@msdn=http://search.microsoft.com/search/results.aspx?qu=$$$
@pinvoke=http://pinvoke.net/$$$.htm

Summary: The LsaAddAccountRights function assigns one or more privileges to an account. If the account does not exist, LsaAddAccountRights creates it.

!!!!C# Signature:

    [DllImport("advapi32.dll", SetLastError=true, PreserveSig=true)]
    static extern uint LsaAddAccountRights(
        IntPtr PolicyHandle,
        IntPtr AccountSid,
        LSA_UNICODE_STRING[] UserRights,
        uint CountOfRights);

!!!!VB Signature:

    Private Declare Unicode Function LsaAddAccountRights Lib "advapi32.dll" ( _
        ByVal PolicyHandle As IntPtr, _
        ByVal AccountSid As IntPtr, _
        ByRef UserRights As LSA_UNICODE_STRING, _
        ByVal CountOfRights As Integer _
    ) As Integer

!!!!User-Defined Types:

None.

!!!!Notes:

From the SDK: If the function succeeds, the return value is STATUS_SUCCESS. If the function fails, the return value is an NTSTATUS code, which can be the following value or one of the LSA Policy Function Return Values.

Return code | Description
STATUS_NO_SUCH_PRIVILEGE | One of the privilege names is invalid.

You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.

!!!!Tips & Tricks:

The UserRights parameter is really an array of LSA_UNICODE_STRING structures.

!!!!VB.Net Sample Code:

    ' at the top of the file
    Imports System.ComponentModel
    Imports System.Runtime.InteropServices
    Imports System.Text

    Private WinWorldSid As Integer = 1
    Private POLICY_ALL_ACCESS As Integer = &HF0FFF
    Private SECURITY_MAX_SID_SIZE As Integer = 68
    Private SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME As String = "SeDenyRemoteInteractiveLogonRight"
    Private NT_STATUS_OBJECT_NAME_NOT_FOUND As Integer = &HC0000034
    Private STATUS_NO_MORE_ENTRIES As Integer = &H8000001A

    ' add the Deny permission
    Public Sub DenyTS(ByVal PC As String)
        Dim ret, Access, sidsize As Integer
        Dim SystemName, DenyTSRights As LSA_UNICODE_STRING
        Dim ObjectAttr As LSA_OBJECT_ATTRIBUTES
        Dim Policy, EveryoneSID As IntPtr

        ' build a well-known SID for "Everyone"
        sidsize = SECURITY_MAX_SID_SIZE
        EveryoneSID = Marshal.AllocHGlobal(sidsize)
        Try
            If CreateWellKnownSid(WinWorldSid, IntPtr.Zero, EveryoneSID, sidsize) = False Then
                ret = Marshal.GetLastWin32Error()
                Throw New Win32Exception(ret)
            End If

            ' setup the parameters for the LsaOpenPolicy API
            ObjectAttr.Length = Marshal.SizeOf(ObjectAttr)
            SystemName.Length = PC.Length * UnicodeEncoding.CharSize
            SystemName.MaximumLength = (PC.Length + 1) * UnicodeEncoding.CharSize
            SystemName.Buffer = Marshal.StringToHGlobalUni(PC)
            Access = POLICY_ALL_ACCESS

            ' open a policy handle on the remote PC
            ret = LsaOpenPolicy(SystemName, ObjectAttr, Access, Policy)

            ' clean up the name buffer before checking the result, so it is not leaked on failure
            Marshal.FreeHGlobal(SystemName.Buffer)
            If ret <> 0 Then
                Throw New Win32Exception(LsaNtStatusToWinError(ret))
            End If

            ' Setup the input parameters for the LsaAddAccountRights API
            DenyTSRights.Length = SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length * UnicodeEncoding.CharSize
            DenyTSRights.MaximumLength = (SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length + 1) * UnicodeEncoding.CharSize
            DenyTSRights.Buffer = Marshal.StringToHGlobalUni(SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME)

            ' Do it!
            ret = LsaAddAccountRights(Policy, EveryoneSID, DenyTSRights, 1)
            If ret <> 0 Then
                Marshal.FreeHGlobal(DenyTSRights.Buffer)
                LsaClose(Policy)
                Throw New Win32Exception(LsaNtStatusToWinError(ret))
            End If

            ' clean up
            Marshal.FreeHGlobal(DenyTSRights.Buffer)
            LsaClose(Policy)
        Finally
            ' the SID buffer was allocated with AllocHGlobal and must always be released
            Marshal.FreeHGlobal(EveryoneSID)
        End Try
    End Sub

See LsaOpenPolicy

!!!!Alternative Managed API:

Do you know one? Please contribute it!

Documentation: LsaAddAccountRights@msdn on MSDN
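The Tips & Tricks note says UserRights is really an array, and the Notes say failures come back as an NTSTATUS. The following C# sketch is an added example, not part of the original page: it passes several rights in one call using the array form of the signature and converts the status with LsaNtStatusToWinError. The class name LsaRights and the method AddRights are hypothetical, and the policy handle is assumed to come from LsaOpenPolicy as in the VB sample.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class LsaRights   // hypothetical helper class, not from the page
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [DllImport("advapi32.dll")]
    static extern uint LsaAddAccountRights(IntPtr PolicyHandle, IntPtr AccountSid,
        LSA_UNICODE_STRING[] UserRights, uint CountOfRights);

    [DllImport("advapi32.dll")]
    static extern int LsaNtStatusToWinError(uint Status);

    // policy: an open handle from LsaOpenPolicy; sid: the account to modify.
    public static void AddRights(IntPtr policy, SecurityIdentifier sid, params string[] rights)
    {
        byte[] sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);
        IntPtr sidPtr = Marshal.AllocHGlobal(sidBytes.Length);
        var lsa = new LSA_UNICODE_STRING[rights.Length];
        try
        {
            Marshal.Copy(sidBytes, 0, sidPtr, sidBytes.Length);
            for (int i = 0; i < rights.Length; i++)
            {
                // Length and MaximumLength are byte counts stored in 16-bit fields,
                // so reject names whose byte length would not fit.
                if (rights[i].Length > 0x7FFE)
                    throw new ArgumentException("Right name too long", nameof(rights));
                lsa[i].Length = (ushort)(rights[i].Length * sizeof(char));
                lsa[i].MaximumLength = (ushort)((rights[i].Length + 1) * sizeof(char));
                lsa[i].Buffer = Marshal.StringToHGlobalUni(rights[i]);
            }
            uint status = LsaAddAccountRights(policy, sidPtr, lsa, (uint)lsa.Length);
            if (status != 0)   // STATUS_SUCCESS is 0
                throw new Win32Exception(LsaNtStatusToWinError(status));
        }
        finally
        {
            // Release every string buffer that was allocated, even on a partial failure.
            foreach (var s in lsa)
                if (s.Buffer != IntPtr.Zero) Marshal.FreeHGlobal(s.Buffer);
            Marshal.FreeHGlobal(sidPtr);
        }
    }
}
```

To mirror the VB sample, call `LsaRights.AddRights(policy, new SecurityIdentifier(WellKnownSidType.WorldSid, null), "SeDenyRemoteInteractiveLogonRight")` and close the handle with LsaClose afterwards.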