LsaAddAccountRights (advapi32)

The LsaAddAccountRights function assigns one or more privileges to an account. If the account does not exist, LsaAddAccountRights creates it.

C# Signature:

[DllImport("advapi32.dll", SetLastError=true, PreserveSig=true)]
static extern uint LsaAddAccountRights(
   IntPtr PolicyHandle,
   IntPtr AccountSid,
   LSA_UNICODE_STRING[] UserRights,  // one entry per privilege name
   uint CountOfRights);              // number of entries in UserRights

VB Signature:

    Private Declare Unicode Function LsaAddAccountRights Lib "advapi32.dll" ( _
    ByVal PolicyHandle As IntPtr, _
    ByVal AccountSid As IntPtr, _
    ByRef UserRights As LSA_UNICODE_STRING, _
    ByVal CountOfRights As Integer _
    ) As Integer

User-Defined Types:



From the SDK:

If the function succeeds, the return value is STATUS_SUCCESS.

If the function fails, the return value is an NTSTATUS code, which can be the following value or one of the LSA Policy Function Return Values.

Return code                 Description

STATUS_NO_SUCH_PRIVILEGE    One of the privilege names is invalid.

You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.

Tips & Tricks:

    The UserRights parameter is really an array of LSA_UNICODE_STRING structures, one per privilege name, and CountOfRights must equal the number of entries in that array. Length and MaximumLength are byte counts of the UTF-16 buffer (Length excludes the terminating NUL, MaximumLength includes it).

    Deny rights take precedence over the matching allow right, so assigning SeDenyRemoteInteractiveLogonRight to Everyone (as the VB.Net sample below does) blocks Remote Desktop logon for every account on that machine, administrators included.
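A fuller C# version of the call, added here as an example (it is not code from this page or from the SDK): it supplies the LSA_UNICODE_STRING and LSA_OBJECT_ATTRIBUTES definitions the page leaves empty, marshals several rights as the array described in the tip above, and frees every buffer and the policy handle even when a call fails. The class name LsaRights and the helper AddAccountRights are this example's own; it targets the local machine and needs an elevated caller.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
static class LsaRights
{
    // Length/MaximumLength are byte counts; Length excludes and MaximumLength includes the NUL.
    [StructLayout(LayoutKind.Sequential)] struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    // LsaOpenPolicy ignores the members but needs a valid, zeroed structure; only Length is set.
    [StructLayout(LayoutKind.Sequential)] struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory, ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService; }
    const uint POLICY_ALL_ACCESS = 0x000F0FFF;
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] static extern uint LsaAddAccountRights(IntPtr PolicyHandle,
        IntPtr AccountSid, LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint Status);

    // Assigns every right name in `rights` to `sid` on the local machine (SystemName = NULL), e.g.
    // AddAccountRights(new SecurityIdentifier(WellKnownSidType.WorldSid, null), "SeDenyRemoteInteractiveLogonRight");
    public static void AddAccountRights(SecurityIdentifier sid, params string[] rights)
    {
        var names = new LSA_UNICODE_STRING[rights.Length];
        var sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);
        IntPtr sidPtr = Marshal.AllocHGlobal(sidBytes.Length), policy = IntPtr.Zero;
        try
        {
            Marshal.Copy(sidBytes, 0, sidPtr, sidBytes.Length);
            for (int i = 0; i < rights.Length; i++)
            {   // one LSA_UNICODE_STRING per right; CountOfRights must equal the array length
                names[i].Buffer = Marshal.StringToHGlobalUni(rights[i]);
                names[i].Length = checked((ushort)(rights[i].Length * 2));
                names[i].MaximumLength = checked((ushort)((rights[i].Length + 1) * 2));
            }
            var attrs = new LSA_OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
            uint status = LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_ALL_ACCESS, out policy);
            if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status));
            status = LsaAddAccountRights(policy, sidPtr, names, (uint)names.Length);
            if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status));
        }
        finally
        {   // release the policy handle and every unmanaged buffer, even on failure
            if (policy != IntPtr.Zero) LsaClose(policy);
            foreach (var n in names) if (n.Buffer != IntPtr.Zero) Marshal.FreeHGlobal(n.Buffer);
            Marshal.FreeHGlobal(sidPtr);
        }
    }
}
```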

VB.Net Sample Code:

    Private WinWorldSid As Integer = 1
    Private POLICY_ALL_ACCESS As Integer = &HF0FFF
    Private SECURITY_MAX_SID_SIZE As Integer = 68
    Private SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME As String = "SeDenyRemoteInteractiveLogonRight"
    Private NT_STATUS_OBJECT_NAME_NOT_FOUND As Integer = &HC0000034
    Private STATUS_NO_MORE_ENTRIES As Integer = &H8000001A

    ' add the Deny permission (needs the LSA_UNICODE_STRING and LSA_OBJECT_ATTRIBUTES types and the
    ' CreateWellKnownSid, LsaOpenPolicy, LsaClose and LsaNtStatusToWinError declarations)
    Public Sub DenyTS(ByVal PC As String)
        Dim ret, Access, sidsize As Integer
        Dim SystemName, DenyTSRights As LSA_UNICODE_STRING
        Dim ObjectAttr As LSA_OBJECT_ATTRIBUTES
        Dim Policy As IntPtr = IntPtr.Zero
        Dim EveryoneSID As IntPtr = IntPtr.Zero

        Try
            ' build a well-known SID for "Everyone"; sidsize must hold the buffer size before
            ' the call, otherwise CreateWellKnownSid fails with ERROR_INSUFFICIENT_BUFFER
            sidsize = SECURITY_MAX_SID_SIZE
            EveryoneSID = Marshal.AllocHGlobal(sidsize)
            If CreateWellKnownSid(WinWorldSid, IntPtr.Zero, EveryoneSID, sidsize) = False Then
                ret = Marshal.GetLastWin32Error()
                Throw New Win32Exception(ret)
            End If

            ' setup the parameters for the LsaOpenPolicy API
            ObjectAttr.Length = Marshal.SizeOf(ObjectAttr)
            Access = POLICY_ALL_ACCESS
            SystemName.Length = PC.Length * UnicodeEncoding.CharSize
            SystemName.MaximumLength = (PC.Length + 1) * UnicodeEncoding.CharSize
            SystemName.Buffer = Marshal.StringToHGlobalUni(PC)

            ' open a policy handle on the remote PC
            ret = LsaOpenPolicy(SystemName, ObjectAttr, Access, Policy)
            If ret <> 0 Then
                Throw New Win32Exception(LsaNtStatusToWinError(ret))
            End If

            ' setup the input parameter for the LsaAddAccountRights API (a single LSA_UNICODE_STRING)
            DenyTSRights.Length = SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length * UnicodeEncoding.CharSize
            DenyTSRights.MaximumLength = (SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length + 1) * UnicodeEncoding.CharSize
            DenyTSRights.Buffer = Marshal.StringToHGlobalUni(SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME)

            ' Do it! CountOfRights is 1 because exactly one right is passed
            ret = LsaAddAccountRights(Policy, EveryoneSID, DenyTSRights, 1)
            If ret <> 0 Then
                Throw New Win32Exception(LsaNtStatusToWinError(ret))
            End If
        Finally
            ' clean up: free the unmanaged buffers and close the policy handle, even on error
            If DenyTSRights.Buffer <> IntPtr.Zero Then Marshal.FreeHGlobal(DenyTSRights.Buffer)
            If SystemName.Buffer <> IntPtr.Zero Then Marshal.FreeHGlobal(SystemName.Buffer)
            If EveryoneSID <> IntPtr.Zero Then Marshal.FreeHGlobal(EveryoneSID)
            If Policy <> IntPtr.Zero Then LsaClose(Policy)
        End Try
    End Sub

See LsaOpenPolicy

Alternative Managed API:

Do you know one? Please contribute it!