/*++ BUILD Version: 0006 Increment this if a change has global effects
Copyright (c) 1990-1996 Microsoft Corporation
Module Name:
ntsecapi.h
Abstract:
This module defines the Local Security Authority APIs.
Revision History:
--*/
#ifndef _NTSECAPI_
#define _NTSECAPI_
#ifdef __cplusplus
extern "C" {
#endif
#ifndef _NTDEF_
typedef LONG NTSTATUS, *PNTSTATUS;
#endif
#ifndef _NTLSA_IFS_
// begin_ntifs
//
// Security operation mode of the system is held in a control
// longword.
//
typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE;
// end_ntifs
#endif // _NTLSA_IFS_
//
// The flags in the security operational mode are defined
// as:
//
// PasswordProtected - Some level of authentication (such as
// a password) must be provided by users before they are
// allowed to use the system. Once set, this value will
// not be cleared without re-booting the system.
//
// IndividualAccounts - Each user must identify an account to
// logon to. This flag is only meaningful if the
// PasswordProtected flag is also set. If this flag is
// not set and the PasswordProtected flag is set, then all
// users may logon to the same account. Once set, this value
// will not be cleared without re-booting the system.
//
// MandatoryAccess - Indicates the system is running in a mandatory
// access control mode (e.g., B-level as defined by the U.S.A's
// Department of Defense's "Orange Book"). This is not utilized
// in the current release of NT. This flag is only meaningful
// if both the PasswordProtected and IndividualAccounts flags are
// set. Once set, this value will not be cleared without
// re-booting the system.
//
// LogFull - Indicates the system has been brought up in a mode in
// which if must perform security auditing, but its audit log
// is full. This may (should) restrict the operations that
// can occur until the audit log is made not-full again. THIS
// VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT
// REBOOTING).
//
// If the PasswordProtected flag is not set, then the system is running
// without security, and user interface should be adjusted appropriately.
//
#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L)
#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L)
#define LSA_MODE_MANDATORY_ACCESS (0x00000004L)
#define LSA_MODE_LOG_FULL (0x00000008L)
#ifndef _NTLSA_IFS_
// begin_ntifs
//
// Used by a logon process to indicate what type of logon is being
// requested.
// NOTE: Proxy logon type is not currently supported in NT 3.x
//
typedef enum _SECURITY_LOGON_TYPE {
Interactive = 2, // Interactively logged on (locally or remotely)
Network, // Accessing system via network
Batch, // Started via a batch queue
Service, // Service started by service controller
Proxy, // Proxy logon
Unlock // Unlock workstation
} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
// end_ntifs
#endif // _NTLSA_IFS_
//
// Audit Event Categories
//
// The following are the built-in types or Categories of audit event.
// WARNING! This structure is subject to expansion. The user should not
// compute the number of elements of this type directly, but instead
// should obtain the count of elements by calling LsaQueryInformationPolicy()
// for the PolicyAuditEventsInformation class and extracting the count from
// the MaximumAuditEventCount field of the returned structure.
//
typedef enum _POLICY_AUDIT_EVENT_TYPE {
AuditCategorySystem,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
//
// The following defines describe the auditing options for each
// event type
//
// Leave options specified for this event unchanged
#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L)
// Audit successful occurrences of events of this type
#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L)
// Audit failed attempts to cause an event of this type to occur
#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L)
#define POLICY_AUDIT_EVENT_NONE (0x00000004L)
// Mask of valid event auditing options
#define POLICY_AUDIT_EVENT_MASK \
(POLICY_AUDIT_EVENT_SUCCESS | \
POLICY_AUDIT_EVENT_FAILURE | \
POLICY_AUDIT_EVENT_UNCHANGED | \
POLICY_AUDIT_EVENT_NONE)
#ifdef _NTDEF_
// begin_ntifs
typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef STRING LSA_STRING, *PLSA_STRING;
typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
// end_ntifs
#else // _NTDEF_
#ifndef IN
#define IN
#endif
#ifndef OUT
#define OUT
#endif
#ifndef OPTIONAL
#define OPTIONAL
#endif
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef struct _LSA_STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} LSA_STRING, *PLSA_STRING;
typedef struct _LSA_OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PLSA_UNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
#endif // _NTDEF_
//
// Macro for determining whether an API succeeded.
//
#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0)
#ifndef _NTLSA_IFS_
// begin_ntifs
NTSTATUS
NTAPI
LsaRegisterLogonProcess (
IN PLSA_STRING LogonProcessName,
OUT PHANDLE LsaHandle,
OUT PLSA_OPERATIONAL_MODE SecurityMode
);
// end_ntifs
// begin_ntsrv
NTSTATUS
NTAPI
LsaLogonUser (
IN HANDLE LsaHandle,
IN PLSA_STRING OriginName,
IN SECURITY_LOGON_TYPE LogonType,
IN ULONG AuthenticationPackage,
IN PVOID AuthenticationInformation,
IN ULONG AuthenticationInformationLength,
IN PTOKEN_GROUPS LocalGroups OPTIONAL,
IN PTOKEN_SOURCE SourceContext,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PHANDLE Token,
OUT PQUOTA_LIMITS Quotas,
OUT PNTSTATUS SubStatus
);
// end_ntsrv
// begin_ntifs
NTSTATUS
NTAPI
LsaLookupAuthenticationPackage (
IN HANDLE LsaHandle,
IN PLSA_STRING PackageName,
OUT PULONG AuthenticationPackage
);
NTSTATUS
NTAPI
LsaFreeReturnBuffer (
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaCallAuthenticationPackage (
IN HANDLE LsaHandle,
IN ULONG AuthenticationPackage,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
NTSTATUS
NTAPI
LsaDeregisterLogonProcess (
IN HANDLE LsaHandle
);
NTSTATUS
NTAPI
LsaConnectUntrusted (
OUT PHANDLE LsaHandle
);
// end_ntifs
#endif // _NTLSA_IFS_
////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy Administration API datatypes and defines //
// //
////////////////////////////////////////////////////////////////////////////
//
// Access types for the Policy object
//
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L
#define POLICY_TRUST_ADMIN 0x00000008L
#define POLICY_CREATE_ACCOUNT 0x00000010L
#define POLICY_CREATE_SECRET 0x00000020L
#define POLICY_CREATE_PRIVILEGE 0x00000040L
#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L
#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L
#define POLICY_AUDIT_LOG_ADMIN 0x00000200L
#define POLICY_SERVER_ADMIN 0x00000400L
#define POLICY_LOOKUP_NAMES 0x00000800L
#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
POLICY_VIEW_LOCAL_INFORMATION |\
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
POLICY_CREATE_PRIVILEGE |\
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
POLICY_SET_AUDIT_REQUIREMENTS |\
POLICY_AUDIT_LOG_ADMIN |\
POLICY_SERVER_ADMIN |\
POLICY_LOOKUP_NAMES )
#define POLICY_READ (STANDARD_RIGHTS_READ |\
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION)
#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
POLICY_CREATE_PRIVILEGE |\
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
POLICY_SET_AUDIT_REQUIREMENTS |\
POLICY_AUDIT_LOG_ADMIN |\
POLICY_SERVER_ADMIN)
#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
POLICY_VIEW_LOCAL_INFORMATION |\
POLICY_LOOKUP_NAMES )
//
// Policy object specific data types.
//
//
// The following data type is used to identify a domain
//
typedef struct _LSA_TRUST_INFORMATION {
LSA_UNICODE_STRING Name;
PSID Sid;
} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
// where members have the following usage:
//
// Name - The name of the domain.
//
// Sid - A pointer to the Sid of the Domain
//
//
// The following data type is used in name and SID lookup services to
// describe the domains referenced in the lookup operation.
//
typedef struct _LSA_REFERENCED_DOMAIN_LIST {
ULONG Entries;
PLSA_TRUST_INFORMATION Domains;
} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST;
// where members have the following usage:
//
// Entries - Is a count of the number of domains described in the
// Domains array.
//
// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
// structures.
//
//
// The following data type is used in name to SID lookup services to describe
// the domains referenced in the lookup operation.
//
typedef struct _LSA_TRANSLATED_SID {
SID_NAME_USE Use;
ULONG RelativeId;
LONG DomainIndex;
} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID;
// where members have the following usage:
//
// Use - identifies the use of the SID. If this value is SidUnknown or
// SidInvalid, then the remainder of the record is not set and
// should be ignored.
//
// RelativeId - Contains the relative ID of the translated SID. The
// remainder of the SID (the prefix) is obtained using the
// DomainIndex field.
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
// domain in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
//
// The following data type is used in SID to name lookup services to
// describe the domains referenced in the lookup operation.
//
typedef struct _LSA_TRANSLATED_NAME {
SID_NAME_USE Use;
LSA_UNICODE_STRING Name;
LONG DomainIndex;
} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
// where the members have the following usage:
//
// Use - Identifies the use of the name. If this value is SidUnknown
// or SidInvalid, then the remainder of the record is not set and
// should be ignored. If this value is SidWellKnownGroup then the
// Name field is invalid, but the DomainIndex field is not.
//
// Name - Contains the isolated name of the translated SID.
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the domain
// in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
//
// The following data type is used to represent the role of the LSA
// server (primary or backup).
//
typedef enum _POLICY_LSA_SERVER_ROLE {
PolicyServerRoleBackup = 2,
PolicyServerRolePrimary
} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE;
//
// The following data type is used to represent the state of the LSA
// server (enabled or disabled). Some operations may only be performed on
// an enabled LSA server.
//
typedef enum _POLICY_SERVER_ENABLE_STATE {
PolicyServerEnabled = 2,
PolicyServerDisabled
} POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE;
//
// The following data type is used to specify the auditing options for
// an Audit Event Type.
//
typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS;
// where the following flags can be set:
//
// POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options
// unchanged for events of this type. This flag is only used for
// set operations. If this flag is set, then all other flags
// are ignored.
//
// POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events
// of this type. If this flag is set, the success/failure flags
// are ignored.
//
// POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all
// successful occurrences of events of the given type.
//
// POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all
// unsuccessful occurrences of events of the given type.
//
//
// The following data type is used to return information about privileges
// defined on a system.
//
typedef struct _POLICY_PRIVILEGE_DEFINITION {
LSA_UNICODE_STRING Name;
LUID LocalValue;
} POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
// where the members have the following usage:
//
// Name - Is the architected name of the privilege. This is the
// primary key of the privilege and the only value that is
// transportable between systems.
//
// Luid - is a LUID value assigned locally for efficient representation
// of the privilege. Ths value is meaningful only on the system it
// was assigned on and is not transportable in any way.
//
//
// The following data type defines the classes of Policy Information
// that may be queried/set.
//
typedef enum _POLICY_INFORMATION_CLASS {
PolicyAuditLogInformation = 1,
PolicyAuditEventsInformation,
PolicyPrimaryDomainInformation,
PolicyPdAccountInformation,
PolicyAccountDomainInformation,
PolicyLsaServerRoleInformation,
PolicyReplicaSourceInformation,
PolicyDefaultQuotaInformation,
PolicyModificationInformation,
PolicyAuditFullSetInformation,
PolicyAuditFullQueryInformation
} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
//
// The following data type corresponds to the PolicyAuditLogInformation
// information class. It is used to represent information relating to
// the Audit Log.
//
// This structure may be used in both query and set operations. However,
// when used in set operations, some fields are ignored.
//
typedef struct _POLICY_AUDIT_LOG_INFO {
ULONG AuditLogPercentFull;
ULONG MaximumLogSize;
LARGE_INTEGER AuditRetentionPeriod;
BOOLEAN AuditLogFullShutdownInProgress;
LARGE_INTEGER TimeToShutdown;
ULONG NextAuditRecordId;
} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO;
// where the members have the following usage:
//
// AuditLogPercentFull - Indicates the percentage of the Audit Log
// currently being used.
//
// MaximumLogSize - Specifies the maximum size of the Audit Log in
// kilobytes.
//
// AuditRetentionPeriod - Indicates the length of time that Audit
// Records are to be retained. Audit Records are discardable
// if their timestamp predates the current time minus the
// retention period.
//
// AuditLogFullShutdownInProgress - Indicates whether or not a system
// shutdown is being initiated due to the security Audit Log becoming
// full. This condition will only occur if the system is configured
// to shutdown when the log becomes full.
//
// TRUE indicates that a shutdown is in progress
// FALSE indicates that a shutdown is not in progress.
//
// Once a shutdown has been initiated, this flag will be set to
// TRUE. If an administrator is able to currect the situation
// before the shutdown becomes irreversible, then this flag will
// be reset to false.
//
// This field is ignored for set operations.
//
// TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set,
// then this field contains the time left before the shutdown
// becomes irreversible.
//
// This field is ignored for set operations.
//
//
// The following data type corresponds to the PolicyAuditEventsInformation
// information class. It is used to represent information relating to
// the audit requirements.
//
typedef struct _POLICY_AUDIT_EVENTS_INFO {
BOOLEAN AuditingMode;
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
ULONG MaximumAuditEventCount;
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
// where the members have the following usage:
//
// AuditingMode - A Boolean variable specifying the Auditing Mode value.
// This value is interpreted as follows:
//
// TRUE - Auditing is to be enabled (set operations) or is enabled
// (query operations). Audit Records will be generated according
// to the Event Auditing Options in effect (see the
// EventAuditingOptions field.
//
// FALSE - Auditing is to be disabled (set operations) or is
// disabled (query operations). No Audit Records will be
// generated. Note that for set operations the Event Auditing
// Options in effect will still be updated as specified by the
// EventAuditingOptions field whether Auditing is enabled or
// disabled.
//
// EventAuditingOptions - Pointer to an array of Auditing Options
// indexed by Audit Event Type.
//
// MaximumAuditEventCount - Specifiesa count of the number of Audit
// Event Types specified by the EventAuditingOptions parameter. If
// this count is less than the number of Audit Event Types supported
// by the system, the Auditing Options for Event Types with IDs
// higher than (MaximumAuditEventCount + 1) are left unchanged.
//
//
// The following structure corresponds to the PolicyAccountDomainInformation
// information class.
//
typedef struct _POLICY_ACCOUNT_DOMAIN_INFO {
LSA_UNICODE_STRING DomainName;
PSID DomainSid;
} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO;
// where the members have the following usage:
//
// DomainName - Is the name of the domain
//
// DomainSid - Is the Sid of the domain
//
//
// The following structure corresponds to the PolicyPrimaryDomainInformation
// information class.
//
typedef struct _POLICY_PRIMARY_DOMAIN_INFO {
LSA_UNICODE_STRING Name;
PSID Sid;
} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO;
// where the members have the following usage:
//
// Name - Is the name of the domain
//
// Sid - Is the Sid of the domain
//
//
// The following structure corresponds to the PolicyPdAccountInformation
// information class. This structure may be used in Query operations
// only.
//
typedef struct _POLICY_PD_ACCOUNT_INFO {
LSA_UNICODE_STRING Name;
} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO;
// where the members have the following usage:
//
// Name - Is the name of an account in the domain that should be used
// for authentication and name/ID lookup requests.
//
//
// The following structure corresponds to the PolicyLsaServerRoleInformation
// information class.
//
typedef struct _POLICY_LSA_SERVER_ROLE_INFO {
POLICY_LSA_SERVER_ROLE LsaServerRole;
} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO;
// where the fields have the following usage:
//
// TBS
//
//
// The following structure corresponds to the PolicyReplicaSourceInformation
// information class.
//
typedef struct _POLICY_REPLICA_SOURCE_INFO {
LSA_UNICODE_STRING ReplicaSource;
LSA_UNICODE_STRING ReplicaAccountName;
} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO;
//
// The following structure corresponds to the PolicyDefaultQuotaInformation
// information class.
//
typedef struct _POLICY_DEFAULT_QUOTA_INFO {
QUOTA_LIMITS QuotaLimits;
} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO;
//
// The following structure corresponds to the PolicyModificationInformation
// information class.
//
typedef struct _POLICY_MODIFICATION_INFO {
LARGE_INTEGER ModifiedId;
LARGE_INTEGER DatabaseCreationTime;
} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO;
// where the members have the following usage:
//
// ModifiedId - Is a 64-bit unsigned integer that is incremented each
// time anything in the LSA database is modified. This value is
// only modified on Primary Domain Controllers.
//
// DatabaseCreationTime - Is the date/time that the LSA Database was
// created. On Backup Domain Controllers, this value is replicated
// from the Primary Domain Controller.
//
//
// The following structure type corresponds to the PolicyAuditFullSetInformation
// Information Class.
//
typedef struct _POLICY_AUDIT_FULL_SET_INFO {
BOOLEAN ShutDownOnFull;
} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO;
//
// The following structure type corresponds to the PolicyAuditFullQueryInformation
// Information Class.
//
typedef struct _POLICY_AUDIT_FULL_QUERY_INFO {
BOOLEAN ShutDownOnFull;
BOOLEAN LogIsFull;
} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO;
//
// LSA RPC Context Handle (Opaque form). Note that a Context Handle is
// always a pointer type unlike regular handles.
//
typedef PVOID LSA_HANDLE, *PLSA_HANDLE;
//
// Trusted Domain Object specific data types
//
//
// This data type defines the following information classes that may be
// queried or set.
//
typedef enum _TRUSTED_INFORMATION_CLASS {
TrustedDomainNameInformation = 1,
TrustedControllersInformation,
TrustedPosixOffsetInformation,
TrustedPasswordInformation
} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS;
//
// The following data type corresponds to the TrustedDomainNameInformation
// information class.
//
typedef struct _TRUSTED_DOMAIN_NAME_INFO {
LSA_UNICODE_STRING Name;
} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO;
// where members have the following meaning:
//
// Name - The name of the Trusted Domain.
//
//
// The following data type corresponds to the TrustedControllersInformation
// information class.
//
typedef struct _TRUSTED_CONTROLLERS_INFO {
ULONG Entries;
PLSA_UNICODE_STRING Names;
} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO;
// where members have the following meaning:
//
// Entries - Indicate how mamy entries there are in the Names array.
//
// Names - Pointer to an array of LSA_UNICODE_STRING structures containing the
// names of domain controllers of the domain. This information may not
// be accurate and should be used only as a hint. The order of this
// list is considered significant and will be maintained.
//
// By convention, the first name in this list is assumed to be the
// Primary Domain Controller of the domain. If the Primary Domain
// Controller is not known, the first name should be set to the NULL
// string.
//
//
// The following data type corresponds to the TrustedPosixOffsetInformation
// information class.
//
typedef struct _TRUSTED_POSIX_OFFSET_INFO {
ULONG Offset;
} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO;
// where members have the following meaning:
//
// Offset - Is an offset to use for the generation of Posix user and group
// IDs from SIDs. The Posix ID corresponding to any particular SID is
// generated by adding the RID of that SID to the Offset of the SID's
// corresponding TrustedDomain object.
//
//
// The following data type corresponds to the TrustedPasswordInformation
// information class.
//
typedef struct _TRUSTED_PASSWORD_INFO {
LSA_UNICODE_STRING Password;
LSA_UNICODE_STRING OldPassword;
} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO;
//
// LSA Enumeration Context
//
typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE;
//
// LSA Enumeration Information
//
typedef struct _LSA_ENUMERATION_INFORMATION {
PSID Sid;
} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
�
////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Miscellaneous API function prototypes //
// //
////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaFreeMemory(
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaClose(
IN LSA_HANDLE ObjectHandle
);
NTSTATUS
NTAPI
LsaOpenPolicy(
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
IN ACCESS_MASK DesiredAccess,
IN OUT PLSA_HANDLE PolicyHandle
);
NTSTATUS
NTAPI
LsaQueryInformationPolicy(
IN LSA_HANDLE PolicyHandle,
IN POLICY_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetInformationPolicy(
IN LSA_HANDLE PolicyHandle,
IN POLICY_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaEnumerateTrustedDomains(
IN LSA_HANDLE PolicyHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
NTAPI
LsaLookupNames(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PLSA_UNICODE_STRING Names,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_SID *Sids
);
NTSTATUS
NTAPI
LsaLookupSids(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PSID *Sids,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_NAME *Names
);
#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
//
// This new API returns all the accounts with a certain privilege
//
NTSTATUS
NTAPI
LsaEnumerateAccountsWithUserRight(
IN LSA_HANDLE PolicyHandle,
IN OPTIONAL PLSA_UNICODE_STRING UserRights,
OUT PVOID *EnumerationBuffer,
OUT PULONG CountReturned
);
//
// These new APIs differ by taking a SID instead of requiring the caller
// to open the account first and passing in an account handle
//
NTSTATUS
NTAPI
LsaEnumerateAccountRights(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
OUT PLSA_UNICODE_STRING *UserRights,
OUT PULONG CountOfRights
);
NTSTATUS
NTAPI
LsaAddAccountRights(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
IN PLSA_UNICODE_STRING UserRights,
IN ULONG CountOfRights
);
NTSTATUS
NTAPI
LsaRemoveAccountRights(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
IN BOOLEAN AllRights,
IN PLSA_UNICODE_STRING UserRights,
IN ULONG CountOfRights
);
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Trusted Domain Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaQueryTrustedDomainInfo(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid,
IN TRUSTED_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetTrustedDomainInformation(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid,
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaDeleteTrustedDomain(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid
);
//
// This API sets the workstation password (equivalent of setting/getting
// the SSI_SECRET_NAME secret)
//
NTSTATUS
NTAPI
LsaStorePrivateData(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING KeyName,
IN PLSA_UNICODE_STRING PrivateData
);
NTSTATUS
NTAPI
LsaRetrievePrivateData(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING KeyName,
OUT PLSA_UNICODE_STRING * PrivateData
);
ULONG
NTAPI
LsaNtStatusToWinError(
NTSTATUS Status
);
//
// Define a symbol so we can tell if ntifs.h has been included.
//
// begin_ntifs
#ifndef _NTLSA_IFS_
#define _NTLSA_IFS_
#endif
// end_ntifs
#ifndef _NTDEF_
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
#endif
typedef NTSTATUS (*PSAM_PASSWORD_NOTIFICATION_ROUTINE) (
PUNICODE_STRING UserName,
ULONG RelativeId,
PUNICODE_STRING NewPassword
);
#define SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE "PasswordChangeNotify"
typedef BOOLEAN (*PSAM_INIT_NOTIFICATION_ROUTINE) (
);
#define SAM_INIT_NOTIFICATION_ROUTINE "InitializeChangeNotify"
#define SAM_PASSWORD_FILTER_ROUTINE "PasswordFilter"
typedef BOOLEAN (*PSAM_PASSWORD_FILTER_ROUTINE) (
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING FullName,
IN PUNICODE_STRING Password,
IN BOOLEAN SetOperation
);
#ifdef __cplusplus
}
#endif
#endif /* _NTSECAPI_ */
