1149 lines
30 KiB
C
1149 lines
30 KiB
C
/*++ BUILD Version: 0006 Increment this if a change has global effects
|
||
|
||
Copyright (c) 1990-1996 Microsoft Corporation
|
||
|
||
Module Name:
|
||
|
||
ntsecapi.h
|
||
|
||
Abstract:
|
||
|
||
This module defines the Local Security Authority APIs.
|
||
|
||
Revision History:
|
||
|
||
--*/
|
||
|
||
#ifndef _NTSECAPI_
|
||
#define _NTSECAPI_
|
||
|
||
#ifdef __cplusplus
|
||
extern "C" {
|
||
#endif
|
||
|
||
#ifndef _NTDEF_
|
||
typedef LONG NTSTATUS, *PNTSTATUS;
|
||
#endif
|
||
|
||
#ifndef _NTLSA_IFS_
|
||
// begin_ntifs
|
||
|
||
|
||
//
|
||
// Security operation mode of the system is held in a control
|
||
// longword.
|
||
//
|
||
|
||
typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE;
|
||
|
||
// end_ntifs
|
||
#endif // _NTLSA_IFS_
|
||
|
||
//
|
||
// The flags in the security operational mode are defined
|
||
// as:
|
||
//
|
||
// PasswordProtected - Some level of authentication (such as
|
||
// a password) must be provided by users before they are
|
||
// allowed to use the system. Once set, this value will
|
||
// not be cleared without re-booting the system.
|
||
//
|
||
// IndividualAccounts - Each user must identify an account to
|
||
// logon to. This flag is only meaningful if the
|
||
// PasswordProtected flag is also set. If this flag is
|
||
// not set and the PasswordProtected flag is set, then all
|
||
// users may logon to the same account. Once set, this value
|
||
// will not be cleared without re-booting the system.
|
||
//
|
||
// MandatoryAccess - Indicates the system is running in a mandatory
|
||
// access control mode (e.g., B-level as defined by the U.S.A's
|
||
// Department of Defense's "Orange Book"). This is not utilized
|
||
// in the current release of NT. This flag is only meaningful
|
||
// if both the PasswordProtected and IndividualAccounts flags are
|
||
// set. Once set, this value will not be cleared without
|
||
// re-booting the system.
|
||
//
|
||
// LogFull - Indicates the system has been brought up in a mode in
|
||
// which if must perform security auditing, but its audit log
|
||
// is full. This may (should) restrict the operations that
|
||
// can occur until the audit log is made not-full again. THIS
|
||
// VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT
|
||
// REBOOTING).
|
||
//
|
||
// If the PasswordProtected flag is not set, then the system is running
|
||
// without security, and user interface should be adjusted appropriately.
|
||
//
|
||
|
||
#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L)
|
||
#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L)
|
||
#define LSA_MODE_MANDATORY_ACCESS (0x00000004L)
|
||
#define LSA_MODE_LOG_FULL (0x00000008L)
|
||
|
||
#ifndef _NTLSA_IFS_
|
||
// begin_ntifs
|
||
//
|
||
// Used by a logon process to indicate what type of logon is being
|
||
// requested.
|
||
// NOTE: Proxy logon type is not currently supported in NT 3.x
|
||
//
|
||
|
||
typedef enum _SECURITY_LOGON_TYPE {
|
||
Interactive = 2, // Interactively logged on (locally or remotely)
|
||
Network, // Accessing system via network
|
||
Batch, // Started via a batch queue
|
||
Service, // Service started by service controller
|
||
Proxy, // Proxy logon
|
||
Unlock // Unlock workstation
|
||
} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
|
||
|
||
// end_ntifs
|
||
#endif // _NTLSA_IFS_
|
||
|
||
|
||
//
|
||
// Audit Event Categories
|
||
//
|
||
// The following are the built-in types or Categories of audit event.
|
||
// WARNING! This structure is subject to expansion. The user should not
|
||
// compute the number of elements of this type directly, but instead
|
||
// should obtain the count of elements by calling LsaQueryInformationPolicy()
|
||
// for the PolicyAuditEventsInformation class and extracting the count from
|
||
// the MaximumAuditEventCount field of the returned structure.
|
||
//
|
||
|
||
typedef enum _POLICY_AUDIT_EVENT_TYPE {
|
||
|
||
AuditCategorySystem,
|
||
AuditCategoryLogon,
|
||
AuditCategoryObjectAccess,
|
||
AuditCategoryPrivilegeUse,
|
||
AuditCategoryDetailedTracking,
|
||
AuditCategoryPolicyChange,
|
||
AuditCategoryAccountManagement
|
||
|
||
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
|
||
|
||
|
||
//
|
||
// The following defines describe the auditing options for each
|
||
// event type
|
||
//
|
||
|
||
// Leave options specified for this event unchanged
|
||
|
||
#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L)
|
||
|
||
// Audit successful occurrences of events of this type
|
||
|
||
#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L)
|
||
|
||
// Audit failed attempts to cause an event of this type to occur
|
||
|
||
#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L)
|
||
|
||
#define POLICY_AUDIT_EVENT_NONE (0x00000004L)
|
||
|
||
// Mask of valid event auditing options
|
||
|
||
#define POLICY_AUDIT_EVENT_MASK \
|
||
(POLICY_AUDIT_EVENT_SUCCESS | \
|
||
POLICY_AUDIT_EVENT_FAILURE | \
|
||
POLICY_AUDIT_EVENT_UNCHANGED | \
|
||
POLICY_AUDIT_EVENT_NONE)
|
||
|
||
|
||
#ifdef _NTDEF_
|
||
// begin_ntifs
|
||
typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
|
||
typedef STRING LSA_STRING, *PLSA_STRING;
|
||
typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
|
||
// end_ntifs
|
||
#else // _NTDEF_
|
||
|
||
#ifndef IN
|
||
#define IN
|
||
#endif
|
||
|
||
#ifndef OUT
|
||
#define OUT
|
||
#endif
|
||
|
||
#ifndef OPTIONAL
|
||
#define OPTIONAL
|
||
#endif
|
||
|
||
|
||
typedef struct _LSA_UNICODE_STRING {
|
||
USHORT Length;
|
||
USHORT MaximumLength;
|
||
PWSTR Buffer;
|
||
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
|
||
|
||
typedef struct _LSA_STRING {
|
||
USHORT Length;
|
||
USHORT MaximumLength;
|
||
PCHAR Buffer;
|
||
} LSA_STRING, *PLSA_STRING;
|
||
|
||
typedef struct _LSA_OBJECT_ATTRIBUTES {
|
||
ULONG Length;
|
||
HANDLE RootDirectory;
|
||
PLSA_UNICODE_STRING ObjectName;
|
||
ULONG Attributes;
|
||
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
|
||
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
|
||
} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
|
||
|
||
|
||
|
||
#endif // _NTDEF_
|
||
|
||
//
|
||
// Macro for determining whether an API succeeded.
|
||
//
|
||
|
||
#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0)
|
||
|
||
#ifndef _NTLSA_IFS_
|
||
// begin_ntifs
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaRegisterLogonProcess (
|
||
IN PLSA_STRING LogonProcessName,
|
||
OUT PHANDLE LsaHandle,
|
||
OUT PLSA_OPERATIONAL_MODE SecurityMode
|
||
);
|
||
|
||
// end_ntifs
|
||
// begin_ntsrv
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaLogonUser (
|
||
IN HANDLE LsaHandle,
|
||
IN PLSA_STRING OriginName,
|
||
IN SECURITY_LOGON_TYPE LogonType,
|
||
IN ULONG AuthenticationPackage,
|
||
IN PVOID AuthenticationInformation,
|
||
IN ULONG AuthenticationInformationLength,
|
||
IN PTOKEN_GROUPS LocalGroups OPTIONAL,
|
||
IN PTOKEN_SOURCE SourceContext,
|
||
OUT PVOID *ProfileBuffer,
|
||
OUT PULONG ProfileBufferLength,
|
||
OUT PLUID LogonId,
|
||
OUT PHANDLE Token,
|
||
OUT PQUOTA_LIMITS Quotas,
|
||
OUT PNTSTATUS SubStatus
|
||
);
|
||
|
||
|
||
// end_ntsrv
|
||
// begin_ntifs
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaLookupAuthenticationPackage (
|
||
IN HANDLE LsaHandle,
|
||
IN PLSA_STRING PackageName,
|
||
OUT PULONG AuthenticationPackage
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaFreeReturnBuffer (
|
||
IN PVOID Buffer
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaCallAuthenticationPackage (
|
||
IN HANDLE LsaHandle,
|
||
IN ULONG AuthenticationPackage,
|
||
IN PVOID ProtocolSubmitBuffer,
|
||
IN ULONG SubmitBufferLength,
|
||
OUT PVOID *ProtocolReturnBuffer,
|
||
OUT PULONG ReturnBufferLength,
|
||
OUT PNTSTATUS ProtocolStatus
|
||
);
|
||
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaDeregisterLogonProcess (
|
||
IN HANDLE LsaHandle
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaConnectUntrusted (
|
||
OUT PHANDLE LsaHandle
|
||
);
|
||
|
||
|
||
// end_ntifs
|
||
#endif // _NTLSA_IFS_
|
||
|
||
////////////////////////////////////////////////////////////////////////////
|
||
// //
|
||
// Local Security Policy Administration API datatypes and defines //
|
||
// //
|
||
////////////////////////////////////////////////////////////////////////////
|
||
|
||
//
|
||
// Access types for the Policy object
|
||
//
|
||
|
||
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L
|
||
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L
|
||
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L
|
||
#define POLICY_TRUST_ADMIN 0x00000008L
|
||
#define POLICY_CREATE_ACCOUNT 0x00000010L
|
||
#define POLICY_CREATE_SECRET 0x00000020L
|
||
#define POLICY_CREATE_PRIVILEGE 0x00000040L
|
||
#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L
|
||
#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L
|
||
#define POLICY_AUDIT_LOG_ADMIN 0x00000200L
|
||
#define POLICY_SERVER_ADMIN 0x00000400L
|
||
#define POLICY_LOOKUP_NAMES 0x00000800L
|
||
|
||
#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
|
||
POLICY_VIEW_LOCAL_INFORMATION |\
|
||
POLICY_VIEW_AUDIT_INFORMATION |\
|
||
POLICY_GET_PRIVATE_INFORMATION |\
|
||
POLICY_TRUST_ADMIN |\
|
||
POLICY_CREATE_ACCOUNT |\
|
||
POLICY_CREATE_SECRET |\
|
||
POLICY_CREATE_PRIVILEGE |\
|
||
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
|
||
POLICY_SET_AUDIT_REQUIREMENTS |\
|
||
POLICY_AUDIT_LOG_ADMIN |\
|
||
POLICY_SERVER_ADMIN |\
|
||
POLICY_LOOKUP_NAMES )
|
||
|
||
|
||
#define POLICY_READ (STANDARD_RIGHTS_READ |\
|
||
POLICY_VIEW_AUDIT_INFORMATION |\
|
||
POLICY_GET_PRIVATE_INFORMATION)
|
||
|
||
#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\
|
||
POLICY_TRUST_ADMIN |\
|
||
POLICY_CREATE_ACCOUNT |\
|
||
POLICY_CREATE_SECRET |\
|
||
POLICY_CREATE_PRIVILEGE |\
|
||
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
|
||
POLICY_SET_AUDIT_REQUIREMENTS |\
|
||
POLICY_AUDIT_LOG_ADMIN |\
|
||
POLICY_SERVER_ADMIN)
|
||
|
||
#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
|
||
POLICY_VIEW_LOCAL_INFORMATION |\
|
||
POLICY_LOOKUP_NAMES )
|
||
|
||
|
||
//
|
||
// Policy object specific data types.
|
||
//
|
||
|
||
//
|
||
// The following data type is used to identify a domain
|
||
//
|
||
|
||
typedef struct _LSA_TRUST_INFORMATION {
|
||
|
||
LSA_UNICODE_STRING Name;
|
||
PSID Sid;
|
||
|
||
} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
|
||
|
||
// where members have the following usage:
|
||
//
|
||
// Name - The name of the domain.
|
||
//
|
||
// Sid - A pointer to the Sid of the Domain
|
||
//
|
||
|
||
//
|
||
// The following data type is used in name and SID lookup services to
|
||
// describe the domains referenced in the lookup operation.
|
||
//
|
||
|
||
typedef struct _LSA_REFERENCED_DOMAIN_LIST {
|
||
|
||
ULONG Entries;
|
||
PLSA_TRUST_INFORMATION Domains;
|
||
|
||
} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST;
|
||
|
||
// where members have the following usage:
|
||
//
|
||
// Entries - Is a count of the number of domains described in the
|
||
// Domains array.
|
||
//
|
||
// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
|
||
// structures.
|
||
//
|
||
|
||
|
||
//
|
||
// The following data type is used in name to SID lookup services to describe
|
||
// the domains referenced in the lookup operation.
|
||
//
|
||
|
||
typedef struct _LSA_TRANSLATED_SID {
|
||
|
||
SID_NAME_USE Use;
|
||
ULONG RelativeId;
|
||
LONG DomainIndex;
|
||
|
||
} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID;
|
||
|
||
// where members have the following usage:
|
||
//
|
||
// Use - identifies the use of the SID. If this value is SidUnknown or
|
||
// SidInvalid, then the remainder of the record is not set and
|
||
// should be ignored.
|
||
//
|
||
// RelativeId - Contains the relative ID of the translated SID. The
|
||
// remainder of the SID (the prefix) is obtained using the
|
||
// DomainIndex field.
|
||
//
|
||
// DomainIndex - Is the index of an entry in a related
|
||
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
|
||
// domain in which the account was found.
|
||
//
|
||
// If there is no corresponding reference domain for an entry, then
|
||
// this field will contain a negative value.
|
||
//
|
||
|
||
|
||
//
|
||
// The following data type is used in SID to name lookup services to
|
||
// describe the domains referenced in the lookup operation.
|
||
//
|
||
|
||
typedef struct _LSA_TRANSLATED_NAME {
|
||
|
||
SID_NAME_USE Use;
|
||
LSA_UNICODE_STRING Name;
|
||
LONG DomainIndex;
|
||
|
||
} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// Use - Identifies the use of the name. If this value is SidUnknown
|
||
// or SidInvalid, then the remainder of the record is not set and
|
||
// should be ignored. If this value is SidWellKnownGroup then the
|
||
// Name field is invalid, but the DomainIndex field is not.
|
||
//
|
||
// Name - Contains the isolated name of the translated SID.
|
||
//
|
||
// DomainIndex - Is the index of an entry in a related
|
||
// LSA_REFERENCED_DOMAIN_LIST data structure describing the domain
|
||
// in which the account was found.
|
||
//
|
||
// If there is no corresponding reference domain for an entry, then
|
||
// this field will contain a negative value.
|
||
//
|
||
|
||
|
||
//
|
||
// The following data type is used to represent the role of the LSA
|
||
// server (primary or backup).
|
||
//
|
||
|
||
typedef enum _POLICY_LSA_SERVER_ROLE {
|
||
|
||
PolicyServerRoleBackup = 2,
|
||
PolicyServerRolePrimary
|
||
|
||
} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE;
|
||
|
||
|
||
//
|
||
// The following data type is used to represent the state of the LSA
|
||
// server (enabled or disabled). Some operations may only be performed on
|
||
// an enabled LSA server.
|
||
//
|
||
|
||
typedef enum _POLICY_SERVER_ENABLE_STATE {
|
||
|
||
PolicyServerEnabled = 2,
|
||
PolicyServerDisabled
|
||
|
||
} POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE;
|
||
|
||
|
||
//
|
||
// The following data type is used to specify the auditing options for
|
||
// an Audit Event Type.
|
||
//
|
||
|
||
typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS;
|
||
|
||
// where the following flags can be set:
|
||
//
|
||
// POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options
|
||
// unchanged for events of this type. This flag is only used for
|
||
// set operations. If this flag is set, then all other flags
|
||
// are ignored.
|
||
//
|
||
// POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events
|
||
// of this type. If this flag is set, the success/failure flags
|
||
// are ignored.
|
||
//
|
||
// POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all
|
||
// successful occurrences of events of the given type.
|
||
//
|
||
// POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all
|
||
// unsuccessful occurrences of events of the given type.
|
||
//
|
||
|
||
|
||
|
||
//
|
||
// The following data type is used to return information about privileges
|
||
// defined on a system.
|
||
//
|
||
|
||
typedef struct _POLICY_PRIVILEGE_DEFINITION {
|
||
|
||
LSA_UNICODE_STRING Name;
|
||
LUID LocalValue;
|
||
|
||
} POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// Name - Is the architected name of the privilege. This is the
|
||
// primary key of the privilege and the only value that is
|
||
// transportable between systems.
|
||
//
|
||
// Luid - is a LUID value assigned locally for efficient representation
|
||
// of the privilege. Ths value is meaningful only on the system it
|
||
// was assigned on and is not transportable in any way.
|
||
//
|
||
|
||
|
||
//
|
||
// The following data type defines the classes of Policy Information
|
||
// that may be queried/set.
|
||
//
|
||
|
||
typedef enum _POLICY_INFORMATION_CLASS {
|
||
|
||
PolicyAuditLogInformation = 1,
|
||
PolicyAuditEventsInformation,
|
||
PolicyPrimaryDomainInformation,
|
||
PolicyPdAccountInformation,
|
||
PolicyAccountDomainInformation,
|
||
PolicyLsaServerRoleInformation,
|
||
PolicyReplicaSourceInformation,
|
||
PolicyDefaultQuotaInformation,
|
||
PolicyModificationInformation,
|
||
PolicyAuditFullSetInformation,
|
||
PolicyAuditFullQueryInformation
|
||
|
||
} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
|
||
|
||
|
||
//
|
||
// The following data type corresponds to the PolicyAuditLogInformation
|
||
// information class. It is used to represent information relating to
|
||
// the Audit Log.
|
||
//
|
||
// This structure may be used in both query and set operations. However,
|
||
// when used in set operations, some fields are ignored.
|
||
//
|
||
|
||
typedef struct _POLICY_AUDIT_LOG_INFO {
|
||
|
||
ULONG AuditLogPercentFull;
|
||
ULONG MaximumLogSize;
|
||
LARGE_INTEGER AuditRetentionPeriod;
|
||
BOOLEAN AuditLogFullShutdownInProgress;
|
||
LARGE_INTEGER TimeToShutdown;
|
||
ULONG NextAuditRecordId;
|
||
|
||
} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// AuditLogPercentFull - Indicates the percentage of the Audit Log
|
||
// currently being used.
|
||
//
|
||
// MaximumLogSize - Specifies the maximum size of the Audit Log in
|
||
// kilobytes.
|
||
//
|
||
// AuditRetentionPeriod - Indicates the length of time that Audit
|
||
// Records are to be retained. Audit Records are discardable
|
||
// if their timestamp predates the current time minus the
|
||
// retention period.
|
||
//
|
||
// AuditLogFullShutdownInProgress - Indicates whether or not a system
|
||
// shutdown is being initiated due to the security Audit Log becoming
|
||
// full. This condition will only occur if the system is configured
|
||
// to shutdown when the log becomes full.
|
||
//
|
||
// TRUE indicates that a shutdown is in progress
|
||
// FALSE indicates that a shutdown is not in progress.
|
||
//
|
||
// Once a shutdown has been initiated, this flag will be set to
|
||
// TRUE. If an administrator is able to currect the situation
|
||
// before the shutdown becomes irreversible, then this flag will
|
||
// be reset to false.
|
||
//
|
||
// This field is ignored for set operations.
|
||
//
|
||
// TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set,
|
||
// then this field contains the time left before the shutdown
|
||
// becomes irreversible.
|
||
//
|
||
// This field is ignored for set operations.
|
||
//
|
||
|
||
|
||
//
|
||
// The following data type corresponds to the PolicyAuditEventsInformation
|
||
// information class. It is used to represent information relating to
|
||
// the audit requirements.
|
||
//
|
||
|
||
typedef struct _POLICY_AUDIT_EVENTS_INFO {
|
||
|
||
BOOLEAN AuditingMode;
|
||
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
|
||
ULONG MaximumAuditEventCount;
|
||
|
||
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// AuditingMode - A Boolean variable specifying the Auditing Mode value.
|
||
// This value is interpreted as follows:
|
||
//
|
||
// TRUE - Auditing is to be enabled (set operations) or is enabled
|
||
// (query operations). Audit Records will be generated according
|
||
// to the Event Auditing Options in effect (see the
|
||
// EventAuditingOptions field.
|
||
//
|
||
// FALSE - Auditing is to be disabled (set operations) or is
|
||
// disabled (query operations). No Audit Records will be
|
||
// generated. Note that for set operations the Event Auditing
|
||
// Options in effect will still be updated as specified by the
|
||
// EventAuditingOptions field whether Auditing is enabled or
|
||
// disabled.
|
||
//
|
||
// EventAuditingOptions - Pointer to an array of Auditing Options
|
||
// indexed by Audit Event Type.
|
||
//
|
||
// MaximumAuditEventCount - Specifiesa count of the number of Audit
|
||
// Event Types specified by the EventAuditingOptions parameter. If
|
||
// this count is less than the number of Audit Event Types supported
|
||
// by the system, the Auditing Options for Event Types with IDs
|
||
// higher than (MaximumAuditEventCount + 1) are left unchanged.
|
||
//
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyAccountDomainInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _POLICY_ACCOUNT_DOMAIN_INFO {
|
||
|
||
LSA_UNICODE_STRING DomainName;
|
||
PSID DomainSid;
|
||
|
||
} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// DomainName - Is the name of the domain
|
||
//
|
||
// DomainSid - Is the Sid of the domain
|
||
//
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyPrimaryDomainInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _POLICY_PRIMARY_DOMAIN_INFO {
|
||
|
||
LSA_UNICODE_STRING Name;
|
||
PSID Sid;
|
||
|
||
} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// Name - Is the name of the domain
|
||
//
|
||
// Sid - Is the Sid of the domain
|
||
//
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyPdAccountInformation
|
||
// information class. This structure may be used in Query operations
|
||
// only.
|
||
//
|
||
|
||
typedef struct _POLICY_PD_ACCOUNT_INFO {
|
||
|
||
LSA_UNICODE_STRING Name;
|
||
|
||
} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// Name - Is the name of an account in the domain that should be used
|
||
// for authentication and name/ID lookup requests.
|
||
//
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyLsaServerRoleInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _POLICY_LSA_SERVER_ROLE_INFO {
|
||
|
||
POLICY_LSA_SERVER_ROLE LsaServerRole;
|
||
|
||
} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO;
|
||
|
||
// where the fields have the following usage:
|
||
//
|
||
// TBS
|
||
//
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyReplicaSourceInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _POLICY_REPLICA_SOURCE_INFO {
|
||
|
||
LSA_UNICODE_STRING ReplicaSource;
|
||
LSA_UNICODE_STRING ReplicaAccountName;
|
||
|
||
} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO;
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyDefaultQuotaInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _POLICY_DEFAULT_QUOTA_INFO {
|
||
|
||
QUOTA_LIMITS QuotaLimits;
|
||
|
||
} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO;
|
||
|
||
|
||
//
|
||
// The following structure corresponds to the PolicyModificationInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _POLICY_MODIFICATION_INFO {
|
||
|
||
LARGE_INTEGER ModifiedId;
|
||
LARGE_INTEGER DatabaseCreationTime;
|
||
|
||
} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO;
|
||
|
||
// where the members have the following usage:
|
||
//
|
||
// ModifiedId - Is a 64-bit unsigned integer that is incremented each
|
||
// time anything in the LSA database is modified. This value is
|
||
// only modified on Primary Domain Controllers.
|
||
//
|
||
// DatabaseCreationTime - Is the date/time that the LSA Database was
|
||
// created. On Backup Domain Controllers, this value is replicated
|
||
// from the Primary Domain Controller.
|
||
//
|
||
|
||
//
|
||
// The following structure type corresponds to the PolicyAuditFullSetInformation
|
||
// Information Class.
|
||
//
|
||
|
||
typedef struct _POLICY_AUDIT_FULL_SET_INFO {
|
||
|
||
BOOLEAN ShutDownOnFull;
|
||
|
||
} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO;
|
||
|
||
//
|
||
// The following structure type corresponds to the PolicyAuditFullQueryInformation
|
||
// Information Class.
|
||
//
|
||
|
||
typedef struct _POLICY_AUDIT_FULL_QUERY_INFO {
|
||
|
||
BOOLEAN ShutDownOnFull;
|
||
BOOLEAN LogIsFull;
|
||
|
||
} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO;
|
||
|
||
|
||
//
|
||
// LSA RPC Context Handle (Opaque form). Note that a Context Handle is
|
||
// always a pointer type unlike regular handles.
|
||
//
|
||
|
||
typedef PVOID LSA_HANDLE, *PLSA_HANDLE;
|
||
|
||
|
||
//
|
||
// Trusted Domain Object specific data types
|
||
//
|
||
|
||
//
|
||
// This data type defines the following information classes that may be
|
||
// queried or set.
|
||
//
|
||
|
||
typedef enum _TRUSTED_INFORMATION_CLASS {
|
||
|
||
TrustedDomainNameInformation = 1,
|
||
TrustedControllersInformation,
|
||
TrustedPosixOffsetInformation,
|
||
TrustedPasswordInformation
|
||
|
||
} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS;
|
||
|
||
//
|
||
// The following data type corresponds to the TrustedDomainNameInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _TRUSTED_DOMAIN_NAME_INFO {
|
||
|
||
LSA_UNICODE_STRING Name;
|
||
|
||
} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO;
|
||
|
||
// where members have the following meaning:
|
||
//
|
||
// Name - The name of the Trusted Domain.
|
||
//
|
||
|
||
//
|
||
// The following data type corresponds to the TrustedControllersInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _TRUSTED_CONTROLLERS_INFO {
|
||
|
||
ULONG Entries;
|
||
PLSA_UNICODE_STRING Names;
|
||
|
||
} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO;
|
||
|
||
// where members have the following meaning:
|
||
//
|
||
// Entries - Indicate how mamy entries there are in the Names array.
|
||
//
|
||
// Names - Pointer to an array of LSA_UNICODE_STRING structures containing the
|
||
// names of domain controllers of the domain. This information may not
|
||
// be accurate and should be used only as a hint. The order of this
|
||
// list is considered significant and will be maintained.
|
||
//
|
||
// By convention, the first name in this list is assumed to be the
|
||
// Primary Domain Controller of the domain. If the Primary Domain
|
||
// Controller is not known, the first name should be set to the NULL
|
||
// string.
|
||
//
|
||
|
||
|
||
//
|
||
// The following data type corresponds to the TrustedPosixOffsetInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _TRUSTED_POSIX_OFFSET_INFO {
|
||
|
||
ULONG Offset;
|
||
|
||
} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO;
|
||
|
||
// where members have the following meaning:
|
||
//
|
||
// Offset - Is an offset to use for the generation of Posix user and group
|
||
// IDs from SIDs. The Posix ID corresponding to any particular SID is
|
||
// generated by adding the RID of that SID to the Offset of the SID's
|
||
// corresponding TrustedDomain object.
|
||
//
|
||
|
||
//
|
||
// The following data type corresponds to the TrustedPasswordInformation
|
||
// information class.
|
||
//
|
||
|
||
typedef struct _TRUSTED_PASSWORD_INFO {
|
||
LSA_UNICODE_STRING Password;
|
||
LSA_UNICODE_STRING OldPassword;
|
||
} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO;
|
||
|
||
|
||
|
||
|
||
//
|
||
// LSA Enumeration Context
|
||
//
|
||
|
||
typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE;
|
||
|
||
//
|
||
// LSA Enumeration Information
|
||
//
|
||
|
||
typedef struct _LSA_ENUMERATION_INFORMATION {
|
||
|
||
PSID Sid;
|
||
|
||
} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
|
||
|
||
|
||
////////////////////////////////////////////////////////////////////////////
|
||
// //
|
||
// Local Security Policy - Miscellaneous API function prototypes //
|
||
// //
|
||
////////////////////////////////////////////////////////////////////////////
|
||
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaFreeMemory(
|
||
IN PVOID Buffer
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaClose(
|
||
IN LSA_HANDLE ObjectHandle
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaOpenPolicy(
|
||
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
|
||
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
|
||
IN ACCESS_MASK DesiredAccess,
|
||
IN OUT PLSA_HANDLE PolicyHandle
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaQueryInformationPolicy(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN POLICY_INFORMATION_CLASS InformationClass,
|
||
OUT PVOID *Buffer
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaSetInformationPolicy(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN POLICY_INFORMATION_CLASS InformationClass,
|
||
IN PVOID Buffer
|
||
);
|
||
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaEnumerateTrustedDomains(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
|
||
OUT PVOID *Buffer,
|
||
IN ULONG PreferedMaximumLength,
|
||
OUT PULONG CountReturned
|
||
);
|
||
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaLookupNames(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN ULONG Count,
|
||
IN PLSA_UNICODE_STRING Names,
|
||
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
||
OUT PLSA_TRANSLATED_SID *Sids
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaLookupSids(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN ULONG Count,
|
||
IN PSID *Sids,
|
||
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
||
OUT PLSA_TRANSLATED_NAME *Names
|
||
);
|
||
|
||
|
||
|
||
#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
|
||
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
|
||
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
|
||
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
|
||
|
||
//
|
||
// This new API returns all the accounts with a certain privilege
|
||
//
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaEnumerateAccountsWithUserRight(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN OPTIONAL PLSA_UNICODE_STRING UserRights,
|
||
OUT PVOID *EnumerationBuffer,
|
||
OUT PULONG CountReturned
|
||
);
|
||
|
||
//
|
||
// These new APIs differ by taking a SID instead of requiring the caller
|
||
// to open the account first and passing in an account handle
|
||
//
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaEnumerateAccountRights(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PSID AccountSid,
|
||
OUT PLSA_UNICODE_STRING *UserRights,
|
||
OUT PULONG CountOfRights
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaAddAccountRights(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PSID AccountSid,
|
||
IN PLSA_UNICODE_STRING UserRights,
|
||
IN ULONG CountOfRights
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaRemoveAccountRights(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PSID AccountSid,
|
||
IN BOOLEAN AllRights,
|
||
IN PLSA_UNICODE_STRING UserRights,
|
||
IN ULONG CountOfRights
|
||
);
|
||
|
||
|
||
///////////////////////////////////////////////////////////////////////////////
|
||
// //
|
||
// Local Security Policy - Trusted Domain Object API function prototypes //
|
||
// //
|
||
///////////////////////////////////////////////////////////////////////////////
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaQueryTrustedDomainInfo(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PSID TrustedDomainSid,
|
||
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
||
OUT PVOID *Buffer
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaSetTrustedDomainInformation(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PSID TrustedDomainSid,
|
||
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
||
IN PVOID Buffer
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaDeleteTrustedDomain(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PSID TrustedDomainSid
|
||
);
|
||
|
||
//
|
||
// This API sets the workstation password (equivalent of setting/getting
|
||
// the SSI_SECRET_NAME secret)
|
||
//
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaStorePrivateData(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PLSA_UNICODE_STRING KeyName,
|
||
IN PLSA_UNICODE_STRING PrivateData
|
||
);
|
||
|
||
NTSTATUS
|
||
NTAPI
|
||
LsaRetrievePrivateData(
|
||
IN LSA_HANDLE PolicyHandle,
|
||
IN PLSA_UNICODE_STRING KeyName,
|
||
OUT PLSA_UNICODE_STRING * PrivateData
|
||
);
|
||
|
||
|
||
ULONG
|
||
NTAPI
|
||
LsaNtStatusToWinError(
|
||
NTSTATUS Status
|
||
);
|
||
|
||
//
|
||
// Define a symbol so we can tell if ntifs.h has been included.
|
||
//
|
||
|
||
// begin_ntifs
|
||
#ifndef _NTLSA_IFS_
|
||
#define _NTLSA_IFS_
|
||
#endif
|
||
// end_ntifs
|
||
|
||
#ifndef _NTDEF_
|
||
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
|
||
#endif
|
||
|
||
typedef NTSTATUS (*PSAM_PASSWORD_NOTIFICATION_ROUTINE) (
|
||
PUNICODE_STRING UserName,
|
||
ULONG RelativeId,
|
||
PUNICODE_STRING NewPassword
|
||
);
|
||
|
||
#define SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE "PasswordChangeNotify"
|
||
|
||
typedef BOOLEAN (*PSAM_INIT_NOTIFICATION_ROUTINE) (
|
||
);
|
||
|
||
#define SAM_INIT_NOTIFICATION_ROUTINE "InitializeChangeNotify"
|
||
|
||
|
||
#define SAM_PASSWORD_FILTER_ROUTINE "PasswordFilter"
|
||
|
||
typedef BOOLEAN (*PSAM_PASSWORD_FILTER_ROUTINE) (
|
||
IN PUNICODE_STRING AccountName,
|
||
IN PUNICODE_STRING FullName,
|
||
IN PUNICODE_STRING Password,
|
||
IN BOOLEAN SetOperation
|
||
);
|
||
|
||
|
||
#ifdef __cplusplus
|
||
}
|
||
#endif
|
||
|
||
#endif /* _NTSECAPI_ */
|
||
|