/*++ BUILD Version: 0006 Increment this if a change has global effects Copyright 1990 - 1998 Microsoft Corporation Module Name: ntsecapi.h Abstract: This module defines the Local Security Authority APIs. Revision History: --*/ #ifndef _NTSECAPI_ #define _NTSECAPI_ #ifdef __cplusplus extern "C" { #endif #ifndef _NTDEF_ typedef LONG NTSTATUS, *PNTSTATUS; #endif #ifndef _NTLSA_IFS_ // begin_ntifs // // Security operation mode of the system is held in a control // longword. // typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE; // end_ntifs #endif // _NTLSA_IFS_ // // The flags in the security operational mode are defined // as: // // PasswordProtected - Some level of authentication (such as // a password) must be provided by users before they are // allowed to use the system. Once set, this value will // not be cleared without re-booting the system. // // IndividualAccounts - Each user must identify an account to // logon to. This flag is only meaningful if the // PasswordProtected flag is also set. If this flag is // not set and the PasswordProtected flag is set, then all // users may logon to the same account. Once set, this value // will not be cleared without re-booting the system. // // MandatoryAccess - Indicates the system is running in a mandatory // access control mode (e.g., B-level as defined by the U.S.A's // Department of Defense's "Orange Book"). This is not utilized // in the current release of NT. This flag is only meaningful // if both the PasswordProtected and IndividualAccounts flags are // set. Once set, this value will not be cleared without // re-booting the system. // // LogFull - Indicates the system has been brought up in a mode in // which if must perform security auditing, but its audit log // is full. This may (should) restrict the operations that // can occur until the audit log is made not-full again. THIS // VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT // REBOOTING). // // If the PasswordProtected flag is not set, then the system is running // without security, and user interface should be adjusted appropriately. // #define LSA_MODE_PASSWORD_PROTECTED (0x00000001L) #define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L) #define LSA_MODE_MANDATORY_ACCESS (0x00000004L) #define LSA_MODE_LOG_FULL (0x00000008L) #ifndef _NTLSA_IFS_ // begin_ntifs // // Used by a logon process to indicate what type of logon is being // requested. // typedef enum _SECURITY_LOGON_TYPE { Interactive = 2, // Interactively logged on (locally or remotely) Network, // Accessing system via network Batch, // Started via a batch queue Service, // Service started by service controller Proxy, // Proxy logon Unlock // Unlock workstation } SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE; // end_ntifs #endif // _NTLSA_IFS_ // // Audit Event Categories // // The following are the built-in types or Categories of audit event. // WARNING! This structure is subject to expansion. The user should not // compute the number of elements of this type directly, but instead // should obtain the count of elements by calling LsaQueryInformationPolicy() // for the PolicyAuditEventsInformation class and extracting the count from // the MaximumAuditEventCount field of the returned structure. // typedef enum _POLICY_AUDIT_EVENT_TYPE { AuditCategorySystem, AuditCategoryLogon, AuditCategoryObjectAccess, AuditCategoryPrivilegeUse, AuditCategoryDetailedTracking, AuditCategoryPolicyChange, AuditCategoryAccountManagement, AuditCategoryDirectoryServiceAccess, AuditCategoryAccountLogon } POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE; // // The following defines describe the auditing options for each // event type // // Leave options specified for this event unchanged #define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L) // Audit successful occurrences of events of this type #define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L) // Audit failed attempts to cause an event of this type to occur #define POLICY_AUDIT_EVENT_FAILURE (0x00000002L) #define POLICY_AUDIT_EVENT_NONE (0x00000004L) // Mask of valid event auditing options #define POLICY_AUDIT_EVENT_MASK \ (POLICY_AUDIT_EVENT_SUCCESS | \ POLICY_AUDIT_EVENT_FAILURE | \ POLICY_AUDIT_EVENT_UNCHANGED | \ POLICY_AUDIT_EVENT_NONE) #ifdef _NTDEF_ // begin_ntifs typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; typedef STRING LSA_STRING, *PLSA_STRING; typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; // end_ntifs #else // _NTDEF_ #ifndef IN #define IN #endif #ifndef OUT #define OUT #endif #ifndef OPTIONAL #define OPTIONAL #endif typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING; typedef struct _LSA_STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } LSA_STRING, *PLSA_STRING; typedef struct _LSA_OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PLSA_UNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE } LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES; #endif // _NTDEF_ // // Macro for determining whether an API succeeded. // #define LSA_SUCCESS(Error) ((LONG)(Error) >= 0) #ifndef _NTLSA_IFS_ // begin_ntifs NTSTATUS NTAPI LsaRegisterLogonProcess ( IN PLSA_STRING LogonProcessName, OUT PHANDLE LsaHandle, OUT PLSA_OPERATIONAL_MODE SecurityMode ); // end_ntifs // begin_ntsrv NTSTATUS NTAPI LsaLogonUser ( IN HANDLE LsaHandle, IN PLSA_STRING OriginName, IN SECURITY_LOGON_TYPE LogonType, IN ULONG AuthenticationPackage, IN PVOID AuthenticationInformation, IN ULONG AuthenticationInformationLength, IN PTOKEN_GROUPS LocalGroups OPTIONAL, IN PTOKEN_SOURCE SourceContext, OUT PVOID *ProfileBuffer, OUT PULONG ProfileBufferLength, OUT PLUID LogonId, OUT PHANDLE Token, OUT PQUOTA_LIMITS Quotas, OUT PNTSTATUS SubStatus ); // end_ntsrv // begin_ntifs NTSTATUS NTAPI LsaLookupAuthenticationPackage ( IN HANDLE LsaHandle, IN PLSA_STRING PackageName, OUT PULONG AuthenticationPackage ); NTSTATUS NTAPI LsaFreeReturnBuffer ( IN PVOID Buffer ); NTSTATUS NTAPI LsaCallAuthenticationPackage ( IN HANDLE LsaHandle, IN ULONG AuthenticationPackage, IN PVOID ProtocolSubmitBuffer, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus ); NTSTATUS NTAPI LsaDeregisterLogonProcess ( IN HANDLE LsaHandle ); NTSTATUS NTAPI LsaConnectUntrusted ( OUT PHANDLE LsaHandle ); // end_ntifs #endif // _NTLSA_IFS_ //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy Administration API datatypes and defines // // // //////////////////////////////////////////////////////////////////////////// // // Possible locations for the Ds policy // #define POLICY_MACHINE_POLICY_LOCAL 0x0 #define POLICY_MACHINE_POLICY_DEFAULTED 0x1 #define POLICY_MACHINE_POLICY_EXPLICIT 0x2 #define POLICY_MACHINE_POLICY_UNKNOWN 0xFFFFFFFF // Internal flag only // // Access types for the Policy object // #define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L #define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L #define POLICY_GET_PRIVATE_INFORMATION 0x00000004L #define POLICY_TRUST_ADMIN 0x00000008L #define POLICY_CREATE_ACCOUNT 0x00000010L #define POLICY_CREATE_SECRET 0x00000020L #define POLICY_CREATE_PRIVILEGE 0x00000040L #define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L #define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L #define POLICY_AUDIT_LOG_ADMIN 0x00000200L #define POLICY_SERVER_ADMIN 0x00000400L #define POLICY_LOOKUP_NAMES 0x00000800L #define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\ POLICY_VIEW_LOCAL_INFORMATION |\ POLICY_VIEW_AUDIT_INFORMATION |\ POLICY_GET_PRIVATE_INFORMATION |\ POLICY_TRUST_ADMIN |\ POLICY_CREATE_ACCOUNT |\ POLICY_CREATE_SECRET |\ POLICY_CREATE_PRIVILEGE |\ POLICY_SET_DEFAULT_QUOTA_LIMITS |\ POLICY_SET_AUDIT_REQUIREMENTS |\ POLICY_AUDIT_LOG_ADMIN |\ POLICY_SERVER_ADMIN |\ POLICY_LOOKUP_NAMES ) #define POLICY_READ (STANDARD_RIGHTS_READ |\ POLICY_VIEW_AUDIT_INFORMATION |\ POLICY_GET_PRIVATE_INFORMATION) #define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\ POLICY_TRUST_ADMIN |\ POLICY_CREATE_ACCOUNT |\ POLICY_CREATE_SECRET |\ POLICY_CREATE_PRIVILEGE |\ POLICY_SET_DEFAULT_QUOTA_LIMITS |\ POLICY_SET_AUDIT_REQUIREMENTS |\ POLICY_AUDIT_LOG_ADMIN |\ POLICY_SERVER_ADMIN) #define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\ POLICY_VIEW_LOCAL_INFORMATION |\ POLICY_LOOKUP_NAMES ) // // Policy object specific data types. // // // The following data type is used to identify a domain // typedef struct _LSA_TRUST_INFORMATION { LSA_UNICODE_STRING Name; PSID Sid; } LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION; // where members have the following usage: // // Name - The name of the domain. // // Sid - A pointer to the Sid of the Domain // // // The following data type is used in name and SID lookup services to // describe the domains referenced in the lookup operation. // typedef struct _LSA_REFERENCED_DOMAIN_LIST { ULONG Entries; PLSA_TRUST_INFORMATION Domains; } LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST; // where members have the following usage: // // Entries - Is a count of the number of domains described in the // Domains array. // // Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data // structures. // // // The following data type is used in name to SID lookup services to describe // the domains referenced in the lookup operation. // typedef struct _LSA_TRANSLATED_SID { SID_NAME_USE Use; ULONG RelativeId; LONG DomainIndex; } LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID; // where members have the following usage: // // Use - identifies the use of the SID. If this value is SidUnknown or // SidInvalid, then the remainder of the record is not set and // should be ignored. // // RelativeId - Contains the relative ID of the translated SID. The // remainder of the SID (the prefix) is obtained using the // DomainIndex field. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the // domain in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used in SID to name lookup services to // describe the domains referenced in the lookup operation. // typedef struct _LSA_TRANSLATED_NAME { SID_NAME_USE Use; LSA_UNICODE_STRING Name; LONG DomainIndex; } LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME; // where the members have the following usage: // // Use - Identifies the use of the name. If this value is SidUnknown // or SidInvalid, then the remainder of the record is not set and // should be ignored. If this value is SidWellKnownGroup then the // Name field is invalid, but the DomainIndex field is not. // // Name - Contains the isolated name of the translated SID. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the domain // in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used to represent the role of the LSA // server (primary or backup). // typedef enum _POLICY_LSA_SERVER_ROLE { PolicyServerRoleBackup = 2, PolicyServerRolePrimary } POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE; // // The following data type is used to represent the state of the LSA // server (enabled or disabled). Some operations may only be performed on // an enabled LSA server. // typedef enum _POLICY_SERVER_ENABLE_STATE { PolicyServerEnabled = 2, PolicyServerDisabled } POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE; // // The following data type is used to specify the auditing options for // an Audit Event Type. // typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS; // where the following flags can be set: // // POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options // unchanged for events of this type. This flag is only used for // set operations. If this flag is set, then all other flags // are ignored. // // POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events // of this type. If this flag is set, the success/failure flags // are ignored. // // POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all // successful occurrences of events of the given type. // // POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all // unsuccessful occurrences of events of the given type. // // // The following data type is used to return information about privileges // defined on a system. // typedef struct _POLICY_PRIVILEGE_DEFINITION { LSA_UNICODE_STRING Name; LUID LocalValue; } POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION; // where the members have the following usage: // // Name - Is the architected name of the privilege. This is the // primary key of the privilege and the only value that is // transportable between systems. // // Luid - is a LUID value assigned locally for efficient representation // of the privilege. Ths value is meaningful only on the system it // was assigned on and is not transportable in any way. // // // The following data type defines the classes of Policy Information // that may be queried/set. // typedef enum _POLICY_INFORMATION_CLASS { PolicyAuditLogInformation = 1, PolicyAuditEventsInformation, PolicyPrimaryDomainInformation, PolicyPdAccountInformation, PolicyAccountDomainInformation, PolicyLsaServerRoleInformation, PolicyReplicaSourceInformation, PolicyDefaultQuotaInformation, PolicyModificationInformation, PolicyAuditFullSetInformation, PolicyAuditFullQueryInformation, PolicyDnsDomainInformation, PolicyEfsInformation } POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS; // // The following data type corresponds to the PolicyAuditLogInformation // information class. It is used to represent information relating to // the Audit Log. // // This structure may be used in both query and set operations. However, // when used in set operations, some fields are ignored. // typedef struct _POLICY_AUDIT_LOG_INFO { ULONG AuditLogPercentFull; ULONG MaximumLogSize; LARGE_INTEGER AuditRetentionPeriod; BOOLEAN AuditLogFullShutdownInProgress; LARGE_INTEGER TimeToShutdown; ULONG NextAuditRecordId; } POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO; // where the members have the following usage: // // AuditLogPercentFull - Indicates the percentage of the Audit Log // currently being used. // // MaximumLogSize - Specifies the maximum size of the Audit Log in // kilobytes. // // AuditRetentionPeriod - Indicates the length of time that Audit // Records are to be retained. Audit Records are discardable // if their timestamp predates the current time minus the // retention period. // // AuditLogFullShutdownInProgress - Indicates whether or not a system // shutdown is being initiated due to the security Audit Log becoming // full. This condition will only occur if the system is configured // to shutdown when the log becomes full. // // TRUE indicates that a shutdown is in progress // FALSE indicates that a shutdown is not in progress. // // Once a shutdown has been initiated, this flag will be set to // TRUE. If an administrator is able to currect the situation // before the shutdown becomes irreversible, then this flag will // be reset to false. // // This field is ignored for set operations. // // TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set, // then this field contains the time left before the shutdown // becomes irreversible. // // This field is ignored for set operations. // // // The following data type corresponds to the PolicyAuditEventsInformation // information class. It is used to represent information relating to // the audit requirements. // typedef struct _POLICY_AUDIT_EVENTS_INFO { BOOLEAN AuditingMode; PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; ULONG MaximumAuditEventCount; } POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO; // where the members have the following usage: // // AuditingMode - A Boolean variable specifying the Auditing Mode value. // This value is interpreted as follows: // // TRUE - Auditing is to be enabled (set operations) or is enabled // (query operations). Audit Records will be generated according // to the Event Auditing Options in effect (see the // EventAuditingOptions field. // // FALSE - Auditing is to be disabled (set operations) or is // disabled (query operations). No Audit Records will be // generated. Note that for set operations the Event Auditing // Options in effect will still be updated as specified by the // EventAuditingOptions field whether Auditing is enabled or // disabled. // // EventAuditingOptions - Pointer to an array of Auditing Options // indexed by Audit Event Type. // // MaximumAuditEventCount - Specifiesa count of the number of Audit // Event Types specified by the EventAuditingOptions parameter. If // this count is less than the number of Audit Event Types supported // by the system, the Auditing Options for Event Types with IDs // higher than (MaximumAuditEventCount + 1) are left unchanged. // // // The following structure corresponds to the PolicyAccountDomainInformation // information class. // typedef struct _POLICY_ACCOUNT_DOMAIN_INFO { LSA_UNICODE_STRING DomainName; PSID DomainSid; } POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO; // where the members have the following usage: // // DomainName - Is the name of the domain // // DomainSid - Is the Sid of the domain // // // The following structure corresponds to the PolicyPrimaryDomainInformation // information class. // typedef struct _POLICY_PRIMARY_DOMAIN_INFO { LSA_UNICODE_STRING Name; PSID Sid; } POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the domain // // Sid - Is the Sid of the domain // // // The following structure corresponds to the PolicyDnsDomainInformation // information class // typedef struct _POLICY_DNS_DOMAIN_INFO { LSA_UNICODE_STRING Name; LSA_UNICODE_STRING DnsDomainName; LSA_UNICODE_STRING DnsTreeName; GUID DomainGuid; PSID Sid; } POLICY_DNS_DOMAIN_INFO, *PPOLICY_DNS_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the Domain // // DnsDomainName - Is the DNS name of the domain // // DnsTreeName - Is the DNS tree name of the domain // // DomainGuid - Is the GUID of the domain // // Sid - Is the Sid of the domain // // The following structure corresponds to the PolicyPdAccountInformation // information class. This structure may be used in Query operations // only. // typedef struct _POLICY_PD_ACCOUNT_INFO { LSA_UNICODE_STRING Name; } POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO; // where the members have the following usage: // // Name - Is the name of an account in the domain that should be used // for authentication and name/ID lookup requests. // // // The following structure corresponds to the PolicyLsaServerRoleInformation // information class. // typedef struct _POLICY_LSA_SERVER_ROLE_INFO { POLICY_LSA_SERVER_ROLE LsaServerRole; } POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO; // where the fields have the following usage: // // TBS // // // The following structure corresponds to the PolicyReplicaSourceInformation // information class. // typedef struct _POLICY_REPLICA_SOURCE_INFO { LSA_UNICODE_STRING ReplicaSource; LSA_UNICODE_STRING ReplicaAccountName; } POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO; // // The following structure corresponds to the PolicyDefaultQuotaInformation // information class. // typedef struct _POLICY_DEFAULT_QUOTA_INFO { QUOTA_LIMITS QuotaLimits; } POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO; // // The following structure corresponds to the PolicyModificationInformation // information class. // typedef struct _POLICY_MODIFICATION_INFO { LARGE_INTEGER ModifiedId; LARGE_INTEGER DatabaseCreationTime; } POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO; // where the members have the following usage: // // ModifiedId - Is a 64-bit unsigned integer that is incremented each // time anything in the LSA database is modified. This value is // only modified on Primary Domain Controllers. // // DatabaseCreationTime - Is the date/time that the LSA Database was // created. On Backup Domain Controllers, this value is replicated // from the Primary Domain Controller. // // // The following structure type corresponds to the PolicyAuditFullSetInformation // Information Class. // typedef struct _POLICY_AUDIT_FULL_SET_INFO { BOOLEAN ShutDownOnFull; } POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO; // // The following structure type corresponds to the PolicyAuditFullQueryInformation // Information Class. // typedef struct _POLICY_AUDIT_FULL_QUERY_INFO { BOOLEAN ShutDownOnFull; BOOLEAN LogIsFull; } POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO; // // The following structure corresponds to the PolicyEfsInformation // information class // typedef struct _POLICY_EFS_INFO { ULONG InfoLength; PUCHAR EfsBlob; } POLICY_EFS_INFO, *PPOLICY_EFS_INFO; // where the members have the following usage: // // InfoLength - Length of the EFS Information blob // // EfsBlob - Efs blob data // // // The following data type defines the classes of Policy Information // that may be queried/set for the local machine. // typedef enum _POLICY_LOCAL_INFORMATION_CLASS { PolicyLocalAuditEventsInformation = 1, PolicyLocalPdAccountInformation, PolicyLocalAccountDomainInformation, PolicyLocalLsaServerRoleInformation, PolicyLocalReplicaSourceInformation, PolicyLocalModificationInformation, PolicyLocalAuditFullSetInformation, PolicyLocalAuditFullQueryInformation, PolicyLocalDnsDomainInformation, PolicyLocalIPSecReferenceInformation, PolicyLocalMachinePasswordInformation, PolicyLocalQualityOfServiceInformation, PolicyLocalPolicyLocationInformation } POLICY_LOCAL_INFORMATION_CLASS, *PPOLICY_LOCAL_INFORMATION_CLASS; // // The following data type corresponds to the PolicyLocalIPSecReferenceInformation // information class. It is used to represent information relating to // the IPSec object reference. // // This structure may be used in both query and set operations. However, // when used in set operations, some fields are ignored. // typedef struct _POLICY_LOCAL_IPSEC_REFERENCE_INFO { LSA_UNICODE_STRING ObjectPath; } POLICY_LOCAL_IPSEC_REFERENCE_INFO, *PPOLICY_LOCAL_IPSEC_REFERENCE_INFO; // where the members have the following usage: // // ObjectPath - A unicode string giving the Ds path to the object // // ObjectId - Specifies the GUID of the object // // // Machine password information. Corresponds to PolicyLocalMachinePasswordInformation // typedef struct _POLICY_LOCAL_MACHINE_PASSWORD_INFO { LARGE_INTEGER PasswordChangeInterval; } POLICY_LOCAL_MACHINE_PASSWORD_INFO, *PPOLICY_LOCAL_MACHINE_PASSWORD_INFO; // // where the members have the following usage: // // PasswordChangeInterval - Duration between password changes // // // Policy location information. Corresponds to PolicyLocalPolicyLocationInformation // #define POLICY_LOCATION_LOCAL 1 #define POLICY_LOCATION_DS 2 typedef struct _POLICY_LOCAL_POLICY_LOCATION_INFO { ULONG PolicyLocation; } POLICY_LOCAL_POLICY_LOCATION_INFO, *PPOLICY_LOCAL_POLICY_LOCATION_INFO; // // QualityOfService information. Corresponds to PolicyLocalQualityOfServiceInformation // #define POLICY_QOS_SCHANEL_REQUIRED 0x00000001 #define POLICY_QOS_OUTBOUND_INTEGRITY 0x00000002 #define POLICY_QOS_OUTBOUND_CONFIDENTIALITY 0x00000004 #define POLICY_QOS_INBOUND_INTEGREITY 0x00000008 #define POLICY_QOS_INBOUND_CONFIDENTIALITY 0x00000010 #define POLICY_QOS_ALLOW_LOCAL_ROOT_CERT_STORE 0x00000020 #define POLICY_QOS_RAS_SERVER_ALLOWED 0x00000040 #define POLICY_QOS_DHCP_SERVER_ALLOWD 0x00000080 // // Bits 0x00000100 through 0xFFFFFFFF are reserved for future use. // typedef struct _POLICY_LOCAL_QUALITY_OF_SERVICE_INFO { ULONG QualityOfService; } POLICY_LOCAL_QUALITY_OF_SERVICE_INFO, *PPOLICY_LOCAL_QUALITY_OF_SERVICE_INFO; // // where the members have the following usage: // // QualityOfService - Determines what specific QOS actions a machine should take // // // The following data type defines the classes of Policy Information // that may be queried/set that has domain wide effect. // typedef enum _POLICY_DOMAIN_INFORMATION_CLASS { PolicyDomainIPSecReferenceInformation = 1, PolicyDomainQualityOfServiceInformation, PolicyDomainEfsInformation, PolicyDomainPublicKeyInformation, PolicyDomainPasswordPolicyInformation, PolicyDomainLockoutInformation, PolicyDomainKerberosTicketInformation } POLICY_DOMAIN_INFORMATION_CLASS, *PPOLICY_DOMAIN_INFORMATION_CLASS; typedef struct _POLICY_LOCAL_QUALITY_OF_SERVICE_INFO POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; typedef struct _POLICY_LOCAL_QUALITY_OF_SERVICE_INFO *PPOLICY_DOMAIN_QUALITY_OF_SERVICE_INFO; // // The following structure corresponds to the PolicyDomainPublicKeyInformation // information class // typedef struct _POLICY_DOMAIN_PUBLIC_KEY_INFO { ULONG InfoLength; PUCHAR PublicKeyInfo; } POLICY_DOMAIN_PUBLIC_KEY_INFO, *PPOLICY_DOMAIN_PUBLIC_KEY_INFO; // where the members have the following usage: // // InfoLength - Length of the PublicKey Information blob // // PublicKeyInfo - PublicKey information blob // // // The following structure corresponds to the PolicyDomainLockoutInformation // information class // typedef struct _POLICY_DOMAIN_LOCKOUT_INFO { LARGE_INTEGER LockoutDuration; //Must be a Delta time LARGE_INTEGER LockoutObservationWindow; //Must be a Delta time USHORT LockoutThreshold; //Zero means no lockout } POLICY_DOMAIN_LOCKOUT_INFO, *PPOLICY_DOMAIN_LOCKOUT_INFO; // // The following structure corresponds to the PolicyPasswordPolicyInformation // typedef struct _POLICY_DOMAIN_PASSWORD_INFO { USHORT MinPasswordLength; USHORT PasswordHistoryLength; ULONG PasswordProperties; LARGE_INTEGER MaxPasswordAge; LARGE_INTEGER MinPasswordAge; } POLICY_DOMAIN_PASSWORD_INFO, *PPOLICY_DOMAIN_PASSWORD_INFO; // // The following structure corresponds to the PolicyDomainKerberosTicketInformation // information class #define POLICY_KERBEROS_FORWARDABLE 0x00000001 #define POLICY_KERBEROS_PROXYABLE 0x00000002 #define POLICY_KERBEROS_RENEWABLE 0x00000004 #define POLICY_KERBEROS_POSTDATEABLE 0x00000008 typedef struct _POLICY_DOMAIN_KERBEROS_TICKET_INFO { ULONG AuthenticationOptions; LARGE_INTEGER MinTicketAge; LARGE_INTEGER MaxTicketAge; LARGE_INTEGER MaxRenewAge; LARGE_INTEGER ProxyLifetime; LARGE_INTEGER ForceLogoff; } POLICY_DOMAIN_KERBEROS_TICKET_INFO, *PPOLICY_DOMAIN_KERBEROS_TICKET_INFO; // // where the members have the following usage // // AuthenticationOptions -- allowed ticket options (POLICY_KERBEROS_* flags ) // // MinTicketAge -- Minimum lifetime for a ticket // // MaxTicketAge -- Maximum lifetime for a ticket // // MaxRenewAge -- Maximum cumulative age a renewable ticket can be with // requring authentication // // ProxyLifetime -- Maximum lifetime for a proxy tickey // // ForceLogoff -- Maximum duration before forcing a user to logoff whose ticket has // expired. // // LSA RPC Context Handle (Opaque form). Note that a Context Handle is // always a pointer type unlike regular handles. // typedef PVOID LSA_HANDLE, *PLSA_HANDLE; // // Trusted Domain Object specific data types // // // This data type defines the following information classes that may be // queried or set. // typedef enum _TRUSTED_INFORMATION_CLASS { TrustedDomainNameInformation = 1, TrustedControllersInformation, TrustedPosixOffsetInformation, TrustedPasswordInformation, TrustedDomainInformationBasic, TrustedDomainInformationEx, TrustedDomainAuthInformation, TrustedDomainFullInformation } TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS; // // The following data type corresponds to the TrustedDomainNameInformation // information class. // typedef struct _TRUSTED_DOMAIN_NAME_INFO { LSA_UNICODE_STRING Name; } TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO; // where members have the following meaning: // // Name - The name of the Trusted Domain. // // // The following data type corresponds to the TrustedControllersInformation // information class. // typedef struct _TRUSTED_CONTROLLERS_INFO { ULONG Entries; PLSA_UNICODE_STRING Names; } TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO; // where members have the following meaning: // // Entries - Indicate how mamy entries there are in the Names array. // // Names - Pointer to an array of LSA_UNICODE_STRING structures containing the // names of domain controllers of the domain. This information may not // be accurate and should be used only as a hint. The order of this // list is considered significant and will be maintained. // // By convention, the first name in this list is assumed to be the // Primary Domain Controller of the domain. If the Primary Domain // Controller is not known, the first name should be set to the NULL // string. // // // The following data type corresponds to the TrustedPosixOffsetInformation // information class. // typedef struct _TRUSTED_POSIX_OFFSET_INFO { ULONG Offset; } TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO; // where members have the following meaning: // // Offset - Is an offset to use for the generation of Posix user and group // IDs from SIDs. The Posix ID corresponding to any particular SID is // generated by adding the RID of that SID to the Offset of the SID's // corresponding TrustedDomain object. // // // The following data type corresponds to the TrustedPasswordInformation // information class. // typedef struct _TRUSTED_PASSWORD_INFO { LSA_UNICODE_STRING Password; LSA_UNICODE_STRING OldPassword; } TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO; typedef LSA_TRUST_INFORMATION TRUSTED_DOMAIN_INFORMATION_BASIC; typedef PLSA_TRUST_INFORMATION *PTRUSTED_DOMAIN_INFORMATION_BASIC; // // Direction of the trust // #define TRUST_DIRECTION_DISABLED 0x00000000 #define TRUST_DIRECTION_INBOUND 0x00000001 #define TRUST_DIRECTION_OUTBOUND 0x00000002 #define TRUST_DIRECTION_BIDIRECTIONAL (TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND) #define TRUST_TYPE_DOWNLEVEL 0x00000001 // NT4 and before #define TRUST_TYPE_UPLEVEL 0x00000002 // NT5 #define TRUST_TYPE_MIT 0x00000003 // Trust with a MIT Kerberos realm #define TRUST_TYPE_DCE 0x00000004 // Trust with a DCE realm // Levels 0x5 - 0x000FFFFF reserved for future use // Provider specific trust levels are from 0x00100000 to 0xFFF00000 #define TRUST_ATTRIBUTE_NON_TRANSITIVE 0x00000001 // Disallow transitivity #define TRUST_ATTRIBUTE_UPLEVEL_ONLY 0x00000002 // Trust link only valid // for uplevel client #define TRUST_ATTRIBUTE_TREE_PARENT 0x00400000 // Denotes that we are setting the trust // to our parent in the org tree... // Trust attributes 0x00000004 through 0x004FFFFFFF reserved for future use // Trust attributes 0x00F00000 through 0x00400000 are reserved for internal use // Trust attributes 0x01000000 through 0xFF000000 are reserved for user // defined values #define TRUST_ATTRIBUTES_VALID 0xFF02FFFF typedef struct _TRUSTED_DOMAIN_INFORMATION_EX { LSA_UNICODE_STRING Name; LSA_UNICODE_STRING FlatName; PSID Sid; ULONG TrustDirection; ULONG TrustType; ULONG TrustAttributes; } TRUSTED_DOMAIN_INFORMATION_EX, *PTRUSTED_DOMAIN_INFORMATION_EX; // // Type of authentication information // #define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry #define TRUST_AUTH_TYPE_NT4OWF 1 // NT4 OWF password #define TRUST_AUTH_TYPE_CLEAR 2 // Cleartext password typedef struct _LSA_AUTH_INFORMATION { LARGE_INTEGER LastUpdateTime; ULONG AuthType; ULONG AuthInfoLength; PUCHAR AuthInfo; } LSA_AUTH_INFORMATION, *PLSA_AUTH_INFORMATION; typedef struct _TRUSTED_DOMAIN_AUTH_INFORMATION { ULONG IncomingAuthInfos; PLSA_AUTH_INFORMATION IncomingAuthenticationInformation; PLSA_AUTH_INFORMATION IncomingPreviousAuthenticationInformation; ULONG OutgoingAuthInfos; PLSA_AUTH_INFORMATION OutgoingAuthenticationInformation; PLSA_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation; } TRUSTED_DOMAIN_AUTH_INFORMATION, *PTRUSTED_DOMAIN_AUTH_INFORMATION; typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION { TRUSTED_DOMAIN_INFORMATION_EX Information; TRUSTED_POSIX_OFFSET_INFO PosixOffset; TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; } TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION; // // LSA Enumeration Context // typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE; // // LSA Enumeration Information // typedef struct _LSA_ENUMERATION_INFORMATION { PSID Sid; } LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION; //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Miscellaneous API function prototypes // // // //////////////////////////////////////////////////////////////////////////// NTSTATUS NTAPI LsaFreeMemory( IN PVOID Buffer ); NTSTATUS NTAPI LsaClose( IN LSA_HANDLE ObjectHandle ); NTSTATUS NTAPI LsaOpenPolicy( IN PLSA_UNICODE_STRING SystemName OPTIONAL, IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes, IN ACCESS_MASK DesiredAccess, IN OUT PLSA_HANDLE PolicyHandle ); NTSTATUS NTAPI LsaQueryInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaQueryLocalInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_LOCAL_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetLocalInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_LOCAL_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaQueryDomainInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetDomainInformationPolicy( IN LSA_HANDLE PolicyHandle, IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaEnumerateTrustedDomains( IN LSA_HANDLE PolicyHandle, IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, OUT PVOID *Buffer, IN ULONG PreferedMaximumLength, OUT PULONG CountReturned ); NTSTATUS NTAPI LsaLookupNames( IN LSA_HANDLE PolicyHandle, IN ULONG Count, IN PLSA_UNICODE_STRING Names, OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, OUT PLSA_TRANSLATED_SID *Sids ); NTSTATUS NTAPI LsaLookupSids( IN LSA_HANDLE PolicyHandle, IN ULONG Count, IN PSID *Sids, OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, OUT PLSA_TRANSLATED_NAME *Names ); #define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight") #define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight") #define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight") #define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight") // // This new API returns all the accounts with a certain privilege // NTSTATUS NTAPI LsaEnumerateAccountsWithUserRight( IN LSA_HANDLE PolicyHandle, IN OPTIONAL PLSA_UNICODE_STRING UserRights, OUT PVOID *EnumerationBuffer, OUT PULONG CountReturned ); // // These new APIs differ by taking a SID instead of requiring the caller // to open the account first and passing in an account handle // NTSTATUS NTAPI LsaEnumerateAccountRights( IN LSA_HANDLE PolicyHandle, IN PSID AccountSid, OUT PLSA_UNICODE_STRING *UserRights, OUT PULONG CountOfRights ); NTSTATUS NTAPI LsaAddAccountRights( IN LSA_HANDLE PolicyHandle, IN PSID AccountSid, IN PLSA_UNICODE_STRING UserRights, IN ULONG CountOfRights ); NTSTATUS NTAPI LsaRemoveAccountRights( IN LSA_HANDLE PolicyHandle, IN PSID AccountSid, IN BOOLEAN AllRights, IN PLSA_UNICODE_STRING UserRights, IN ULONG CountOfRights ); /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Trusted Domain Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// NTSTATUS NTAPI LsaQueryTrustedDomainInfo( IN LSA_HANDLE PolicyHandle, IN PSID TrustedDomainSid, IN TRUSTED_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetTrustedDomainInformation( IN LSA_HANDLE PolicyHandle, IN PSID TrustedDomainSid, IN TRUSTED_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaDeleteTrustedDomain( IN LSA_HANDLE PolicyHandle, IN PSID TrustedDomainSid ); NTSTATUS NTAPI LsaQueryTrustedDomainInfoByName( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, IN TRUSTED_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer ); NTSTATUS NTAPI LsaSetTrustedDomainInfoByName( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING TrustedDomainName, IN TRUSTED_INFORMATION_CLASS InformationClass, IN PVOID Buffer ); NTSTATUS NTAPI LsaEnumerateTrustedDomainsEx( IN LSA_HANDLE PolicyHandle, IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, IN TRUSTED_INFORMATION_CLASS InformationClass, OUT PVOID *Buffer, IN ULONG PreferedMaximumLength, OUT PULONG CountReturned ); NTSTATUS NTAPI LsaCreateTrustedDomainEx( IN LSA_HANDLE PolicyHandle, IN PTRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation, IN PTRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation, IN ACCESS_MASK DesiredAccess, OUT PLSA_HANDLE TrustedDomainHandle ); // // This API sets the workstation password (equivalent of setting/getting // the SSI_SECRET_NAME secret) // NTSTATUS NTAPI LsaStorePrivateData( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING KeyName, IN PLSA_UNICODE_STRING PrivateData ); NTSTATUS NTAPI LsaRetrievePrivateData( IN LSA_HANDLE PolicyHandle, IN PLSA_UNICODE_STRING KeyName, OUT PLSA_UNICODE_STRING * PrivateData ); ULONG NTAPI LsaNtStatusToWinError( NTSTATUS Status ); // // Define a symbol so we can tell if ntifs.h has been included. // // begin_ntifs #ifndef _NTLSA_IFS_ #define _NTLSA_IFS_ #endif // end_ntifs #ifndef _NTDEF_ typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING; #endif typedef NTSTATUS (*PSAM_PASSWORD_NOTIFICATION_ROUTINE) ( PUNICODE_STRING UserName, ULONG RelativeId, PUNICODE_STRING NewPassword ); #define SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE "PasswordChangeNotify" typedef BOOLEAN (*PSAM_INIT_NOTIFICATION_ROUTINE) ( ); #define SAM_INIT_NOTIFICATION_ROUTINE "InitializeChangeNotify" #define SAM_PASSWORD_FILTER_ROUTINE "PasswordFilter" typedef BOOLEAN (*PSAM_PASSWORD_FILTER_ROUTINE) ( IN PUNICODE_STRING AccountName, IN PUNICODE_STRING FullName, IN PUNICODE_STRING Password, IN BOOLEAN SetOperation ); #ifdef __cplusplus } #endif #endif /* _NTSECAPI_ */