3022 lines
89 KiB
C
3022 lines
89 KiB
C
|
/*++ BUILD Version: 0011 // Increment this if a change has global effects
|
|||
|
|
|||
|
Copyright (c) 1989-1999 Microsoft Corporation
|
|||
|
|
|||
|
Module Name:
|
|||
|
|
|||
|
ntlsa.h
|
|||
|
|
|||
|
Abstract:
|
|||
|
|
|||
|
This module contains the public data structures and API definitions
|
|||
|
needed to utilize Local Security Authority (LSA) services.
|
|||
|
|
|||
|
|
|||
|
Author:
|
|||
|
|
|||
|
Jim Kelly (JimK) 21-February-1991
|
|||
|
|
|||
|
Revision History:
|
|||
|
|
|||
|
--*/
|
|||
|
|
|||
|
#ifndef _NTLSA_
|
|||
|
#define _NTLSA_
|
|||
|
|
|||
|
#if _MSC_VER > 1000
|
|||
|
#pragma once
|
|||
|
#endif
|
|||
|
|
|||
|
#ifdef __cplusplus
|
|||
|
extern "C" {
|
|||
|
#endif
|
|||
|
|
|||
|
//
|
|||
|
// Generic negative values for unknown IDs, inapplicable indices etc.
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_UNKNOWN_ID ((ULONG) 0xFFFFFFFFL)
|
|||
|
#define LSA_UNKNOWN_INDEX ((LONG) -1)
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Each time a domain controller is promoted to primary domain
|
|||
|
// controller, its ModifiedId is incremented by this amount.
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_PROMOTION_INCREMENT {0x0,0x10}
|
|||
|
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
#ifndef _NTLSA_IFS_
|
|||
|
// begin_ntifs
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Security operation mode of the system is held in a control
|
|||
|
// longword.
|
|||
|
//
|
|||
|
|
|||
|
typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE;
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
#endif // _NTLSA_IFS_
|
|||
|
|
|||
|
//
|
|||
|
// The flags in the security operational mode are defined
|
|||
|
// as:
|
|||
|
//
|
|||
|
// PasswordProtected - Some level of authentication (such as
|
|||
|
// a password) must be provided by users before they are
|
|||
|
// allowed to use the system. Once set, this value will
|
|||
|
// not be cleared without re-booting the system.
|
|||
|
//
|
|||
|
// IndividualAccounts - Each user must identify an account to
|
|||
|
// logon to. This flag is only meaningful if the
|
|||
|
// PasswordProtected flag is also set. If this flag is
|
|||
|
// not set and the PasswordProtected flag is set, then all
|
|||
|
// users may logon to the same account. Once set, this value
|
|||
|
// will not be cleared without re-booting the system.
|
|||
|
//
|
|||
|
// MandatoryAccess - Indicates the system is running in a mandatory
|
|||
|
// access control mode (e.g., B-level as defined by the U.S.A's
|
|||
|
// Department of Defense's "Orange Book"). This is not utilized
|
|||
|
// in the current release of NT. This flag is only meaningful
|
|||
|
// if both the PasswordProtected and IndividualAccounts flags are
|
|||
|
// set. Once set, this value will not be cleared without
|
|||
|
// re-booting the system.
|
|||
|
//
|
|||
|
// LogFull - Indicates the system has been brought up in a mode in
|
|||
|
// which if must perform security auditing, but its audit log
|
|||
|
// is full. This may (should) restrict the operations that
|
|||
|
// can occur until the audit log is made not-full again. THIS
|
|||
|
// VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT
|
|||
|
// REBOOTING).
|
|||
|
//
|
|||
|
// If the PasswordProtected flag is not set, then the system is running
|
|||
|
// without security, and user interface should be adjusted appropriately.
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L)
|
|||
|
#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L)
|
|||
|
#define LSA_MODE_MANDATORY_ACCESS (0x00000004L)
|
|||
|
#define LSA_MODE_LOG_FULL (0x00000008L)
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Widely used LSA defines //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Defines for Count Limits on LSA API
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_MAXIMUM_SID_COUNT (0x00000100L)
|
|||
|
#define LSA_MAXIMUM_ENUMERATION_LENGTH (32000)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Defines used by ISVs or end-users defining their own privilege DLLs
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_PRIVILEGE_DLL_MAJOR_REV_1 (0x01)
|
|||
|
#define LSA_PRIVILEGE_DLL_MINOR_REV_0 (0x00)
|
|||
|
|
|||
|
#define LSA_PRIVILEGE_DLL_INFO 1
|
|||
|
#define LSA_PRIVILEGE_PROGRAM_NAMES 2
|
|||
|
#define LSA_PRIVILEGE_DISPLAY_NAMES 3
|
|||
|
|
|||
|
//
|
|||
|
// Flag OR'ed into AuthenticationPackage parameter of LsaLogonUser to
|
|||
|
// request that the license server be called upon successful logon.
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_CALL_LICENSE_SERVER 0x80000000
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Data types used by logon processes //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
#ifndef _NTLSA_IFS_
|
|||
|
// begin_ntifs
|
|||
|
//
|
|||
|
// Used by a logon process to indicate what type of logon is being
|
|||
|
// requested.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _SECURITY_LOGON_TYPE {
|
|||
|
Interactive = 2, // Interactively logged on (locally or remotely)
|
|||
|
Network, // Accessing system via network
|
|||
|
Batch, // Started via a batch queue
|
|||
|
Service, // Service started by service controller
|
|||
|
Proxy, // Proxy logon
|
|||
|
Unlock, // Unlock workstation
|
|||
|
NetworkCleartext, // Network logon with cleartext credentials
|
|||
|
NewCredentials, // Clone caller, new default credentials
|
|||
|
RemoteInteractive, // Remote, yet interactive. Terminal server
|
|||
|
CachedInteractive // Try cached credentials without hitting the net.
|
|||
|
} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
#endif // _NTLSA_IFS_
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Security System Access Flags. These correspond to the enumerated
|
|||
|
// type values in SECURITY_LOGON_TYPE.
|
|||
|
//
|
|||
|
// IF YOU ADD A NEW LOGON TYPE HERE, ALSO ADD IT TO THE POLICY_MODE_xxx
|
|||
|
// data definitions.
|
|||
|
//
|
|||
|
|
|||
|
#define SECURITY_ACCESS_INTERACTIVE_LOGON ((ULONG) 0x00000001L)
|
|||
|
#define SECURITY_ACCESS_NETWORK_LOGON ((ULONG) 0x00000002L)
|
|||
|
#define SECURITY_ACCESS_BATCH_LOGON ((ULONG) 0x00000004L)
|
|||
|
#define SECURITY_ACCESS_SERVICE_LOGON ((ULONG) 0x00000010L)
|
|||
|
#define SECURITY_ACCESS_PROXY_LOGON ((ULONG) 0x00000020L)
|
|||
|
#define SECURITY_ACCESS_DENY_INTERACTIVE_LOGON ((ULONG) 0x00000040L)
|
|||
|
#define SECURITY_ACCESS_DENY_NETWORK_LOGON ((ULONG) 0x00000080L)
|
|||
|
#define SECURITY_ACCESS_DENY_BATCH_LOGON ((ULONG) 0x00000100L)
|
|||
|
#define SECURITY_ACCESS_DENY_SERVICE_LOGON ((ULONG) 0x00000200L)
|
|||
|
#define SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON ((ULONG) 0x00000400L)
|
|||
|
#define SECURITY_ACCESS_DENY_REMOTE_INTERACTIVE_LOGON ((ULONG) 0x00000800L)
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Data types related to Auditing //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following enumerated type is used between the reference monitor and
|
|||
|
// LSA in the generation of audit messages. It is used to indicate the
|
|||
|
// type of data being passed as a parameter from the reference monitor
|
|||
|
// to LSA. LSA is responsible for transforming the specified data type
|
|||
|
// into a set of unicode strings that are added to the event record in
|
|||
|
// the audit log.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _SE_ADT_PARAMETER_TYPE {
|
|||
|
|
|||
|
SeAdtParmTypeNone = 0, //Produces 1 parameter
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// None.
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// a unicode string containing "-".
|
|||
|
//
|
|||
|
//Note: This is typically used to
|
|||
|
// indicate that a parameter value
|
|||
|
// was not available.
|
|||
|
//
|
|||
|
|
|||
|
SeAdtParmTypeString, //Produces 1 parameter.
|
|||
|
//Received Value:
|
|||
|
//
|
|||
|
// Unicode String (variable length)
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// No transformation. The string
|
|||
|
// entered into the event record as
|
|||
|
// received.
|
|||
|
//
|
|||
|
// The Address value of the audit info
|
|||
|
// should be a pointer to a UNICODE_STRING
|
|||
|
// structure.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SeAdtParmTypeFileSpec, //Produces 1 parameter.
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// Unicode string containing a file or
|
|||
|
// directory name.
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// Unicode string with the prefix of the
|
|||
|
// file's path replaced by a drive letter
|
|||
|
// if possible.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SeAdtParmTypeUlong, //Produces 1 parameter
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// Ulong
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// Unicode string representation of
|
|||
|
// unsigned integer value.
|
|||
|
|
|||
|
|
|||
|
SeAdtParmTypeSid, //Produces 1 parameter.
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// SID (variable length)
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// String representation of SID
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SeAdtParmTypeLogonId, //Produces 3 parameters.
|
|||
|
//Received Value:
|
|||
|
//
|
|||
|
// LUID (fixed length)
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// param 1: Username string
|
|||
|
// param 2: domain name string
|
|||
|
// param 3: Logon ID (Luid) string
|
|||
|
|
|||
|
|
|||
|
SeAdtParmTypeNoLogonId, //Produces 3 parameters.
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// None.
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// param 1: "-"
|
|||
|
// param 2: "-"
|
|||
|
// param 3: "-"
|
|||
|
//
|
|||
|
//Note:
|
|||
|
//
|
|||
|
// This type is used when a logon ID
|
|||
|
// is needed, but one is not available
|
|||
|
// to pass. For example, if an
|
|||
|
// impersonation logon ID is expected
|
|||
|
// but the subject is not impersonating
|
|||
|
// anyone.
|
|||
|
//
|
|||
|
|
|||
|
SeAdtParmTypeAccessMask, //Produces 1 parameter with formatting.
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// ACCESS_MASK followed by
|
|||
|
// a Unicode string. The unicode
|
|||
|
// string contains the name of the
|
|||
|
// type of object the access mask
|
|||
|
// applies to. The event's source
|
|||
|
// further qualifies the object type.
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// formatted unicode string built to
|
|||
|
// take advantage of the specified
|
|||
|
// source's parameter message file.
|
|||
|
//
|
|||
|
//Note:
|
|||
|
//
|
|||
|
// An access mask containing three
|
|||
|
// access types for a Widget object
|
|||
|
// type (defined by the Foozle source)
|
|||
|
// might end up looking like:
|
|||
|
//
|
|||
|
// %%1062\n\t\t%1066\n\t\t%%601
|
|||
|
//
|
|||
|
// The %%numbers are signals to the
|
|||
|
// event viewer to perform parameter
|
|||
|
// substitution before display.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SeAdtParmTypePrivs, //Produces 1 parameter with formatting.
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// ??? Check with RobertRe and ScottBi
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// formatted unicode string similar to
|
|||
|
// that for access types. Each priv
|
|||
|
// will be formatted to be displayed
|
|||
|
// on its own line. E.g.,
|
|||
|
//
|
|||
|
// %%642\n\t\t%%651\n\t\t%%655
|
|||
|
//
|
|||
|
|
|||
|
SeAdtParmTypeObjectTypes, //Produces 10 parameters with formatting.
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// Produces a list a stringized GUIDS along
|
|||
|
// with information similar to that for
|
|||
|
// an access mask.
|
|||
|
|
|||
|
SeAdtParmTypeHexUlong, //Produces 1 parameter
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// Ulong
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// Unicode string representation of
|
|||
|
// unsigned integer value in hexidecimal.
|
|||
|
|
|||
|
SeAdtParmTypePtr, //Produces 1 parameter
|
|||
|
//Received value:
|
|||
|
//
|
|||
|
// pointer
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// Unicode string representation of
|
|||
|
// unsigned integer value in hexidecimal.
|
|||
|
|
|||
|
SeAdtParmTypeTime, //Produces 2 parameters
|
|||
|
//Recieved value:
|
|||
|
//
|
|||
|
// LARGE_INTEGER
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// Unicode string representation of
|
|||
|
// date and time.
|
|||
|
|
|||
|
//
|
|||
|
SeAdtParmTypeGuid //Produces 1 parameter
|
|||
|
//Recieved value:
|
|||
|
//
|
|||
|
// GUID pointer
|
|||
|
//
|
|||
|
//Results in:
|
|||
|
//
|
|||
|
// Unicode string representation of GUID
|
|||
|
// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE;
|
|||
|
|
|||
|
#ifndef GUID_DEFINED
|
|||
|
#include <guiddef.h>
|
|||
|
#endif /* GUID_DEFINED */
|
|||
|
|
|||
|
typedef struct _SE_ADT_OBJECT_TYPE {
|
|||
|
GUID ObjectType;
|
|||
|
USHORT Flags;
|
|||
|
#define SE_ADT_OBJECT_ONLY 0x1
|
|||
|
USHORT Level;
|
|||
|
ACCESS_MASK AccessMask;
|
|||
|
} SE_ADT_OBJECT_TYPE, *PSE_ADT_OBJECT_TYPE;
|
|||
|
|
|||
|
typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY {
|
|||
|
|
|||
|
SE_ADT_PARAMETER_TYPE Type;
|
|||
|
ULONG Length;
|
|||
|
ULONG_PTR Data[2];
|
|||
|
PVOID Address;
|
|||
|
|
|||
|
} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Structure that will be passed between the Reference Monitor and LSA
|
|||
|
// to transmit auditing information.
|
|||
|
//
|
|||
|
|
|||
|
#define SE_MAX_AUDIT_PARAMETERS 24
|
|||
|
|
|||
|
typedef struct _SE_ADT_PARAMETER_ARRAY {
|
|||
|
|
|||
|
ULONG CategoryId;
|
|||
|
ULONG AuditId;
|
|||
|
ULONG ParameterCount;
|
|||
|
ULONG Length;
|
|||
|
USHORT Type;
|
|||
|
ULONG Flags;
|
|||
|
SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[ SE_MAX_AUDIT_PARAMETERS ];
|
|||
|
|
|||
|
} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY;
|
|||
|
|
|||
|
|
|||
|
#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Audit Event Categories
|
|||
|
//
|
|||
|
// The following are the built-in types or Categories of audit event.
|
|||
|
// WARNING! This structure is subject to expansion. The user should not
|
|||
|
// compute the number of elements of this type directly, but instead
|
|||
|
// should obtain the count of elements by calling LsaQueryInformationPolicy()
|
|||
|
// for the PolicyAuditEventsInformation class and extracting the count from
|
|||
|
// the MaximumAuditEventCount field of the returned structure.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _POLICY_AUDIT_EVENT_TYPE {
|
|||
|
|
|||
|
AuditCategorySystem,
|
|||
|
AuditCategoryLogon,
|
|||
|
AuditCategoryObjectAccess,
|
|||
|
AuditCategoryPrivilegeUse,
|
|||
|
AuditCategoryDetailedTracking,
|
|||
|
AuditCategoryPolicyChange,
|
|||
|
AuditCategoryAccountManagement,
|
|||
|
AuditCategoryDirectoryServiceAccess,
|
|||
|
AuditCategoryAccountLogon
|
|||
|
|
|||
|
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following defines describe the auditing options for each
|
|||
|
// event type
|
|||
|
//
|
|||
|
|
|||
|
// Leave options specified for this event unchanged
|
|||
|
|
|||
|
#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L)
|
|||
|
|
|||
|
// Audit successful occurrences of events of this type
|
|||
|
|
|||
|
#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L)
|
|||
|
|
|||
|
// Audit failed attempts to cause an event of this type to occur
|
|||
|
|
|||
|
#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L)
|
|||
|
|
|||
|
#define POLICY_AUDIT_EVENT_NONE (0x00000004L)
|
|||
|
|
|||
|
// Mask of valid event auditing options
|
|||
|
|
|||
|
#define POLICY_AUDIT_EVENT_MASK \
|
|||
|
(POLICY_AUDIT_EVENT_SUCCESS | \
|
|||
|
POLICY_AUDIT_EVENT_FAILURE | \
|
|||
|
POLICY_AUDIT_EVENT_UNCHANGED | \
|
|||
|
POLICY_AUDIT_EVENT_NONE)
|
|||
|
|
|||
|
|
|||
|
#ifdef _NTDEF_
|
|||
|
// begin_ntifs
|
|||
|
typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
|
|||
|
typedef STRING LSA_STRING, *PLSA_STRING;
|
|||
|
typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
|
|||
|
// end_ntifs
|
|||
|
#else // _NTDEF_
|
|||
|
|
|||
|
#ifndef IN
|
|||
|
#define IN
|
|||
|
#endif
|
|||
|
|
|||
|
#ifndef OUT
|
|||
|
#define OUT
|
|||
|
#endif
|
|||
|
|
|||
|
#ifndef OPTIONAL
|
|||
|
#define OPTIONAL
|
|||
|
#endif
|
|||
|
|
|||
|
|
|||
|
typedef struct _LSA_UNICODE_STRING {
|
|||
|
USHORT Length;
|
|||
|
USHORT MaximumLength;
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[size_is(MaximumLength/2), length_is(Length/2)]
|
|||
|
#endif // MIDL_PASS
|
|||
|
PWSTR Buffer;
|
|||
|
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
|
|||
|
|
|||
|
typedef struct _LSA_STRING {
|
|||
|
USHORT Length;
|
|||
|
USHORT MaximumLength;
|
|||
|
PCHAR Buffer;
|
|||
|
} LSA_STRING, *PLSA_STRING;
|
|||
|
|
|||
|
typedef struct _LSA_OBJECT_ATTRIBUTES {
|
|||
|
ULONG Length;
|
|||
|
HANDLE RootDirectory;
|
|||
|
PLSA_UNICODE_STRING ObjectName;
|
|||
|
ULONG Attributes;
|
|||
|
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
|
|||
|
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
|
|||
|
} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
#endif // _NTDEF_
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Macro for determining whether an API succeeded.
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0)
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Services provided for use by logon processes //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
#ifndef _NTLSA_IFS_
|
|||
|
// begin_ntifs
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaRegisterLogonProcess (
|
|||
|
IN PLSA_STRING LogonProcessName,
|
|||
|
OUT PHANDLE LsaHandle,
|
|||
|
OUT PLSA_OPERATIONAL_MODE SecurityMode
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLogonUser (
|
|||
|
IN HANDLE LsaHandle,
|
|||
|
IN PLSA_STRING OriginName,
|
|||
|
IN SECURITY_LOGON_TYPE LogonType,
|
|||
|
IN ULONG AuthenticationPackage,
|
|||
|
IN PVOID AuthenticationInformation,
|
|||
|
IN ULONG AuthenticationInformationLength,
|
|||
|
IN PTOKEN_GROUPS LocalGroups OPTIONAL,
|
|||
|
IN PTOKEN_SOURCE SourceContext,
|
|||
|
OUT PVOID *ProfileBuffer,
|
|||
|
OUT PULONG ProfileBufferLength,
|
|||
|
OUT PLUID LogonId,
|
|||
|
OUT PHANDLE Token,
|
|||
|
OUT PQUOTA_LIMITS Quotas,
|
|||
|
OUT PNTSTATUS SubStatus
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupAuthenticationPackage (
|
|||
|
IN HANDLE LsaHandle,
|
|||
|
IN PLSA_STRING PackageName,
|
|||
|
OUT PULONG AuthenticationPackage
|
|||
|
);
|
|||
|
|
|||
|
// begin_ntifs
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaFreeReturnBuffer (
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaCallAuthenticationPackage (
|
|||
|
IN HANDLE LsaHandle,
|
|||
|
IN ULONG AuthenticationPackage,
|
|||
|
IN PVOID ProtocolSubmitBuffer,
|
|||
|
IN ULONG SubmitBufferLength,
|
|||
|
OUT PVOID *ProtocolReturnBuffer,
|
|||
|
OUT PULONG ReturnBufferLength,
|
|||
|
OUT PNTSTATUS ProtocolStatus
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaDeregisterLogonProcess (
|
|||
|
IN HANDLE LsaHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaConnectUntrusted (
|
|||
|
OUT PHANDLE LsaHandle
|
|||
|
);
|
|||
|
|
|||
|
#endif // _NTLSA_IFS_
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
// begin_ntsecpkg
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Data types used by authentication packages //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// opaque data type which represents a client request
|
|||
|
//
|
|||
|
|
|||
|
typedef PVOID *PLSA_CLIENT_REQUEST;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// When a logon of a user is requested, the authentication package
|
|||
|
// is expected to return one of the following structures indicating
|
|||
|
// the contents of a user's token.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _LSA_TOKEN_INFORMATION_TYPE {
|
|||
|
LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
|
|||
|
LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
|
|||
|
LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
|
|||
|
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The NULL information is used in cases where a non-authenticated
|
|||
|
// system access is needed. For example, a non-authentication network
|
|||
|
// circuit (such as LAN Manager's null session) can be given NULL
|
|||
|
// information. This will result in an anonymous token being generated
|
|||
|
// for the logon that gives the user no ability to access protected system
|
|||
|
// resources, but does allow access to non-protected system resources.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_TOKEN_INFORMATION_NULL {
|
|||
|
|
|||
|
//
|
|||
|
// Time at which the security context becomes invalid.
|
|||
|
// Use a value in the distant future if the context
|
|||
|
// never expires.
|
|||
|
//
|
|||
|
|
|||
|
LARGE_INTEGER ExpirationTime;
|
|||
|
|
|||
|
//
|
|||
|
// The SID(s) of groups the user is to be made a member of. This should
|
|||
|
// not include WORLD or other system defined and assigned
|
|||
|
// SIDs. These will be added automatically by LSA.
|
|||
|
//
|
|||
|
// Each SID is expected to be in a separately allocated block
|
|||
|
// of memory. The TOKEN_GROUPS structure is also expected to
|
|||
|
// be in a separately allocated block of memory.
|
|||
|
//
|
|||
|
|
|||
|
PTOKEN_GROUPS Groups;
|
|||
|
|
|||
|
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The V1 token information structure is superceeded by the V2 token
|
|||
|
// information structure. The V1 strucure should only be used for
|
|||
|
// backwards compatability.
|
|||
|
// This structure contains information that an authentication package
|
|||
|
// can place in a Version 1 NT token object.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_TOKEN_INFORMATION_V1 {
|
|||
|
|
|||
|
//
|
|||
|
// Time at which the security context becomes invalid.
|
|||
|
// Use a value in the distant future if the context
|
|||
|
// never expires.
|
|||
|
//
|
|||
|
|
|||
|
LARGE_INTEGER ExpirationTime;
|
|||
|
|
|||
|
//
|
|||
|
// The SID of the user logging on. The SID value is in a
|
|||
|
// separately allocated block of memory.
|
|||
|
//
|
|||
|
|
|||
|
TOKEN_USER User;
|
|||
|
|
|||
|
//
|
|||
|
// The SID(s) of groups the user is a member of. This should
|
|||
|
// not include WORLD or other system defined and assigned
|
|||
|
// SIDs. These will be added automatically by LSA.
|
|||
|
//
|
|||
|
// Each SID is expected to be in a separately allocated block
|
|||
|
// of memory. The TOKEN_GROUPS structure is also expected to
|
|||
|
// be in a separately allocated block of memory.
|
|||
|
//
|
|||
|
|
|||
|
PTOKEN_GROUPS Groups;
|
|||
|
|
|||
|
//
|
|||
|
// This field is used to establish the primary group of the user.
|
|||
|
// This value does not have to correspond to one of the SIDs
|
|||
|
// assigned to the user.
|
|||
|
//
|
|||
|
// The SID pointed to by this structure is expected to be in
|
|||
|
// a separately allocated block of memory.
|
|||
|
//
|
|||
|
// This field is mandatory and must be filled in.
|
|||
|
//
|
|||
|
|
|||
|
TOKEN_PRIMARY_GROUP PrimaryGroup;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The privileges the user is assigned. This list of privileges
|
|||
|
// will be augmented or over-ridden by any local security policy
|
|||
|
// assigned privileges.
|
|||
|
//
|
|||
|
// Each privilege is expected to be in a separately allocated
|
|||
|
// block of memory. The TOKEN_PRIVILEGES structure is also
|
|||
|
// expected to be in a separately allocated block of memory.
|
|||
|
//
|
|||
|
// If there are no privileges to assign to the user, this field
|
|||
|
// may be set to NULL.
|
|||
|
//
|
|||
|
|
|||
|
PTOKEN_PRIVILEGES Privileges;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// This field may be used to establish an explicit default
|
|||
|
// owner. Normally, the user ID is used as the default owner.
|
|||
|
// If another value is desired, it must be specified here.
|
|||
|
//
|
|||
|
// The Owner.Sid field may be set to NULL to indicate there is no
|
|||
|
// alternate default owner value.
|
|||
|
//
|
|||
|
|
|||
|
TOKEN_OWNER Owner;
|
|||
|
|
|||
|
//
|
|||
|
// This field may be used to establish a default
|
|||
|
// protection for the user. If no value is provided, then
|
|||
|
// a default protection that grants everyone all access will
|
|||
|
// be established.
|
|||
|
//
|
|||
|
// The DefaultDacl.DefaultDacl field may be set to NULL to indicate
|
|||
|
// there is no default protection.
|
|||
|
//
|
|||
|
|
|||
|
TOKEN_DEFAULT_DACL DefaultDacl;
|
|||
|
|
|||
|
} LSA_TOKEN_INFORMATION_V1, *PLSA_TOKEN_INFORMATION_V1;
|
|||
|
|
|||
|
//
|
|||
|
// The V2 information is used in most cases of logon. The structure is identical
|
|||
|
// to the V1 token information structure, with the exception that the memory allocation
|
|||
|
// is handled differently. The LSA_TOKEN_INFORMATION_V2 structure is intended to be
|
|||
|
// allocated monolithiclly, with the privileges, DACL, sids, and group array either part of
|
|||
|
// same allocation, or allocated and freed externally.
|
|||
|
//
|
|||
|
|
|||
|
typedef LSA_TOKEN_INFORMATION_V1 LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Interface definitions available for use by authentication packages //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_CREATE_LOGON_SESSION) (
|
|||
|
IN PLUID LogonId
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_DELETE_LOGON_SESSION) (
|
|||
|
IN PLUID LogonId
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_ADD_CREDENTIAL) (
|
|||
|
IN PLUID LogonId,
|
|||
|
IN ULONG AuthenticationPackage,
|
|||
|
IN PLSA_STRING PrimaryKeyValue,
|
|||
|
IN PLSA_STRING Credentials
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_GET_CREDENTIALS) (
|
|||
|
IN PLUID LogonId,
|
|||
|
IN ULONG AuthenticationPackage,
|
|||
|
IN OUT PULONG QueryContext,
|
|||
|
IN BOOLEAN RetrieveAllCredentials,
|
|||
|
IN PLSA_STRING PrimaryKeyValue,
|
|||
|
OUT PULONG PrimaryKeyLength,
|
|||
|
IN PLSA_STRING Credentials
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_DELETE_CREDENTIAL) (
|
|||
|
IN PLUID LogonId,
|
|||
|
IN ULONG AuthenticationPackage,
|
|||
|
IN PLSA_STRING PrimaryKeyValue
|
|||
|
);
|
|||
|
|
|||
|
typedef PVOID
|
|||
|
(NTAPI LSA_ALLOCATE_LSA_HEAP) (
|
|||
|
IN ULONG Length
|
|||
|
);
|
|||
|
|
|||
|
typedef VOID
|
|||
|
(NTAPI LSA_FREE_LSA_HEAP) (
|
|||
|
IN PVOID Base
|
|||
|
);
|
|||
|
|
|||
|
typedef PVOID
|
|||
|
(NTAPI LSA_ALLOCATE_PRIVATE_HEAP) (
|
|||
|
IN SIZE_T Length
|
|||
|
);
|
|||
|
|
|||
|
typedef VOID
|
|||
|
(NTAPI LSA_FREE_PRIVATE_HEAP) (
|
|||
|
IN PVOID Base
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_ALLOCATE_CLIENT_BUFFER) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN ULONG LengthRequired,
|
|||
|
OUT PVOID *ClientBaseAddress
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_FREE_CLIENT_BUFFER) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN PVOID ClientBaseAddress
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_COPY_TO_CLIENT_BUFFER) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN ULONG Length,
|
|||
|
IN PVOID ClientBaseAddress,
|
|||
|
IN PVOID BufferToCopy
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_COPY_FROM_CLIENT_BUFFER) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN ULONG Length,
|
|||
|
IN PVOID BufferToCopy,
|
|||
|
IN PVOID ClientBaseAddress
|
|||
|
);
|
|||
|
|
|||
|
typedef LSA_CREATE_LOGON_SESSION * PLSA_CREATE_LOGON_SESSION ;
|
|||
|
typedef LSA_DELETE_LOGON_SESSION * PLSA_DELETE_LOGON_SESSION ;
|
|||
|
typedef LSA_ADD_CREDENTIAL * PLSA_ADD_CREDENTIAL ;
|
|||
|
typedef LSA_GET_CREDENTIALS * PLSA_GET_CREDENTIALS ;
|
|||
|
typedef LSA_DELETE_CREDENTIAL * PLSA_DELETE_CREDENTIAL ;
|
|||
|
typedef LSA_ALLOCATE_LSA_HEAP * PLSA_ALLOCATE_LSA_HEAP ;
|
|||
|
typedef LSA_FREE_LSA_HEAP * PLSA_FREE_LSA_HEAP ;
|
|||
|
typedef LSA_ALLOCATE_PRIVATE_HEAP * PLSA_ALLOCATE_PRIVATE_HEAP ;
|
|||
|
typedef LSA_FREE_PRIVATE_HEAP * PLSA_FREE_PRIVATE_HEAP ;
|
|||
|
typedef LSA_ALLOCATE_CLIENT_BUFFER * PLSA_ALLOCATE_CLIENT_BUFFER ;
|
|||
|
typedef LSA_FREE_CLIENT_BUFFER * PLSA_FREE_CLIENT_BUFFER ;
|
|||
|
typedef LSA_COPY_TO_CLIENT_BUFFER * PLSA_COPY_TO_CLIENT_BUFFER ;
|
|||
|
typedef LSA_COPY_FROM_CLIENT_BUFFER * PLSA_COPY_FROM_CLIENT_BUFFER ;
|
|||
|
|
|||
|
//
|
|||
|
// The dispatch table of LSA services which are available to
|
|||
|
// authentication packages.
|
|||
|
//
|
|||
|
typedef struct _LSA_DISPATCH_TABLE {
|
|||
|
PLSA_CREATE_LOGON_SESSION CreateLogonSession;
|
|||
|
PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
|
|||
|
PLSA_ADD_CREDENTIAL AddCredential;
|
|||
|
PLSA_GET_CREDENTIALS GetCredentials;
|
|||
|
PLSA_DELETE_CREDENTIAL DeleteCredential;
|
|||
|
PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
|
|||
|
PLSA_FREE_LSA_HEAP FreeLsaHeap;
|
|||
|
PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
|
|||
|
PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
|
|||
|
PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
|
|||
|
PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
|
|||
|
} LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Interface definitions of services provided by authentication packages //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Routine names
|
|||
|
//
|
|||
|
// The routines provided by the DLL must be assigned the following names
|
|||
|
// so that their addresses can be retrieved when the DLL is loaded.
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_AP_NAME_INITIALIZE_PACKAGE "LsaApInitializePackage\0"
|
|||
|
#define LSA_AP_NAME_LOGON_USER "LsaApLogonUser\0"
|
|||
|
#define LSA_AP_NAME_LOGON_USER_EX "LsaApLogonUserEx\0"
|
|||
|
#define LSA_AP_NAME_CALL_PACKAGE "LsaApCallPackage\0"
|
|||
|
#define LSA_AP_NAME_LOGON_TERMINATED "LsaApLogonTerminated\0"
|
|||
|
#define LSA_AP_NAME_CALL_PACKAGE_UNTRUSTED "LsaApCallPackageUntrusted\0"
|
|||
|
#define LSA_AP_NAME_CALL_PACKAGE_PASSTHROUGH "LsaApCallPackagePassthrough\0"
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Routine templates
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_AP_INITIALIZE_PACKAGE) (
|
|||
|
IN ULONG AuthenticationPackageId,
|
|||
|
IN PLSA_DISPATCH_TABLE LsaDispatchTable,
|
|||
|
IN PLSA_STRING Database OPTIONAL,
|
|||
|
IN PLSA_STRING Confidentiality OPTIONAL,
|
|||
|
OUT PLSA_STRING *AuthenticationPackageName
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_AP_LOGON_USER) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN SECURITY_LOGON_TYPE LogonType,
|
|||
|
IN PVOID AuthenticationInformation,
|
|||
|
IN PVOID ClientAuthenticationBase,
|
|||
|
IN ULONG AuthenticationInformationLength,
|
|||
|
OUT PVOID *ProfileBuffer,
|
|||
|
OUT PULONG ProfileBufferLength,
|
|||
|
OUT PLUID LogonId,
|
|||
|
OUT PNTSTATUS SubStatus,
|
|||
|
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
|
|||
|
OUT PVOID *TokenInformation,
|
|||
|
OUT PLSA_UNICODE_STRING *AccountName,
|
|||
|
OUT PLSA_UNICODE_STRING *AuthenticatingAuthority
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_AP_LOGON_USER_EX) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN SECURITY_LOGON_TYPE LogonType,
|
|||
|
IN PVOID AuthenticationInformation,
|
|||
|
IN PVOID ClientAuthenticationBase,
|
|||
|
IN ULONG AuthenticationInformationLength,
|
|||
|
OUT PVOID *ProfileBuffer,
|
|||
|
OUT PULONG ProfileBufferLength,
|
|||
|
OUT PLUID LogonId,
|
|||
|
OUT PNTSTATUS SubStatus,
|
|||
|
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
|
|||
|
OUT PVOID *TokenInformation,
|
|||
|
OUT PUNICODE_STRING *AccountName,
|
|||
|
OUT PUNICODE_STRING *AuthenticatingAuthority,
|
|||
|
OUT PUNICODE_STRING *MachineName
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_AP_CALL_PACKAGE) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN PVOID ProtocolSubmitBuffer,
|
|||
|
IN PVOID ClientBufferBase,
|
|||
|
IN ULONG SubmitBufferLength,
|
|||
|
OUT PVOID *ProtocolReturnBuffer,
|
|||
|
OUT PULONG ReturnBufferLength,
|
|||
|
OUT PNTSTATUS ProtocolStatus
|
|||
|
);
|
|||
|
|
|||
|
typedef NTSTATUS
|
|||
|
(NTAPI LSA_AP_CALL_PACKAGE_PASSTHROUGH) (
|
|||
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|||
|
IN PVOID ProtocolSubmitBuffer,
|
|||
|
IN PVOID ClientBufferBase,
|
|||
|
IN ULONG SubmitBufferLength,
|
|||
|
OUT PVOID *ProtocolReturnBuffer,
|
|||
|
OUT PULONG ReturnBufferLength,
|
|||
|
OUT PNTSTATUS ProtocolStatus
|
|||
|
);
|
|||
|
|
|||
|
typedef VOID
|
|||
|
(NTAPI LSA_AP_LOGON_TERMINATED) (
|
|||
|
IN PLUID LogonId
|
|||
|
);
|
|||
|
|
|||
|
typedef LSA_AP_CALL_PACKAGE LSA_AP_CALL_PACKAGE_UNTRUSTED;
|
|||
|
|
|||
|
typedef LSA_AP_INITIALIZE_PACKAGE * PLSA_AP_INITIALIZE_PACKAGE ;
|
|||
|
typedef LSA_AP_LOGON_USER * PLSA_AP_LOGON_USER ;
|
|||
|
typedef LSA_AP_LOGON_USER_EX * PLSA_AP_LOGON_USER_EX ;
|
|||
|
typedef LSA_AP_CALL_PACKAGE * PLSA_AP_CALL_PACKAGE ;
|
|||
|
typedef LSA_AP_CALL_PACKAGE_PASSTHROUGH * PLSA_AP_CALL_PACKAGE_PASSTHROUGH ;
|
|||
|
typedef LSA_AP_LOGON_TERMINATED * PLSA_AP_LOGON_TERMINATED ;
|
|||
|
typedef LSA_AP_CALL_PACKAGE_UNTRUSTED * PLSA_AP_CALL_PACKAGE_UNTRUSTED ;
|
|||
|
|
|||
|
// end_ntsecpkg
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy Administration API datatypes and defines //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
//
|
|||
|
// Access types for the Policy object
|
|||
|
//
|
|||
|
|
|||
|
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L
|
|||
|
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L
|
|||
|
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L
|
|||
|
#define POLICY_TRUST_ADMIN 0x00000008L
|
|||
|
#define POLICY_CREATE_ACCOUNT 0x00000010L
|
|||
|
#define POLICY_CREATE_SECRET 0x00000020L
|
|||
|
#define POLICY_CREATE_PRIVILEGE 0x00000040L
|
|||
|
#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L
|
|||
|
#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L
|
|||
|
#define POLICY_AUDIT_LOG_ADMIN 0x00000200L
|
|||
|
#define POLICY_SERVER_ADMIN 0x00000400L
|
|||
|
#define POLICY_LOOKUP_NAMES 0x00000800L
|
|||
|
#define POLICY_NOTIFICATION 0x00001000L
|
|||
|
|
|||
|
#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
|
|||
|
POLICY_VIEW_LOCAL_INFORMATION |\
|
|||
|
POLICY_VIEW_AUDIT_INFORMATION |\
|
|||
|
POLICY_GET_PRIVATE_INFORMATION |\
|
|||
|
POLICY_TRUST_ADMIN |\
|
|||
|
POLICY_CREATE_ACCOUNT |\
|
|||
|
POLICY_CREATE_SECRET |\
|
|||
|
POLICY_CREATE_PRIVILEGE |\
|
|||
|
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
|
|||
|
POLICY_SET_AUDIT_REQUIREMENTS |\
|
|||
|
POLICY_AUDIT_LOG_ADMIN |\
|
|||
|
POLICY_SERVER_ADMIN |\
|
|||
|
POLICY_LOOKUP_NAMES)
|
|||
|
|
|||
|
|
|||
|
#define POLICY_READ (STANDARD_RIGHTS_READ |\
|
|||
|
POLICY_VIEW_AUDIT_INFORMATION |\
|
|||
|
POLICY_GET_PRIVATE_INFORMATION)
|
|||
|
|
|||
|
#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\
|
|||
|
POLICY_TRUST_ADMIN |\
|
|||
|
POLICY_CREATE_ACCOUNT |\
|
|||
|
POLICY_CREATE_SECRET |\
|
|||
|
POLICY_CREATE_PRIVILEGE |\
|
|||
|
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
|
|||
|
POLICY_SET_AUDIT_REQUIREMENTS |\
|
|||
|
POLICY_AUDIT_LOG_ADMIN |\
|
|||
|
POLICY_SERVER_ADMIN)
|
|||
|
|
|||
|
#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
|
|||
|
POLICY_VIEW_LOCAL_INFORMATION |\
|
|||
|
POLICY_LOOKUP_NAMES)
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Policy object specific data types.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used to identify a domain
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_TRUST_INFORMATION {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
PSID Sid;
|
|||
|
|
|||
|
} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
|
|||
|
|
|||
|
// where members have the following usage:
|
|||
|
//
|
|||
|
// Name - The name of the domain.
|
|||
|
//
|
|||
|
// Sid - A pointer to the Sid of the Domain
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used in name and SID lookup services to
|
|||
|
// describe the domains referenced in the lookup operation.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_REFERENCED_DOMAIN_LIST {
|
|||
|
|
|||
|
ULONG Entries;
|
|||
|
PLSA_TRUST_INFORMATION Domains;
|
|||
|
|
|||
|
} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST;
|
|||
|
|
|||
|
// where members have the following usage:
|
|||
|
//
|
|||
|
// Entries - Is a count of the number of domains described in the
|
|||
|
// Domains array.
|
|||
|
//
|
|||
|
// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
|
|||
|
// structures.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used in name to SID lookup services to describe
|
|||
|
// the domains referenced in the lookup operation.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_TRANSLATED_SID {
|
|||
|
|
|||
|
SID_NAME_USE Use;
|
|||
|
ULONG RelativeId;
|
|||
|
LONG DomainIndex;
|
|||
|
|
|||
|
} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID;
|
|||
|
|
|||
|
// where members have the following usage:
|
|||
|
//
|
|||
|
// Use - identifies the use of the SID. If this value is SidUnknown or
|
|||
|
// SidInvalid, then the remainder of the record is not set and
|
|||
|
// should be ignored.
|
|||
|
//
|
|||
|
// RelativeId - Contains the relative ID of the translated SID. The
|
|||
|
// remainder of the SID (the prefix) is obtained using the
|
|||
|
// DomainIndex field.
|
|||
|
//
|
|||
|
// DomainIndex - Is the index of an entry in a related
|
|||
|
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
|
|||
|
// domain in which the account was found.
|
|||
|
//
|
|||
|
// If there is no corresponding reference domain for an entry, then
|
|||
|
// this field will contain a negative value.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_TRANSLATED_SID2 {
|
|||
|
|
|||
|
SID_NAME_USE Use;
|
|||
|
PSID Sid;
|
|||
|
LONG DomainIndex;
|
|||
|
ULONG Flags;
|
|||
|
|
|||
|
} LSA_TRANSLATED_SID2, *PLSA_TRANSLATED_SID2;
|
|||
|
|
|||
|
// where members have the following usage:
|
|||
|
//
|
|||
|
// Use - identifies the use of the SID. If this value is SidUnknown or
|
|||
|
// SidInvalid, then the remainder of the record is not set and
|
|||
|
// should be ignored.
|
|||
|
//
|
|||
|
// Sid - Contains the complete Sid of the tranlated SID
|
|||
|
//
|
|||
|
// DomainIndex - Is the index of an entry in a related
|
|||
|
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
|
|||
|
// domain in which the account was found.
|
|||
|
//
|
|||
|
// If there is no corresponding reference domain for an entry, then
|
|||
|
// this field will contain a negative value.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used in SID to name lookup services to
|
|||
|
// describe the domains referenced in the lookup operation.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_TRANSLATED_NAME {
|
|||
|
|
|||
|
SID_NAME_USE Use;
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
LONG DomainIndex;
|
|||
|
|
|||
|
} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// Use - Identifies the use of the name. If this value is SidUnknown
|
|||
|
// or SidInvalid, then the remainder of the record is not set and
|
|||
|
// should be ignored. If this value is SidWellKnownGroup then the
|
|||
|
// Name field is invalid, but the DomainIndex field is not.
|
|||
|
//
|
|||
|
// Name - Contains the isolated name of the translated SID.
|
|||
|
//
|
|||
|
// DomainIndex - Is the index of an entry in a related
|
|||
|
// LSA_REFERENCED_DOMAIN_LIST data structure describing the domain
|
|||
|
// in which the account was found.
|
|||
|
//
|
|||
|
// If there is no corresponding reference domain for an entry, then
|
|||
|
// this field will contain a negative value.
|
|||
|
//
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// The following data type specifies the ways in which a user or member of
|
|||
|
// an alias or group may be allowed to access the system. An account may
|
|||
|
// be granted zero or more of these types of access to the system.
|
|||
|
//
|
|||
|
// The types of access are:
|
|||
|
//
|
|||
|
// Interactive - The user or alias/group member may interactively logon
|
|||
|
// to the system.
|
|||
|
//
|
|||
|
// Network - The user or alias/group member may access the system via
|
|||
|
// the network (e.g., through shares).
|
|||
|
//
|
|||
|
// Service - The user or alias may be activated as a service on the
|
|||
|
// system.
|
|||
|
//
|
|||
|
|
|||
|
typedef ULONG POLICY_SYSTEM_ACCESS_MODE, *PPOLICY_SYSTEM_ACCESS_MODE;
|
|||
|
|
|||
|
#define POLICY_MODE_INTERACTIVE SECURITY_ACCESS_INTERACTIVE_LOGON
|
|||
|
#define POLICY_MODE_NETWORK SECURITY_ACCESS_NETWORK_LOGON
|
|||
|
#define POLICY_MODE_BATCH SECURITY_ACCESS_BATCH_LOGON
|
|||
|
#define POLICY_MODE_SERVICE SECURITY_ACCESS_SERVICE_LOGON
|
|||
|
#define POLICY_MODE_PROXY SECURITY_ACCESS_PROXY_LOGON
|
|||
|
#define POLICY_MODE_DENY_INTERACTIVE SECURITY_ACCESS_DENY_INTERACTIVE_LOGON
|
|||
|
#define POLICY_MODE_DENY_NETWORK SECURITY_ACCESS_DENY_NETWORK_LOGON
|
|||
|
#define POLICY_MODE_DENY_BATCH SECURITY_ACCESS_DENY_BATCH_LOGON
|
|||
|
#define POLICY_MODE_DENY_SERVICE SECURITY_ACCESS_DENY_SERVICE_LOGON
|
|||
|
#define POLICY_MODE_REMOTE_INTERACTIVE SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON
|
|||
|
#define POLICY_MODE_DENY_REMOTE_INTERACTIVE SECURITY_ACCESS_DENY_REMOTE_INTERACTIVE_LOGON
|
|||
|
|
|||
|
#define POLICY_MODE_ALL (POLICY_MODE_INTERACTIVE | \
|
|||
|
POLICY_MODE_NETWORK | \
|
|||
|
POLICY_MODE_BATCH | \
|
|||
|
POLICY_MODE_SERVICE | \
|
|||
|
POLICY_MODE_PROXY | \
|
|||
|
POLICY_MODE_DENY_INTERACTIVE | \
|
|||
|
POLICY_MODE_DENY_NETWORK | \
|
|||
|
SECURITY_ACCESS_DENY_BATCH_LOGON | \
|
|||
|
SECURITY_ACCESS_DENY_SERVICE_LOGON | \
|
|||
|
POLICY_MODE_REMOTE_INTERACTIVE | \
|
|||
|
POLICY_MODE_DENY_REMOTE_INTERACTIVE )
|
|||
|
|
|||
|
//
|
|||
|
// The following is the bits allowed in NT4.0
|
|||
|
//
|
|||
|
#define POLICY_MODE_ALL_NT4 (POLICY_MODE_INTERACTIVE | \
|
|||
|
POLICY_MODE_NETWORK | \
|
|||
|
POLICY_MODE_BATCH | \
|
|||
|
POLICY_MODE_SERVICE | \
|
|||
|
POLICY_MODE_PROXY )
|
|||
|
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used to represent the role of the LSA
|
|||
|
// server (primary or backup).
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _POLICY_LSA_SERVER_ROLE {
|
|||
|
|
|||
|
PolicyServerRoleBackup = 2,
|
|||
|
PolicyServerRolePrimary
|
|||
|
|
|||
|
} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used to represent the state of the LSA
|
|||
|
// server (enabled or disabled). Some operations may only be performed on
|
|||
|
// an enabled LSA server.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _POLICY_SERVER_ENABLE_STATE {
|
|||
|
|
|||
|
PolicyServerEnabled = 2,
|
|||
|
PolicyServerDisabled
|
|||
|
|
|||
|
} POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used to specify the auditing options for
|
|||
|
// an Audit Event Type.
|
|||
|
//
|
|||
|
|
|||
|
typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS;
|
|||
|
|
|||
|
// where the following flags can be set:
|
|||
|
//
|
|||
|
// POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options
|
|||
|
// unchanged for events of this type. This flag is only used for
|
|||
|
// set operations. If this flag is set, then all other flags
|
|||
|
// are ignored.
|
|||
|
//
|
|||
|
// POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events
|
|||
|
// of this type. If this flag is set, the success/failure flags
|
|||
|
// are ignored.
|
|||
|
//
|
|||
|
// POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all
|
|||
|
// successful occurrences of events of the given type.
|
|||
|
//
|
|||
|
// POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all
|
|||
|
// unsuccessful occurrences of events of the given type.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// The following data type is used to return information about privileges
|
|||
|
// defined on a system.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_PRIVILEGE_DEFINITION {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
LUID LocalValue;
|
|||
|
|
|||
|
} POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// Name - Is the architected name of the privilege. This is the
|
|||
|
// primary key of the privilege and the only value that is
|
|||
|
// transportable between systems.
|
|||
|
//
|
|||
|
// Luid - is a LUID value assigned locally for efficient representation
|
|||
|
// of the privilege. Ths value is meaningful only on the system it
|
|||
|
// was assigned on and is not transportable in any way.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// System Flags for LsaLookupNames2
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Note the flags start backward so that public values
|
|||
|
// don't have gaps.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// This flag controls LsaLookupNames2 such that isolated names, including
|
|||
|
// UPN's are not searched for off the machine. Composite names
|
|||
|
// (domain\username) are still sent off machine if necessary.
|
|||
|
//
|
|||
|
#define LSA_LOOKUP_ISOLATED_AS_LOCAL 0x80000000
|
|||
|
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// The following data type defines the classes of Policy Information
|
|||
|
// that may be queried/set.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _POLICY_INFORMATION_CLASS {
|
|||
|
|
|||
|
PolicyAuditLogInformation = 1,
|
|||
|
PolicyAuditEventsInformation,
|
|||
|
PolicyPrimaryDomainInformation,
|
|||
|
PolicyPdAccountInformation,
|
|||
|
PolicyAccountDomainInformation,
|
|||
|
PolicyLsaServerRoleInformation,
|
|||
|
PolicyReplicaSourceInformation,
|
|||
|
PolicyDefaultQuotaInformation,
|
|||
|
PolicyModificationInformation,
|
|||
|
PolicyAuditFullSetInformation,
|
|||
|
PolicyAuditFullQueryInformation,
|
|||
|
PolicyDnsDomainInformation,
|
|||
|
PolicyDnsDomainInformationInt
|
|||
|
|
|||
|
} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type corresponds to the PolicyAuditLogInformation
|
|||
|
// information class. It is used to represent information relating to
|
|||
|
// the Audit Log.
|
|||
|
//
|
|||
|
// This structure may be used in both query and set operations. However,
|
|||
|
// when used in set operations, some fields are ignored.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_AUDIT_LOG_INFO {
|
|||
|
|
|||
|
ULONG AuditLogPercentFull;
|
|||
|
ULONG MaximumLogSize;
|
|||
|
LARGE_INTEGER AuditRetentionPeriod;
|
|||
|
BOOLEAN AuditLogFullShutdownInProgress;
|
|||
|
LARGE_INTEGER TimeToShutdown;
|
|||
|
ULONG NextAuditRecordId;
|
|||
|
|
|||
|
} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// AuditLogPercentFull - Indicates the percentage of the Audit Log
|
|||
|
// currently being used.
|
|||
|
//
|
|||
|
// MaximumLogSize - Specifies the maximum size of the Audit Log in
|
|||
|
// kilobytes.
|
|||
|
//
|
|||
|
// AuditRetentionPeriod - Indicates the length of time that Audit
|
|||
|
// Records are to be retained. Audit Records are discardable
|
|||
|
// if their timestamp predates the current time minus the
|
|||
|
// retention period.
|
|||
|
//
|
|||
|
// AuditLogFullShutdownInProgress - Indicates whether or not a system
|
|||
|
// shutdown is being initiated due to the security Audit Log becoming
|
|||
|
// full. This condition will only occur if the system is configured
|
|||
|
// to shutdown when the log becomes full.
|
|||
|
//
|
|||
|
// TRUE indicates that a shutdown is in progress
|
|||
|
// FALSE indicates that a shutdown is not in progress.
|
|||
|
//
|
|||
|
// Once a shutdown has been initiated, this flag will be set to
|
|||
|
// TRUE. If an administrator is able to currect the situation
|
|||
|
// before the shutdown becomes irreversible, then this flag will
|
|||
|
// be reset to false.
|
|||
|
//
|
|||
|
// This field is ignored for set operations.
|
|||
|
//
|
|||
|
// TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set,
|
|||
|
// then this field contains the time left before the shutdown
|
|||
|
// becomes irreversible.
|
|||
|
//
|
|||
|
// This field is ignored for set operations.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type corresponds to the PolicyAuditEventsInformation
|
|||
|
// information class. It is used to represent information relating to
|
|||
|
// the audit requirements.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_AUDIT_EVENTS_INFO {
|
|||
|
|
|||
|
BOOLEAN AuditingMode;
|
|||
|
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
|
|||
|
ULONG MaximumAuditEventCount;
|
|||
|
|
|||
|
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// AuditingMode - A Boolean variable specifying the Auditing Mode value.
|
|||
|
// This value is interpreted as follows:
|
|||
|
//
|
|||
|
// TRUE - Auditing is to be enabled (set operations) or is enabled
|
|||
|
// (query operations). Audit Records will be generated according
|
|||
|
// to the Event Auditing Options in effect (see the
|
|||
|
// EventAuditingOptions field.
|
|||
|
//
|
|||
|
// FALSE - Auditing is to be disabled (set operations) or is
|
|||
|
// disabled (query operations). No Audit Records will be
|
|||
|
// generated. Note that for set operations the Event Auditing
|
|||
|
// Options in effect will still be updated as specified by the
|
|||
|
// EventAuditingOptions field whether Auditing is enabled or
|
|||
|
// disabled.
|
|||
|
//
|
|||
|
// EventAuditingOptions - Pointer to an array of Auditing Options
|
|||
|
// indexed by Audit Event Type.
|
|||
|
//
|
|||
|
// MaximumAuditEventCount - Specifiesa count of the number of Audit
|
|||
|
// Event Types specified by the EventAuditingOptions parameter. If
|
|||
|
// this count is less than the number of Audit Event Types supported
|
|||
|
// by the system, the Auditing Options for Event Types with IDs
|
|||
|
// higher than (MaximumAuditEventCount + 1) are left unchanged.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyAccountDomainInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_ACCOUNT_DOMAIN_INFO {
|
|||
|
|
|||
|
LSA_UNICODE_STRING DomainName;
|
|||
|
PSID DomainSid;
|
|||
|
|
|||
|
} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// DomainName - Is the name of the domain
|
|||
|
//
|
|||
|
// DomainSid - Is the Sid of the domain
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyPrimaryDomainInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_PRIMARY_DOMAIN_INFO {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
PSID Sid;
|
|||
|
|
|||
|
} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// Name - Is the name of the domain
|
|||
|
//
|
|||
|
// Sid - Is the Sid of the domain
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyDnsDomainInformation
|
|||
|
// information class
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_DNS_DOMAIN_INFO
|
|||
|
{
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
LSA_UNICODE_STRING DnsDomainName;
|
|||
|
LSA_UNICODE_STRING DnsForestName;
|
|||
|
GUID DomainGuid;
|
|||
|
PSID Sid;
|
|||
|
|
|||
|
} POLICY_DNS_DOMAIN_INFO, *PPOLICY_DNS_DOMAIN_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// Name - Is the name of the Domain
|
|||
|
//
|
|||
|
// DnsDomainName - Is the DNS name of the domain
|
|||
|
//
|
|||
|
// DnsForestName - Is the DNS forest name of the domain
|
|||
|
//
|
|||
|
// DomainGuid - Is the GUID of the domain
|
|||
|
//
|
|||
|
// Sid - Is the Sid of the domain
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyPdAccountInformation
|
|||
|
// information class. This structure may be used in Query operations
|
|||
|
// only.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_PD_ACCOUNT_INFO {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
|
|||
|
} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// Name - Is the name of an account in the domain that should be used
|
|||
|
// for authentication and name/ID lookup requests.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyLsaServerRoleInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_LSA_SERVER_ROLE_INFO {
|
|||
|
|
|||
|
POLICY_LSA_SERVER_ROLE LsaServerRole;
|
|||
|
|
|||
|
} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO;
|
|||
|
|
|||
|
// where the fields have the following usage:
|
|||
|
//
|
|||
|
// TBS
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyReplicaSourceInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_REPLICA_SOURCE_INFO {
|
|||
|
|
|||
|
LSA_UNICODE_STRING ReplicaSource;
|
|||
|
LSA_UNICODE_STRING ReplicaAccountName;
|
|||
|
|
|||
|
} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyDefaultQuotaInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_DEFAULT_QUOTA_INFO {
|
|||
|
|
|||
|
QUOTA_LIMITS QuotaLimits;
|
|||
|
|
|||
|
} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyModificationInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_MODIFICATION_INFO {
|
|||
|
|
|||
|
LARGE_INTEGER ModifiedId;
|
|||
|
LARGE_INTEGER DatabaseCreationTime;
|
|||
|
|
|||
|
} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// ModifiedId - Is a 64-bit unsigned integer that is incremented each
|
|||
|
// time anything in the LSA database is modified. This value is
|
|||
|
// only modified on Primary Domain Controllers.
|
|||
|
//
|
|||
|
// DatabaseCreationTime - Is the date/time that the LSA Database was
|
|||
|
// created. On Backup Domain Controllers, this value is replicated
|
|||
|
// from the Primary Domain Controller.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following structure type corresponds to the PolicyAuditFullSetInformation
|
|||
|
// Information Class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_AUDIT_FULL_SET_INFO {
|
|||
|
|
|||
|
BOOLEAN ShutDownOnFull;
|
|||
|
|
|||
|
} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO;
|
|||
|
|
|||
|
//
|
|||
|
// The following structure type corresponds to the PolicyAuditFullQueryInformation
|
|||
|
// Information Class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_AUDIT_FULL_QUERY_INFO {
|
|||
|
|
|||
|
BOOLEAN ShutDownOnFull;
|
|||
|
BOOLEAN LogIsFull;
|
|||
|
|
|||
|
} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO;
|
|||
|
|
|||
|
//
|
|||
|
// The following data type defines the classes of Policy Information
|
|||
|
// that may be queried/set that has domain wide effect.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _POLICY_DOMAIN_INFORMATION_CLASS {
|
|||
|
|
|||
|
// PolicyDomainQualityOfServiceInformation, // value was used in W2K; no longer supported
|
|||
|
PolicyDomainEfsInformation = 2,
|
|||
|
PolicyDomainKerberosTicketInformation
|
|||
|
|
|||
|
} POLICY_DOMAIN_INFORMATION_CLASS, *PPOLICY_DOMAIN_INFORMATION_CLASS;
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// QualityOfService information. Corresponds to PolicyDomainQualityOfServiceInformation
|
|||
|
//
|
|||
|
|
|||
|
#define POLICY_QOS_SCHANNEL_REQUIRED 0x00000001
|
|||
|
#define POLICY_QOS_OUTBOUND_INTEGRITY 0x00000002
|
|||
|
#define POLICY_QOS_OUTBOUND_CONFIDENTIALITY 0x00000004
|
|||
|
#define POLICY_QOS_INBOUND_INTEGRITY 0x00000008
|
|||
|
#define POLICY_QOS_INBOUND_CONFIDENTIALITY 0x00000010
|
|||
|
#define POLICY_QOS_ALLOW_LOCAL_ROOT_CERT_STORE 0x00000020
|
|||
|
#define POLICY_QOS_RAS_SERVER_ALLOWED 0x00000040
|
|||
|
#define POLICY_QOS_DHCP_SERVER_ALLOWED 0x00000080
|
|||
|
|
|||
|
//
|
|||
|
// Bits 0x00000100 through 0xFFFFFFFF are reserved for future use.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyEfsInformation
|
|||
|
// information class
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _POLICY_DOMAIN_EFS_INFO {
|
|||
|
|
|||
|
ULONG InfoLength;
|
|||
|
PUCHAR EfsBlob;
|
|||
|
|
|||
|
} POLICY_DOMAIN_EFS_INFO, *PPOLICY_DOMAIN_EFS_INFO;
|
|||
|
|
|||
|
// where the members have the following usage:
|
|||
|
//
|
|||
|
// InfoLength - Length of the EFS Information blob
|
|||
|
//
|
|||
|
// EfsBlob - Efs blob data
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following structure corresponds to the PolicyDomainKerberosTicketInformation
|
|||
|
// information class
|
|||
|
|
|||
|
#define POLICY_KERBEROS_VALIDATE_CLIENT 0x00000080
|
|||
|
|
|||
|
|
|||
|
typedef struct _POLICY_DOMAIN_KERBEROS_TICKET_INFO {
|
|||
|
|
|||
|
ULONG AuthenticationOptions;
|
|||
|
LARGE_INTEGER MaxServiceTicketAge;
|
|||
|
LARGE_INTEGER MaxTicketAge;
|
|||
|
LARGE_INTEGER MaxRenewAge;
|
|||
|
LARGE_INTEGER MaxClockSkew;
|
|||
|
LARGE_INTEGER Reserved;
|
|||
|
} POLICY_DOMAIN_KERBEROS_TICKET_INFO, *PPOLICY_DOMAIN_KERBEROS_TICKET_INFO;
|
|||
|
|
|||
|
//
|
|||
|
// where the members have the following usage
|
|||
|
//
|
|||
|
// AuthenticationOptions -- allowed ticket options (POLICY_KERBEROS_* flags )
|
|||
|
//
|
|||
|
// MaxServiceTicketAge -- Maximum lifetime for a service ticket
|
|||
|
//
|
|||
|
// MaxTicketAge -- Maximum lifetime for the initial ticket
|
|||
|
//
|
|||
|
// MaxRenewAge -- Maximum cumulative age a renewable ticket can be with
|
|||
|
// requring authentication
|
|||
|
//
|
|||
|
// MaxClockSkew -- Maximum tolerance for synchronization of computer clocks
|
|||
|
//
|
|||
|
// Reserved -- Reserved
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type defines the classes of Policy Information / Policy Domain Information
|
|||
|
// that may be used to request notification
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _POLICY_NOTIFICATION_INFORMATION_CLASS {
|
|||
|
|
|||
|
PolicyNotifyAuditEventsInformation = 1,
|
|||
|
PolicyNotifyAccountDomainInformation,
|
|||
|
PolicyNotifyServerRoleInformation,
|
|||
|
PolicyNotifyDnsDomainInformation,
|
|||
|
PolicyNotifyDomainEfsInformation,
|
|||
|
PolicyNotifyDomainKerberosTicketInformation,
|
|||
|
PolicyNotifyMachineAccountPasswordInformation
|
|||
|
|
|||
|
} POLICY_NOTIFICATION_INFORMATION_CLASS, *PPOLICY_NOTIFICATION_INFORMATION_CLASS;
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Account object type-specific Access Types
|
|||
|
//
|
|||
|
|
|||
|
#define ACCOUNT_VIEW 0x00000001L
|
|||
|
#define ACCOUNT_ADJUST_PRIVILEGES 0x00000002L
|
|||
|
#define ACCOUNT_ADJUST_QUOTAS 0x00000004L
|
|||
|
#define ACCOUNT_ADJUST_SYSTEM_ACCESS 0x00000008L
|
|||
|
|
|||
|
#define ACCOUNT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
|
|||
|
ACCOUNT_VIEW |\
|
|||
|
ACCOUNT_ADJUST_PRIVILEGES |\
|
|||
|
ACCOUNT_ADJUST_QUOTAS |\
|
|||
|
ACCOUNT_ADJUST_SYSTEM_ACCESS)
|
|||
|
|
|||
|
#define ACCOUNT_READ (STANDARD_RIGHTS_READ |\
|
|||
|
ACCOUNT_VIEW)
|
|||
|
|
|||
|
#define ACCOUNT_WRITE (STANDARD_RIGHTS_WRITE |\
|
|||
|
ACCOUNT_ADJUST_PRIVILEGES |\
|
|||
|
ACCOUNT_ADJUST_QUOTAS |\
|
|||
|
ACCOUNT_ADJUST_SYSTEM_ACCESS)
|
|||
|
|
|||
|
#define ACCOUNT_EXECUTE (STANDARD_RIGHTS_EXECUTE)
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// LSA RPC Context Handle (Opaque form). Note that a Context Handle is
|
|||
|
// always a pointer type unlike regular handles.
|
|||
|
//
|
|||
|
|
|||
|
typedef PVOID LSA_HANDLE, *PLSA_HANDLE;
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Trusted Domain object specific access types
|
|||
|
//
|
|||
|
|
|||
|
#define TRUSTED_QUERY_DOMAIN_NAME 0x00000001L
|
|||
|
#define TRUSTED_QUERY_CONTROLLERS 0x00000002L
|
|||
|
#define TRUSTED_SET_CONTROLLERS 0x00000004L
|
|||
|
#define TRUSTED_QUERY_POSIX 0x00000008L
|
|||
|
#define TRUSTED_SET_POSIX 0x00000010L
|
|||
|
#define TRUSTED_SET_AUTH 0x00000020L
|
|||
|
#define TRUSTED_QUERY_AUTH 0x00000040L
|
|||
|
|
|||
|
|
|||
|
#define TRUSTED_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
|
|||
|
TRUSTED_QUERY_DOMAIN_NAME |\
|
|||
|
TRUSTED_QUERY_CONTROLLERS |\
|
|||
|
TRUSTED_SET_CONTROLLERS |\
|
|||
|
TRUSTED_QUERY_POSIX |\
|
|||
|
TRUSTED_SET_POSIX |\
|
|||
|
TRUSTED_SET_AUTH |\
|
|||
|
TRUSTED_QUERY_AUTH)
|
|||
|
|
|||
|
#define TRUSTED_READ (STANDARD_RIGHTS_READ |\
|
|||
|
TRUSTED_QUERY_DOMAIN_NAME)
|
|||
|
|
|||
|
#define TRUSTED_WRITE (STANDARD_RIGHTS_WRITE |\
|
|||
|
TRUSTED_SET_CONTROLLERS |\
|
|||
|
TRUSTED_SET_POSIX |\
|
|||
|
TRUSTED_SET_AUTH )
|
|||
|
|
|||
|
#define TRUSTED_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
|
|||
|
TRUSTED_QUERY_CONTROLLERS |\
|
|||
|
TRUSTED_QUERY_POSIX)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Trusted Domain Object specific data types
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// This data type defines the following information classes that may be
|
|||
|
// queried or set.
|
|||
|
//
|
|||
|
|
|||
|
typedef enum _TRUSTED_INFORMATION_CLASS {
|
|||
|
|
|||
|
TrustedDomainNameInformation = 1,
|
|||
|
TrustedControllersInformation,
|
|||
|
TrustedPosixOffsetInformation,
|
|||
|
TrustedPasswordInformation,
|
|||
|
TrustedDomainInformationBasic,
|
|||
|
TrustedDomainInformationEx,
|
|||
|
TrustedDomainAuthInformation,
|
|||
|
TrustedDomainFullInformation,
|
|||
|
TrustedDomainAuthInformationInternal,
|
|||
|
TrustedDomainFullInformationInternal,
|
|||
|
TrustedDomainInformationEx2Internal,
|
|||
|
TrustedDomainFullInformation2Internal,
|
|||
|
|
|||
|
} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS;
|
|||
|
|
|||
|
//
|
|||
|
// The following data type corresponds to the TrustedDomainNameInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _TRUSTED_DOMAIN_NAME_INFO {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
|
|||
|
} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO;
|
|||
|
|
|||
|
// where members have the following meaning:
|
|||
|
//
|
|||
|
// Name - The name of the Trusted Domain.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following data type corresponds to the TrustedControllersInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _TRUSTED_CONTROLLERS_INFO {
|
|||
|
|
|||
|
ULONG Entries;
|
|||
|
PLSA_UNICODE_STRING Names;
|
|||
|
|
|||
|
} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO;
|
|||
|
|
|||
|
// where members have the following meaning:
|
|||
|
//
|
|||
|
// Entries - Indicate how mamy entries there are in the Names array.
|
|||
|
//
|
|||
|
// Names - Pointer to an array of LSA_UNICODE_STRING structures containing the
|
|||
|
// names of domain controllers of the domain. This information may not
|
|||
|
// be accurate and should be used only as a hint. The order of this
|
|||
|
// list is considered significant and will be maintained.
|
|||
|
//
|
|||
|
// By convention, the first name in this list is assumed to be the
|
|||
|
// Primary Domain Controller of the domain. If the Primary Domain
|
|||
|
// Controller is not known, the first name should be set to the NULL
|
|||
|
// string.
|
|||
|
//
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// The following data type corresponds to the TrustedPosixOffsetInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _TRUSTED_POSIX_OFFSET_INFO {
|
|||
|
|
|||
|
ULONG Offset;
|
|||
|
|
|||
|
} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO;
|
|||
|
|
|||
|
// where members have the following meaning:
|
|||
|
//
|
|||
|
// Offset - Is an offset to use for the generation of Posix user and group
|
|||
|
// IDs from SIDs. The Posix ID corresponding to any particular SID is
|
|||
|
// generated by adding the RID of that SID to the Offset of the SID's
|
|||
|
// corresponding TrustedDomain object.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// The following data type corresponds to the TrustedPasswordInformation
|
|||
|
// information class.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _TRUSTED_PASSWORD_INFO {
|
|||
|
LSA_UNICODE_STRING Password;
|
|||
|
LSA_UNICODE_STRING OldPassword;
|
|||
|
} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO;
|
|||
|
|
|||
|
|
|||
|
typedef LSA_TRUST_INFORMATION TRUSTED_DOMAIN_INFORMATION_BASIC;
|
|||
|
|
|||
|
typedef PLSA_TRUST_INFORMATION PTRUSTED_DOMAIN_INFORMATION_BASIC;
|
|||
|
|
|||
|
//
|
|||
|
// Direction of the trust
|
|||
|
//
|
|||
|
#define TRUST_DIRECTION_DISABLED 0x00000000
|
|||
|
#define TRUST_DIRECTION_INBOUND 0x00000001
|
|||
|
#define TRUST_DIRECTION_OUTBOUND 0x00000002
|
|||
|
#define TRUST_DIRECTION_BIDIRECTIONAL (TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND)
|
|||
|
|
|||
|
#define TRUST_TYPE_DOWNLEVEL 0x00000001 // NT4 and before
|
|||
|
#define TRUST_TYPE_UPLEVEL 0x00000002 // NT5
|
|||
|
#define TRUST_TYPE_MIT 0x00000003 // Trust with a MIT Kerberos realm
|
|||
|
#define TRUST_TYPE_DCE 0x00000004 // Trust with a DCE realm
|
|||
|
// Levels 0x5 - 0x000FFFFF reserved for future use
|
|||
|
// Provider specific trust levels are from 0x00100000 to 0xFFF00000
|
|||
|
|
|||
|
#define TRUST_ATTRIBUTE_NON_TRANSITIVE 0x00000001 // Disallow transitivity
|
|||
|
#define TRUST_ATTRIBUTE_UPLEVEL_ONLY 0x00000002 // Trust link only valid for uplevel client
|
|||
|
#define TRUST_ATTRIBUTE_FILTER_SIDS 0x00000004 // Used to quarantine domains
|
|||
|
#define TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0x00000008 // This link may contain forest trust information
|
|||
|
// Trust attributes 0x00000010 through 0x00200000 are reserved for future use
|
|||
|
// Trust attributes 0x00400000 through 0x00800000 were used previously (up to W2K) and should not be re-used
|
|||
|
// Trust attributes 0x01000000 through 0x80000000 are reserved for user
|
|||
|
#define TRUST_ATTRIBUTES_VALID 0xFF03FFFF
|
|||
|
#define TRUST_ATTRIBUTES_USER 0xFF000000
|
|||
|
|
|||
|
typedef struct _TRUSTED_DOMAIN_INFORMATION_EX {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
LSA_UNICODE_STRING FlatName;
|
|||
|
PSID Sid;
|
|||
|
ULONG TrustDirection;
|
|||
|
ULONG TrustType;
|
|||
|
ULONG TrustAttributes;
|
|||
|
|
|||
|
} TRUSTED_DOMAIN_INFORMATION_EX, *PTRUSTED_DOMAIN_INFORMATION_EX;
|
|||
|
|
|||
|
typedef struct _TRUSTED_DOMAIN_INFORMATION_EX2 {
|
|||
|
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
LSA_UNICODE_STRING FlatName;
|
|||
|
PSID Sid;
|
|||
|
ULONG TrustDirection;
|
|||
|
ULONG TrustType;
|
|||
|
ULONG TrustAttributes;
|
|||
|
ULONG ForestTrustLength;
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[size_is( ForestTrustLength )]
|
|||
|
#endif
|
|||
|
PUCHAR ForestTrustInfo;
|
|||
|
|
|||
|
} TRUSTED_DOMAIN_INFORMATION_EX2, *PTRUSTED_DOMAIN_INFORMATION_EX2;
|
|||
|
|
|||
|
//
|
|||
|
// Type of authentication information
|
|||
|
//
|
|||
|
#define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry
|
|||
|
#define TRUST_AUTH_TYPE_NT4OWF 1 // NT4 OWF password
|
|||
|
#define TRUST_AUTH_TYPE_CLEAR 2 // Cleartext password
|
|||
|
#define TRUST_AUTH_TYPE_VERSION 3 // Cleartext password version number
|
|||
|
|
|||
|
typedef struct _LSA_AUTH_INFORMATION {
|
|||
|
|
|||
|
LARGE_INTEGER LastUpdateTime;
|
|||
|
ULONG AuthType;
|
|||
|
ULONG AuthInfoLength;
|
|||
|
PUCHAR AuthInfo;
|
|||
|
} LSA_AUTH_INFORMATION, *PLSA_AUTH_INFORMATION;
|
|||
|
|
|||
|
typedef struct _TRUSTED_DOMAIN_AUTH_INFORMATION {
|
|||
|
|
|||
|
ULONG IncomingAuthInfos;
|
|||
|
PLSA_AUTH_INFORMATION IncomingAuthenticationInformation;
|
|||
|
PLSA_AUTH_INFORMATION IncomingPreviousAuthenticationInformation;
|
|||
|
ULONG OutgoingAuthInfos;
|
|||
|
PLSA_AUTH_INFORMATION OutgoingAuthenticationInformation;
|
|||
|
PLSA_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation;
|
|||
|
|
|||
|
} TRUSTED_DOMAIN_AUTH_INFORMATION, *PTRUSTED_DOMAIN_AUTH_INFORMATION;
|
|||
|
|
|||
|
typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION {
|
|||
|
|
|||
|
TRUSTED_DOMAIN_INFORMATION_EX Information;
|
|||
|
TRUSTED_POSIX_OFFSET_INFO PosixOffset;
|
|||
|
TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation;
|
|||
|
|
|||
|
} TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION;
|
|||
|
|
|||
|
typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION2 {
|
|||
|
|
|||
|
TRUSTED_DOMAIN_INFORMATION_EX2 Information;
|
|||
|
TRUSTED_POSIX_OFFSET_INFO PosixOffset;
|
|||
|
TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation;
|
|||
|
|
|||
|
} TRUSTED_DOMAIN_FULL_INFORMATION2, *PTRUSTED_DOMAIN_FULL_INFORMATION2;
|
|||
|
|
|||
|
typedef enum {
|
|||
|
|
|||
|
ForestTrustTopLevelName,
|
|||
|
ForestTrustTopLevelNameEx,
|
|||
|
ForestTrustDomainInfo,
|
|||
|
ForestTrustRecordTypeLast = ForestTrustDomainInfo
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_RECORD_TYPE;
|
|||
|
|
|||
|
#define LSA_FOREST_TRUST_RECORD_TYPE_UNRECOGNIZED 0x80000000
|
|||
|
|
|||
|
//
|
|||
|
// Bottom 16 bits of the flags are reserved for disablement reasons
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_FTRECORD_DISABLED_REASONS ( 0x0000FFFFL )
|
|||
|
|
|||
|
//
|
|||
|
// Reasons for a top-level name forest trust record to be disabled
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_TLN_DISABLED_NEW ( 0x00000001L )
|
|||
|
#define LSA_TLN_DISABLED_ADMIN ( 0x00000002L )
|
|||
|
#define LSA_TLN_DISABLED_CONFLICT ( 0x00000004L )
|
|||
|
|
|||
|
//
|
|||
|
// Reasons for a domain information forest trust record to be disabled
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_SID_DISABLED_ADMIN ( 0x00000001L )
|
|||
|
#define LSA_SID_DISABLED_CONFLICT ( 0x00000002L )
|
|||
|
#define LSA_NB_DISABLED_ADMIN ( 0x00000004L )
|
|||
|
#define LSA_NB_DISABLED_CONFLICT ( 0x00000008L )
|
|||
|
|
|||
|
typedef struct _LSA_FOREST_TRUST_DOMAIN_INFO {
|
|||
|
|
|||
|
#ifdef MIDL_PASS
|
|||
|
PISID Sid;
|
|||
|
#else
|
|||
|
PSID Sid;
|
|||
|
#endif
|
|||
|
LSA_UNICODE_STRING DnsName;
|
|||
|
LSA_UNICODE_STRING NetbiosName;
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_DOMAIN_INFO, *PLSA_FOREST_TRUST_DOMAIN_INFO;
|
|||
|
|
|||
|
typedef struct _LSA_FOREST_TRUST_BINARY_DATA {
|
|||
|
|
|||
|
ULONG Length;
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[size_is( Length )]
|
|||
|
#endif
|
|||
|
PUCHAR Buffer;
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_BINARY_DATA, *PLSA_FOREST_TRUST_BINARY_DATA;
|
|||
|
|
|||
|
typedef struct _LSA_FOREST_TRUST_RECORD {
|
|||
|
|
|||
|
ULONG Flags;
|
|||
|
LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType; // type of record
|
|||
|
LARGE_INTEGER Time;
|
|||
|
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[switch_type( LSA_FOREST_TRUST_RECORD_TYPE ), switch_is( ForestTrustType )]
|
|||
|
#endif
|
|||
|
|
|||
|
union { // actual data
|
|||
|
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[case( ForestTrustTopLevelName,
|
|||
|
ForestTrustTopLevelNameEx )] LSA_UNICODE_STRING TopLevelName;
|
|||
|
[case( ForestTrustDomainInfo )] LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo;
|
|||
|
[default] LSA_FOREST_TRUST_BINARY_DATA Data;
|
|||
|
#else
|
|||
|
LSA_UNICODE_STRING TopLevelName;
|
|||
|
LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo;
|
|||
|
LSA_FOREST_TRUST_BINARY_DATA Data; // used for unrecognized types
|
|||
|
#endif
|
|||
|
} ForestTrustData;
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_RECORD, *PLSA_FOREST_TRUST_RECORD;
|
|||
|
|
|||
|
typedef struct _LSA_FOREST_TRUST_INFORMATION {
|
|||
|
|
|||
|
ULONG RecordCount;
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[size_is( RecordCount )]
|
|||
|
#endif
|
|||
|
PLSA_FOREST_TRUST_RECORD * Entries;
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_INFORMATION, *PLSA_FOREST_TRUST_INFORMATION;
|
|||
|
|
|||
|
typedef enum {
|
|||
|
|
|||
|
CollisionTdo,
|
|||
|
CollisionXref,
|
|||
|
CollisionOther
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_COLLISION_RECORD_TYPE;
|
|||
|
|
|||
|
typedef struct _LSA_FOREST_TRUST_COLLISION_RECORD {
|
|||
|
|
|||
|
ULONG Index;
|
|||
|
LSA_FOREST_TRUST_COLLISION_RECORD_TYPE Type;
|
|||
|
ULONG Flags;
|
|||
|
LSA_UNICODE_STRING Name;
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_COLLISION_RECORD, *PLSA_FOREST_TRUST_COLLISION_RECORD;
|
|||
|
|
|||
|
typedef struct _LSA_FOREST_TRUST_COLLISION_INFORMATION {
|
|||
|
|
|||
|
ULONG RecordCount;
|
|||
|
#ifdef MIDL_PASS
|
|||
|
[size_is( RecordCount )]
|
|||
|
#endif
|
|||
|
PLSA_FOREST_TRUST_COLLISION_RECORD * Entries;
|
|||
|
|
|||
|
} LSA_FOREST_TRUST_COLLISION_INFORMATION, *PLSA_FOREST_TRUST_COLLISION_INFORMATION;
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Secret object specific access types
|
|||
|
//
|
|||
|
|
|||
|
#define SECRET_SET_VALUE 0x00000001L
|
|||
|
#define SECRET_QUERY_VALUE 0x00000002L
|
|||
|
|
|||
|
#define SECRET_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
|
|||
|
SECRET_SET_VALUE |\
|
|||
|
SECRET_QUERY_VALUE)
|
|||
|
|
|||
|
#define SECRET_READ (STANDARD_RIGHTS_READ |\
|
|||
|
SECRET_QUERY_VALUE)
|
|||
|
|
|||
|
#define SECRET_WRITE (STANDARD_RIGHTS_WRITE |\
|
|||
|
SECRET_SET_VALUE)
|
|||
|
|
|||
|
#define SECRET_EXECUTE (STANDARD_RIGHTS_EXECUTE)
|
|||
|
|
|||
|
//
|
|||
|
// Global secret object prefix
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_GLOBAL_SECRET_PREFIX L"G$"
|
|||
|
#define LSA_GLOBAL_SECRET_PREFIX_LENGTH 2
|
|||
|
|
|||
|
#define LSA_LOCAL_SECRET_PREFIX L"L$"
|
|||
|
#define LSA_LOCAL_SECRET_PREFIX_LENGTH 2
|
|||
|
|
|||
|
#define LSA_MACHINE_SECRET_PREFIX L"M$"
|
|||
|
#define LSA_MACHINE_SECRET_PREFIX_LENGTH \
|
|||
|
( ( sizeof( LSA_MACHINE_SECRET_PREFIX ) - sizeof( WCHAR ) ) / sizeof( WCHAR ) )
|
|||
|
|
|||
|
//
|
|||
|
// Secret object specific data types.
|
|||
|
//
|
|||
|
|
|||
|
//
|
|||
|
// Secret object limits
|
|||
|
//
|
|||
|
|
|||
|
#define LSA_SECRET_MAXIMUM_COUNT 0x00001000L
|
|||
|
#define LSA_SECRET_MAXIMUM_LENGTH 0x00000200L
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// LSA Enumeration Context
|
|||
|
//
|
|||
|
|
|||
|
typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE;
|
|||
|
|
|||
|
//
|
|||
|
// LSA Enumeration Information
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _LSA_ENUMERATION_INFORMATION {
|
|||
|
|
|||
|
PSID Sid;
|
|||
|
|
|||
|
} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
|
|||
|
|
|||
|
|
|||
|
////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Miscellaneous API function prototypes //
|
|||
|
// //
|
|||
|
////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaFreeMemory(
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaClose(
|
|||
|
IN LSA_HANDLE ObjectHandle
|
|||
|
);
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaDelete(
|
|||
|
IN LSA_HANDLE ObjectHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQuerySecurityObject(
|
|||
|
IN LSA_HANDLE ObjectHandle,
|
|||
|
IN SECURITY_INFORMATION SecurityInformation,
|
|||
|
OUT PSECURITY_DESCRIPTOR *SecurityDescriptor
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetSecurityObject(
|
|||
|
IN LSA_HANDLE ObjectHandle,
|
|||
|
IN SECURITY_INFORMATION SecurityInformation,
|
|||
|
IN PSECURITY_DESCRIPTOR SecurityDescriptor
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaChangePassword(
|
|||
|
IN PLSA_UNICODE_STRING ServerName,
|
|||
|
IN PLSA_UNICODE_STRING DomainName,
|
|||
|
IN PLSA_UNICODE_STRING AccountName,
|
|||
|
IN PLSA_UNICODE_STRING OldPassword,
|
|||
|
IN PLSA_UNICODE_STRING NewPassword
|
|||
|
);
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
typedef struct _SECURITY_LOGON_SESSION_DATA {
|
|||
|
ULONG Size ;
|
|||
|
LUID LogonId ;
|
|||
|
LSA_UNICODE_STRING UserName ;
|
|||
|
LSA_UNICODE_STRING LogonDomain ;
|
|||
|
LSA_UNICODE_STRING AuthenticationPackage ;
|
|||
|
ULONG LogonType ;
|
|||
|
ULONG Session ;
|
|||
|
PSID Sid ;
|
|||
|
LARGE_INTEGER LogonTime ;
|
|||
|
|
|||
|
//
|
|||
|
// new for whistler:
|
|||
|
//
|
|||
|
|
|||
|
LSA_UNICODE_STRING LogonServer ;
|
|||
|
LSA_UNICODE_STRING DnsDomainName ;
|
|||
|
LSA_UNICODE_STRING Upn ;
|
|||
|
} SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA ;
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumerateLogonSessions(
|
|||
|
OUT PULONG LogonSessionCount,
|
|||
|
OUT PLUID * LogonSessionList
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaGetLogonSessionData(
|
|||
|
IN PLUID LogonId,
|
|||
|
OUT PSECURITY_LOGON_SESSION_DATA * ppLogonSessionData
|
|||
|
);
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Policy Object API function prototypes //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaOpenPolicy(
|
|||
|
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
|
|||
|
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN OUT PLSA_HANDLE PolicyHandle
|
|||
|
);
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaOpenPolicySce(
|
|||
|
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
|
|||
|
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
IN OUT PLSA_HANDLE PolicyHandle
|
|||
|
);
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQueryInformationPolicy(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN POLICY_INFORMATION_CLASS InformationClass,
|
|||
|
OUT PVOID *Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetInformationPolicy(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN POLICY_INFORMATION_CLASS InformationClass,
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQueryDomainInformationPolicy(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass,
|
|||
|
OUT PVOID *Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetDomainInformationPolicy(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass,
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaRegisterPolicyChangeNotification(
|
|||
|
IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass,
|
|||
|
IN HANDLE NotificationEventHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaUnregisterPolicyChangeNotification(
|
|||
|
IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass,
|
|||
|
IN HANDLE NotificationEventHandle
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaClearAuditLog(
|
|||
|
IN LSA_HANDLE PolicyHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaCreateAccount(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID AccountSid,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE AccountHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumerateAccounts(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
|
|||
|
OUT PVOID *EnumerationBuffer,
|
|||
|
IN ULONG PreferedMaximumLength,
|
|||
|
OUT PULONG CountReturned
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaCreateTrustedDomain(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_TRUST_INFORMATION TrustedDomainInformation,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE TrustedDomainHandle
|
|||
|
);
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumerateTrustedDomains(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
|
|||
|
OUT PVOID *Buffer,
|
|||
|
IN ULONG PreferedMaximumLength,
|
|||
|
OUT PULONG CountReturned
|
|||
|
);
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumeratePrivileges(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
|
|||
|
OUT PVOID *Buffer,
|
|||
|
IN ULONG PreferedMaximumLength,
|
|||
|
OUT PULONG CountReturned
|
|||
|
);
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupNames(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN ULONG Count,
|
|||
|
IN PLSA_UNICODE_STRING Names,
|
|||
|
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
|||
|
OUT PLSA_TRANSLATED_SID *Sids
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupNames2(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN ULONG Flags, // Reserved
|
|||
|
IN ULONG Count,
|
|||
|
IN PLSA_UNICODE_STRING Names,
|
|||
|
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
|||
|
OUT PLSA_TRANSLATED_SID2 *Sids
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupSids(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN ULONG Count,
|
|||
|
IN PSID *Sids,
|
|||
|
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
|
|||
|
OUT PLSA_TRANSLATED_NAME *Names
|
|||
|
);
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaCreateSecret(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING SecretName,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE SecretHandle
|
|||
|
);
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Account Object API function prototypes //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaOpenAccount(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID AccountSid,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE AccountHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumeratePrivilegesOfAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
OUT PPRIVILEGE_SET *Privileges
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaAddPrivilegesToAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
IN PPRIVILEGE_SET Privileges
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaRemovePrivilegesFromAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
IN BOOLEAN AllPrivileges,
|
|||
|
IN PPRIVILEGE_SET Privileges
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaGetQuotasForAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
OUT PQUOTA_LIMITS QuotaLimits
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetQuotasForAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
IN PQUOTA_LIMITS QuotaLimits
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaGetSystemAccessAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
OUT PULONG SystemAccess
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetSystemAccessAccount(
|
|||
|
IN LSA_HANDLE AccountHandle,
|
|||
|
IN ULONG SystemAccess
|
|||
|
);
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Trusted Domain Object API function prototypes //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaOpenTrustedDomain(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID TrustedDomainSid,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE TrustedDomainHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQueryInfoTrustedDomain(
|
|||
|
IN LSA_HANDLE TrustedDomainHandle,
|
|||
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|||
|
OUT PVOID *Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetInformationTrustedDomain(
|
|||
|
IN LSA_HANDLE TrustedDomainHandle,
|
|||
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Secret Object API function prototypes //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaOpenSecret(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING SecretName,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE SecretHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetSecret(
|
|||
|
IN LSA_HANDLE SecretHandle,
|
|||
|
IN OPTIONAL PLSA_UNICODE_STRING CurrentValue,
|
|||
|
IN OPTIONAL PLSA_UNICODE_STRING OldValue
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQuerySecret(
|
|||
|
IN LSA_HANDLE SecretHandle,
|
|||
|
OUT OPTIONAL PLSA_UNICODE_STRING *CurrentValue,
|
|||
|
OUT OPTIONAL PLARGE_INTEGER CurrentValueSetTime,
|
|||
|
OUT OPTIONAL PLSA_UNICODE_STRING *OldValue,
|
|||
|
OUT OPTIONAL PLARGE_INTEGER OldValueSetTime
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Privilege Object API Prototypes //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupPrivilegeValue(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING Name,
|
|||
|
OUT PLUID Value
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupPrivilegeName(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLUID Value,
|
|||
|
OUT PLSA_UNICODE_STRING *Name
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaLookupPrivilegeDisplayName(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING Name,
|
|||
|
OUT PLSA_UNICODE_STRING *DisplayName,
|
|||
|
OUT PSHORT LanguageReturned
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - New APIs for NT 4.0 (SUR release) //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
LsaGetUserName(
|
|||
|
OUT PLSA_UNICODE_STRING * UserName,
|
|||
|
OUT OPTIONAL PLSA_UNICODE_STRING * DomainName
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
LsaGetRemoteUserName(
|
|||
|
IN OPTIONAL PLSA_UNICODE_STRING SystemName,
|
|||
|
OUT PLSA_UNICODE_STRING * UserName,
|
|||
|
OUT OPTIONAL PLSA_UNICODE_STRING * DomainName
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - New APIs for NT 3.51 (PPC release) //
|
|||
|
// //
|
|||
|
/////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
// begin_ntsecapi
|
|||
|
|
|||
|
|
|||
|
#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
|
|||
|
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
|
|||
|
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
|
|||
|
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
|
|||
|
#define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
|
|||
|
#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
|
|||
|
#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
|
|||
|
#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
|
|||
|
#define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight")
|
|||
|
#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight")
|
|||
|
|
|||
|
//
|
|||
|
// This new API returns all the accounts with a certain privilege
|
|||
|
//
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumerateAccountsWithUserRight(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN OPTIONAL PLSA_UNICODE_STRING UserRights,
|
|||
|
OUT PVOID *EnumerationBuffer,
|
|||
|
OUT PULONG CountReturned
|
|||
|
);
|
|||
|
|
|||
|
//
|
|||
|
// These new APIs differ by taking a SID instead of requiring the caller
|
|||
|
// to open the account first and passing in an account handle
|
|||
|
//
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumerateAccountRights(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID AccountSid,
|
|||
|
OUT PLSA_UNICODE_STRING *UserRights,
|
|||
|
OUT PULONG CountOfRights
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaAddAccountRights(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID AccountSid,
|
|||
|
IN PLSA_UNICODE_STRING UserRights,
|
|||
|
IN ULONG CountOfRights
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaRemoveAccountRights(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID AccountSid,
|
|||
|
IN BOOLEAN AllRights,
|
|||
|
IN PLSA_UNICODE_STRING UserRights,
|
|||
|
IN ULONG CountOfRights
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
// //
|
|||
|
// Local Security Policy - Trusted Domain Object API function prototypes //
|
|||
|
// //
|
|||
|
///////////////////////////////////////////////////////////////////////////////
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaOpenTrustedDomainByName(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING TrustedDomainName,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE TrustedDomainHandle
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQueryTrustedDomainInfo(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID TrustedDomainSid,
|
|||
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|||
|
OUT PVOID *Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetTrustedDomainInformation(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID TrustedDomainSid,
|
|||
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaDeleteTrustedDomain(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PSID TrustedDomainSid
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQueryTrustedDomainInfoByName(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING TrustedDomainName,
|
|||
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|||
|
OUT PVOID *Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetTrustedDomainInfoByName(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING TrustedDomainName,
|
|||
|
IN TRUSTED_INFORMATION_CLASS InformationClass,
|
|||
|
IN PVOID Buffer
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaEnumerateTrustedDomainsEx(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
|
|||
|
OUT PVOID *Buffer,
|
|||
|
IN ULONG PreferedMaximumLength,
|
|||
|
OUT PULONG CountReturned
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaCreateTrustedDomainEx(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PTRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation,
|
|||
|
IN PTRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation,
|
|||
|
IN ACCESS_MASK DesiredAccess,
|
|||
|
OUT PLSA_HANDLE TrustedDomainHandle
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaQueryForestTrustInformation(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING TrustedDomainName,
|
|||
|
OUT PLSA_FOREST_TRUST_INFORMATION * ForestTrustInfo
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetForestTrustInformation(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING TrustedDomainName,
|
|||
|
IN PLSA_FOREST_TRUST_INFORMATION ForestTrustInfo,
|
|||
|
IN BOOLEAN CheckOnly,
|
|||
|
OUT PLSA_FOREST_TRUST_COLLISION_INFORMATION * CollisionInfo
|
|||
|
);
|
|||
|
|
|||
|
// #define TESTING_MATCHING_ROUTINE
|
|||
|
|
|||
|
#ifdef TESTING_MATCHING_ROUTINE
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaForestTrustFindMatch(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN ULONG Type,
|
|||
|
IN PLSA_UNICODE_STRING Name,
|
|||
|
OUT PLSA_UNICODE_STRING * Match
|
|||
|
);
|
|||
|
|
|||
|
#endif
|
|||
|
|
|||
|
//
|
|||
|
// This API sets the workstation password (equivalent of setting/getting
|
|||
|
// the SSI_SECRET_NAME secret)
|
|||
|
//
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaStorePrivateData(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING KeyName,
|
|||
|
IN PLSA_UNICODE_STRING PrivateData
|
|||
|
);
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaRetrievePrivateData(
|
|||
|
IN LSA_HANDLE PolicyHandle,
|
|||
|
IN PLSA_UNICODE_STRING KeyName,
|
|||
|
OUT PLSA_UNICODE_STRING * PrivateData
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
ULONG
|
|||
|
NTAPI
|
|||
|
LsaNtStatusToWinError(
|
|||
|
NTSTATUS Status
|
|||
|
);
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// Define a symbol so we can tell if ntifs.h has been included.
|
|||
|
//
|
|||
|
|
|||
|
// begin_ntifs
|
|||
|
#ifndef _NTLSA_IFS_
|
|||
|
#define _NTLSA_IFS_
|
|||
|
#endif
|
|||
|
// end_ntifs
|
|||
|
|
|||
|
|
|||
|
//
|
|||
|
// SPNEGO package stuff
|
|||
|
//
|
|||
|
|
|||
|
enum NEGOTIATE_MESSAGES {
|
|||
|
NegEnumPackagePrefixes = 0,
|
|||
|
NegGetCallerName = 1,
|
|||
|
NegCallPackageMax
|
|||
|
} ;
|
|||
|
|
|||
|
#define NEGOTIATE_MAX_PREFIX 32
|
|||
|
|
|||
|
typedef struct _NEGOTIATE_PACKAGE_PREFIX {
|
|||
|
ULONG_PTR PackageId ;
|
|||
|
PVOID PackageDataA ;
|
|||
|
PVOID PackageDataW ;
|
|||
|
ULONG_PTR PrefixLen ;
|
|||
|
UCHAR Prefix[ NEGOTIATE_MAX_PREFIX ];
|
|||
|
} NEGOTIATE_PACKAGE_PREFIX, * PNEGOTIATE_PACKAGE_PREFIX ;
|
|||
|
|
|||
|
typedef struct _NEGOTIATE_PACKAGE_PREFIXES {
|
|||
|
ULONG MessageType ;
|
|||
|
ULONG PrefixCount ;
|
|||
|
ULONG Offset ; // Offset to array of _PREFIX above
|
|||
|
} NEGOTIATE_PACKAGE_PREFIXES, *PNEGOTIATE_PACKAGE_PREFIXES ;
|
|||
|
|
|||
|
typedef struct _NEGOTIATE_CALLER_NAME_REQUEST {
|
|||
|
ULONG MessageType ;
|
|||
|
LUID LogonId ;
|
|||
|
} NEGOTIATE_CALLER_NAME_REQUEST, *PNEGOTIATE_CALLER_NAME_REQUEST ;
|
|||
|
|
|||
|
typedef struct _NEGOTIATE_CALLER_NAME_RESPONSE {
|
|||
|
ULONG MessageType ;
|
|||
|
PWSTR CallerName ;
|
|||
|
} NEGOTIATE_CALLER_NAME_RESPONSE, * PNEGOTIATE_CALLER_NAME_RESPONSE ;
|
|||
|
|
|||
|
#define NEGOTIATE_ALLOW_NTLM 0x10000000
|
|||
|
#define NEGOTIATE_NEG_NTLM 0x20000000
|
|||
|
|
|||
|
// end_ntsecapi
|
|||
|
|
|||
|
//
|
|||
|
// Define parallel structures for WOW64 environment. These
|
|||
|
// *must* stay in sync with their complements above.
|
|||
|
//
|
|||
|
|
|||
|
typedef struct _NEGOTIATE_PACKAGE_PREFIX_WOW {
|
|||
|
ULONG PackageId ;
|
|||
|
ULONG PackageDataA ;
|
|||
|
ULONG PackageDataW ;
|
|||
|
ULONG PrefixLen ;
|
|||
|
UCHAR Prefix[ NEGOTIATE_MAX_PREFIX ];
|
|||
|
} NEGOTIATE_PACKAGE_PREFIX_WOW, * PNEGOTIATE_PACKAGE_PREFIX_WOW ;
|
|||
|
|
|||
|
typedef struct _NEGOTIATE_CALLER_NAME_RESPONSE_WOW {
|
|||
|
ULONG MessageType ;
|
|||
|
ULONG CallerName ;
|
|||
|
} NEGOTIATE_CALLER_NAME_RESPONSE_WOW, * PNEGOTIATE_CALLER_NAME_RESPONSE_WOW ;
|
|||
|
|
|||
|
NTSTATUS
|
|||
|
NTAPI
|
|||
|
LsaSetPolicyReplicationHandle(
|
|||
|
IN OUT PLSA_HANDLE PolicyHandle
|
|||
|
);
|
|||
|
|
|||
|
#ifdef __cplusplus
|
|||
|
}
|
|||
|
#endif
|
|||
|
|
|||
|
#endif // _NTLSA_
|