/*++ BUILD Version: 0006 Increment this if a change has global effects
Copyright 1990 - 1998 Microsoft Corporation
Module Name:
ntsecapi.h
Abstract:
This module defines the Local Security Authority APIs.
Revision History:
--*/
#ifndef _NTSECAPI_
#define _NTSECAPI_
#ifdef __cplusplus
extern "C" {
#endif
#ifndef _NTDEF_
// Signed 32-bit status code. LSA_SUCCESS() below treats every non-negative
// value as success, so failure codes are the negative (high-bit-set) values.
typedef LONG NTSTATUS, *PNTSTATUS;
#endif
#ifndef _NTLSA_IFS_
// begin_ntifs
//
// Security operation mode of the system is held in a control
// longword.
//
// Bit set of LSA_MODE_* flags (defined below); returned through the
// SecurityMode out-parameter of LsaRegisterLogonProcess.
typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE;
// end_ntifs
#endif // _NTLSA_IFS_
//
// The flags in the security operational mode are defined
// as:
//
// PasswordProtected - Some level of authentication (such as
// a password) must be provided by users before they are
// allowed to use the system. Once set, this value will
// not be cleared without re-booting the system.
//
// IndividualAccounts - Each user must identify an account to
// logon to. This flag is only meaningful if the
// PasswordProtected flag is also set. If this flag is
// not set and the PasswordProtected flag is set, then all
// users may logon to the same account. Once set, this value
// will not be cleared without re-booting the system.
//
// MandatoryAccess - Indicates the system is running in a mandatory
// access control mode (e.g., B-level as defined by the U.S.A's
// Department of Defense's "Orange Book"). This is not utilized
// in the current release of NT. This flag is only meaningful
// if both the PasswordProtected and IndividualAccounts flags are
// set. Once set, this value will not be cleared without
// re-booting the system.
//
// LogFull - Indicates the system has been brought up in a mode in
// which it must perform security auditing, but its audit log
// is full. This may (should) restrict the operations that
// can occur until the audit log is made not-full again. THIS
// VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT
// REBOOTING).
//
// If the PasswordProtected flag is not set, then the system is running
// without security, and user interface should be adjusted appropriately.
//
// Flag bits of LSA_OPERATIONAL_MODE; semantics are described above.
// Only LSA_MODE_LOG_FULL may be cleared while the system is running.
#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L)
#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L)
#define LSA_MODE_MANDATORY_ACCESS (0x00000004L)
#define LSA_MODE_LOG_FULL (0x00000008L)
#ifndef _NTLSA_IFS_
// begin_ntifs
//
// Used by a logon process to indicate what type of logon is being
// requested.
//
// Logon type passed to LsaLogonUser. Numbering starts at 2; the values
// 0 and 1 are not assigned by this enumeration.
typedef enum _SECURITY_LOGON_TYPE {
    Interactive = 2, // Interactively logged on (locally or remotely)
    Network,         // Accessing system via network (3)
    Batch,           // Started via a batch queue (4)
    Service,         // Service started by service controller (5)
    Proxy,           // Proxy logon (6)
    Unlock           // Unlock workstation (7)
} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
// end_ntifs
#endif // _NTLSA_IFS_
//
// Audit Event Categories
//
// The following are the built-in types or Categories of audit event.
// WARNING! This structure is subject to expansion. The user should not
// compute the number of elements of this type directly, but instead
// should obtain the count of elements by calling LsaQueryInformationPolicy()
// for the PolicyAuditEventsInformation class and extracting the count from
// the MaximumAuditEventCount field of the returned structure.
//
// Zero-based audit category; also the index into the EventAuditingOptions
// array of POLICY_AUDIT_EVENTS_INFO. Do not hard-code the number of
// categories (see the warning above) -- use MaximumAuditEventCount.
typedef enum _POLICY_AUDIT_EVENT_TYPE {
    AuditCategorySystem,
    AuditCategoryLogon,
    AuditCategoryObjectAccess,
    AuditCategoryPrivilegeUse,
    AuditCategoryDetailedTracking,
    AuditCategoryPolicyChange,
    AuditCategoryAccountManagement,
    AuditCategoryDirectoryServiceAccess,
    AuditCategoryAccountLogon
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
//
// The following defines describe the auditing options for each
// event type
//
// Leave options specified for this event unchanged
#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L)
// Audit successful occurrences of events of this type
#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L)
// Audit failed attempts to cause an event of this type to occur
#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L)
// Cancel all auditing for events of this type; when set, the
// success/failure bits are ignored (see POLICY_AUDIT_EVENT_OPTIONS below)
#define POLICY_AUDIT_EVENT_NONE (0x00000004L)
// Mask of valid event auditing options. Note that UNCHANGED is zero, so
// it contributes no bit; any value with bits outside this mask is invalid.
#define POLICY_AUDIT_EVENT_MASK \
    (POLICY_AUDIT_EVENT_SUCCESS | \
     POLICY_AUDIT_EVENT_FAILURE | \
     POLICY_AUDIT_EVENT_UNCHANGED | \
     POLICY_AUDIT_EVENT_NONE)
#ifdef _NTDEF_
// begin_ntifs
typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef STRING LSA_STRING, *PLSA_STRING;
typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
// end_ntifs
#else // _NTDEF_
#ifndef IN
#define IN
#endif
#ifndef OUT
#define OUT
#endif
#ifndef OPTIONAL
#define OPTIONAL
#endif
// Counted wide string used by the LSA APIs when _NTDEF_ is not available.
// NOTE(review): as with UNICODE_STRING, Length/MaximumLength are presumably
// byte counts and Buffer need not be NUL-terminated -- honor Length rather
// than scanning for a terminator; confirm against the callers.
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;        // bytes in use (presumed)
    USHORT MaximumLength; // bytes allocated for Buffer (presumed)
    PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
// Counted narrow string; same layout rules as LSA_UNICODE_STRING above
// (Length is the usable size, Buffer is not assumed to be NUL-terminated).
typedef struct _LSA_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PCHAR Buffer;
} LSA_STRING, *PLSA_STRING;
// Object attributes passed to LsaOpenPolicy. Length should hold
// sizeof(LSA_OBJECT_ATTRIBUTES); callers that do not use the remaining
// fields should zero-initialize the structure rather than leave them unset.
typedef struct _LSA_OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PLSA_UNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;       // Points to type SECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
#endif // _NTDEF_
//
// Macro for determining whether an API succeeded.
//
// True for any non-negative NTSTATUS (the argument is cast to LONG first,
// so an unsigned status with the high bit set is correctly treated as failure).
#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0)
#ifndef _NTLSA_IFS_
// begin_ntifs
// Registers the caller as a logon process.
//   LogonProcessName [in]  - name identifying the logon process
//   LsaHandle        [out] - handle for subsequent LsaLogonUser /
//                            LsaCallAuthenticationPackage calls
//   SecurityMode     [out] - current LSA_MODE_* flags
NTSTATUS
NTAPI
LsaRegisterLogonProcess (
    IN PLSA_STRING LogonProcessName,
    OUT PHANDLE LsaHandle,
    OUT PLSA_OPERATIONAL_MODE SecurityMode
    );
// end_ntifs
// begin_ntsrv
// Authenticates a user through the given authentication package.
//   AuthenticationInformation/-Length - package-specific input blob
//     (typically credentials; treat the buffer as sensitive and clear it
//     once the call returns)
//   ProfileBuffer [out] - package-allocated profile; NOTE(review): presumably
//     released with LsaFreeReturnBuffer (declared below) -- confirm
//   Token [out] - handle to the new logon token; the caller owns it and must
//     close it when done
//   SubStatus [out] - package-specific reason when the logon fails
NTSTATUS
NTAPI
LsaLogonUser (
    IN HANDLE LsaHandle,
    IN PLSA_STRING OriginName,
    IN SECURITY_LOGON_TYPE LogonType,
    IN ULONG AuthenticationPackage,
    IN PVOID AuthenticationInformation,
    IN ULONG AuthenticationInformationLength,
    IN PTOKEN_GROUPS LocalGroups OPTIONAL,
    IN PTOKEN_SOURCE SourceContext,
    OUT PVOID *ProfileBuffer,
    OUT PULONG ProfileBufferLength,
    OUT PLUID LogonId,
    OUT PHANDLE Token,
    OUT PQUOTA_LIMITS Quotas,
    OUT PNTSTATUS SubStatus
    );
// end_ntsrv
// begin_ntifs
// Resolves an authentication package name to the id expected by
// LsaLogonUser and LsaCallAuthenticationPackage.
NTSTATUS
NTAPI
LsaLookupAuthenticationPackage (
    IN HANDLE LsaHandle,
    IN PLSA_STRING PackageName,
    OUT PULONG AuthenticationPackage
    );
// Releases a buffer returned by the logon-process APIs in this group
// (ProfileBuffer, ProtocolReturnBuffer). Distinct from LsaFreeMemory.
NTSTATUS
NTAPI
LsaFreeReturnBuffer (
    IN PVOID Buffer
    );
// Sends a package-specific request. ProtocolReturnBuffer is allocated by
// the callee (release with LsaFreeReturnBuffer -- presumed, confirm) and
// ProtocolStatus carries the package's own result separately from the
// function's return value; check both.
NTSTATUS
NTAPI
LsaCallAuthenticationPackage (
    IN HANDLE LsaHandle,
    IN ULONG AuthenticationPackage,
    IN PVOID ProtocolSubmitBuffer,
    IN ULONG SubmitBufferLength,
    OUT PVOID *ProtocolReturnBuffer,
    OUT PULONG ReturnBufferLength,
    OUT PNTSTATUS ProtocolStatus
    );
// Closes a handle obtained from LsaRegisterLogonProcess / LsaConnectUntrusted.
NTSTATUS
NTAPI
LsaDeregisterLogonProcess (
    IN HANDLE LsaHandle
    );
// Obtains an LSA handle without registering as a logon process.
// NOTE(review): the name implies a lower-trust connection; which calls are
// permitted on such a handle is not stated in this header -- confirm.
NTSTATUS
NTAPI
LsaConnectUntrusted (
    OUT PHANDLE LsaHandle
    );
// end_ntifs
#endif // _NTLSA_IFS_
////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy Administration API datatypes and defines //
// //
////////////////////////////////////////////////////////////////////////////
//
// Possible locations for the Ds policy
//
// Ds policy location values. POLICY_MACHINE_POLICY_UNKNOWN is marked
// internal-only; callers should not pass it in.
#define POLICY_MACHINE_POLICY_LOCAL 0x0
#define POLICY_MACHINE_POLICY_DEFAULTED 0x1
#define POLICY_MACHINE_POLICY_EXPLICIT 0x2
#define POLICY_MACHINE_POLICY_UNKNOWN 0xFFFFFFFF // Internal flag only
//
// Access types for the Policy object
//
// Specific access rights for the Policy object (passed as DesiredAccess to
// LsaOpenPolicy). Request only the individual bits a caller needs: the
// generic groupings below are broad -- POLICY_READ includes
// POLICY_GET_PRIVATE_INFORMATION, and POLICY_VIEW_LOCAL_INFORMATION and
// POLICY_LOOKUP_NAMES live in POLICY_EXECUTE rather than POLICY_READ.
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L
#define POLICY_TRUST_ADMIN 0x00000008L
#define POLICY_CREATE_ACCOUNT 0x00000010L
#define POLICY_CREATE_SECRET 0x00000020L
#define POLICY_CREATE_PRIVILEGE 0x00000040L
#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L
#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L
#define POLICY_AUDIT_LOG_ADMIN 0x00000200L
#define POLICY_SERVER_ADMIN 0x00000400L
#define POLICY_LOOKUP_NAMES 0x00000800L
// Every specific right plus STANDARD_RIGHTS_REQUIRED.
#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
    POLICY_VIEW_LOCAL_INFORMATION |\
    POLICY_VIEW_AUDIT_INFORMATION |\
    POLICY_GET_PRIVATE_INFORMATION |\
    POLICY_TRUST_ADMIN |\
    POLICY_CREATE_ACCOUNT |\
    POLICY_CREATE_SECRET |\
    POLICY_CREATE_PRIVILEGE |\
    POLICY_SET_DEFAULT_QUOTA_LIMITS |\
    POLICY_SET_AUDIT_REQUIREMENTS |\
    POLICY_AUDIT_LOG_ADMIN |\
    POLICY_SERVER_ADMIN |\
    POLICY_LOOKUP_NAMES )
// Generic read: audit information and private information.
#define POLICY_READ (STANDARD_RIGHTS_READ |\
    POLICY_VIEW_AUDIT_INFORMATION |\
    POLICY_GET_PRIVATE_INFORMATION)
// Generic write: every administrative / create / set right.
#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\
    POLICY_TRUST_ADMIN |\
    POLICY_CREATE_ACCOUNT |\
    POLICY_CREATE_SECRET |\
    POLICY_CREATE_PRIVILEGE |\
    POLICY_SET_DEFAULT_QUOTA_LIMITS |\
    POLICY_SET_AUDIT_REQUIREMENTS |\
    POLICY_AUDIT_LOG_ADMIN |\
    POLICY_SERVER_ADMIN)
// Generic execute: local information and name/SID lookup.
#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
    POLICY_VIEW_LOCAL_INFORMATION |\
    POLICY_LOOKUP_NAMES )
//
// Policy object specific data types.
//
//
// The following data type is used to identify a domain
//
// Identifies a domain by name and SID (member usage is described below).
typedef struct _LSA_TRUST_INFORMATION {
    LSA_UNICODE_STRING Name;
    PSID Sid;
} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
// where members have the following usage:
//
// Name - The name of the domain.
//
// Sid - A pointer to the Sid of the Domain
//
//
// The following data type is used in name and SID lookup services to
// describe the domains referenced in the lookup operation.
//
// Array of domains referenced by a lookup; DomainIndex values in
// LSA_TRANSLATED_SID / LSA_TRANSLATED_NAME index into Domains and must be
// checked against Entries (a negative index means "no domain").
typedef struct _LSA_REFERENCED_DOMAIN_LIST {
    ULONG Entries;
    PLSA_TRUST_INFORMATION Domains;
} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST;
// where members have the following usage:
//
// Entries - Is a count of the number of domains described in the
// Domains array.
//
// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
// structures.
//
//
// The following data type is used in name to SID lookup services to describe
// the domains referenced in the lookup operation.
//
// Result entry of a name-to-SID lookup. Check Use before reading the other
// members: for SidUnknown / SidInvalid they are not set.
typedef struct _LSA_TRANSLATED_SID {
    SID_NAME_USE Use;
    ULONG RelativeId;
    LONG DomainIndex; // signed: negative when no referenced domain applies
} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID;
// where members have the following usage:
//
// Use - identifies the use of the SID. If this value is SidUnknown or
// SidInvalid, then the remainder of the record is not set and
// should be ignored.
//
// RelativeId - Contains the relative ID of the translated SID. The
// remainder of the SID (the prefix) is obtained using the
// DomainIndex field.
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
// domain in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
//
// The following data type is used in SID to name lookup services to
// describe the domains referenced in the lookup operation.
//
// Result entry of a SID-to-name lookup. Check Use first: for
// SidUnknown / SidInvalid nothing else is set, and for SidWellKnownGroup
// Name is invalid while DomainIndex is still meaningful.
typedef struct _LSA_TRANSLATED_NAME {
    SID_NAME_USE Use;
    LSA_UNICODE_STRING Name;
    LONG DomainIndex; // signed: negative when no referenced domain applies
} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
// where the members have the following usage:
//
// Use - Identifies the use of the name. If this value is SidUnknown
// or SidInvalid, then the remainder of the record is not set and
// should be ignored. If this value is SidWellKnownGroup then the
// Name field is invalid, but the DomainIndex field is not.
//
// Name - Contains the isolated name of the translated SID.
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the domain
// in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
//
// The following data type is used to represent the role of the LSA
// server (primary or backup).
//
// LSA server role; numbering starts at 2 (Backup = 2, Primary = 3).
typedef enum _POLICY_LSA_SERVER_ROLE {
    PolicyServerRoleBackup = 2,
    PolicyServerRolePrimary
} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE;
//
// The following data type is used to represent the state of the LSA
// server (enabled or disabled). Some operations may only be performed on
// an enabled LSA server.
//
// LSA server enable state; numbering starts at 2 (Enabled = 2, Disabled = 3).
typedef enum _POLICY_SERVER_ENABLE_STATE {
    PolicyServerEnabled = 2,
    PolicyServerDisabled
} POLICY_SERVER_ENABLE_STATE, *PPOLICY_SERVER_ENABLE_STATE;
//
// The following data type is used to specify the auditing options for
// an Audit Event Type.
//
// Bit set of POLICY_AUDIT_EVENT_* flags for one audit category; valid bits
// are those in POLICY_AUDIT_EVENT_MASK (flag semantics are listed below).
typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS;
// where the following flags can be set:
//
// POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options
// unchanged for events of this type. This flag is only used for
// set operations. If this flag is set, then all other flags
// are ignored.
//
// POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events
// of this type. If this flag is set, the success/failure flags
// are ignored.
//
// POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all
// successful occurrences of events of the given type.
//
// POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all
// unsuccessful occurrences of events of the given type.
//
//
// The following data type is used to return information about privileges
// defined on a system.
//
// Describes one privilege defined on a system.
typedef struct _POLICY_PRIVILEGE_DEFINITION {
    LSA_UNICODE_STRING Name;
    LUID LocalValue; // the usage notes below refer to this member as "Luid"
} POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
// where the members have the following usage:
//
// Name - Is the architected name of the privilege. This is the
// primary key of the privilege and the only value that is
// transportable between systems.
//
// Luid - is a LUID value assigned locally for efficient representation
// of the privilege. This value is meaningful only on the system it
// was assigned on and is not transportable in any way.
//
//
// The following data type defines the classes of Policy Information
// that may be queried/set.
//
// Information classes accepted by LsaQueryInformationPolicy /
// LsaSetInformationPolicy. Numbering starts at 1; each class corresponds
// to one of the POLICY_*_INFO structures that follow.
typedef enum _POLICY_INFORMATION_CLASS {
    PolicyAuditLogInformation = 1,
    PolicyAuditEventsInformation,
    PolicyPrimaryDomainInformation,
    PolicyPdAccountInformation,
    PolicyAccountDomainInformation,
    PolicyLsaServerRoleInformation,
    PolicyReplicaSourceInformation,
    PolicyDefaultQuotaInformation,
    PolicyModificationInformation,
    PolicyAuditFullSetInformation,
    PolicyAuditFullQueryInformation,
    PolicyDnsDomainInformation,
    PolicyEfsInformation
} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
//
// The following data type corresponds to the PolicyAuditLogInformation
// information class. It is used to represent information relating to
// the Audit Log.
//
// This structure may be used in both query and set operations. However,
// when used in set operations, some fields are ignored.
//
// PolicyAuditLogInformation payload. AuditLogFullShutdownInProgress and
// TimeToShutdown are query-only (ignored on set); see the notes below.
typedef struct _POLICY_AUDIT_LOG_INFO {
    ULONG AuditLogPercentFull;
    ULONG MaximumLogSize;          // kilobytes
    LARGE_INTEGER AuditRetentionPeriod;
    BOOLEAN AuditLogFullShutdownInProgress;
    LARGE_INTEGER TimeToShutdown;
    ULONG NextAuditRecordId;       // not described in the usage notes below
} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO;
// where the members have the following usage:
//
// AuditLogPercentFull - Indicates the percentage of the Audit Log
// currently being used.
//
// MaximumLogSize - Specifies the maximum size of the Audit Log in
// kilobytes.
//
// AuditRetentionPeriod - Indicates the length of time that Audit
// Records are to be retained. Audit Records are discardable
// if their timestamp predates the current time minus the
// retention period.
//
// AuditLogFullShutdownInProgress - Indicates whether or not a system
// shutdown is being initiated due to the security Audit Log becoming
// full. This condition will only occur if the system is configured
// to shutdown when the log becomes full.
//
// TRUE indicates that a shutdown is in progress
// FALSE indicates that a shutdown is not in progress.
//
// Once a shutdown has been initiated, this flag will be set to
// TRUE. If an administrator is able to correct the situation
// before the shutdown becomes irreversible, then this flag will
// be reset to false.
//
// This field is ignored for set operations.
//
// TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set,
// then this field contains the time left before the shutdown
// becomes irreversible.
//
// This field is ignored for set operations.
//
//
// The following data type corresponds to the PolicyAuditEventsInformation
// information class. It is used to represent information relating to
// the audit requirements.
//
// PolicyAuditEventsInformation payload. EventAuditingOptions is an array
// of MaximumAuditEventCount entries indexed by POLICY_AUDIT_EVENT_TYPE;
// bounds-check the index against MaximumAuditEventCount rather than the
// enum, which may grow.
typedef struct _POLICY_AUDIT_EVENTS_INFO {
    BOOLEAN AuditingMode;
    PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
    ULONG MaximumAuditEventCount;
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
// where the members have the following usage:
//
// AuditingMode - A Boolean variable specifying the Auditing Mode value.
// This value is interpreted as follows:
//
// TRUE - Auditing is to be enabled (set operations) or is enabled
// (query operations). Audit Records will be generated according
// to the Event Auditing Options in effect (see the
// EventAuditingOptions field.
//
// FALSE - Auditing is to be disabled (set operations) or is
// disabled (query operations). No Audit Records will be
// generated. Note that for set operations the Event Auditing
// Options in effect will still be updated as specified by the
// EventAuditingOptions field whether Auditing is enabled or
// disabled.
//
// EventAuditingOptions - Pointer to an array of Auditing Options
// indexed by Audit Event Type.
//
// MaximumAuditEventCount - Specifies a count of the number of Audit
// Event Types specified by the EventAuditingOptions parameter. If
// this count is less than the number of Audit Event Types supported
// by the system, the Auditing Options for Event Types with IDs
// higher than (MaximumAuditEventCount + 1) are left unchanged.
//
//
// The following structure corresponds to the PolicyAccountDomainInformation
// information class.
//
// PolicyAccountDomainInformation payload: the local account domain.
typedef struct _POLICY_ACCOUNT_DOMAIN_INFO {
    LSA_UNICODE_STRING DomainName;
    PSID DomainSid;
} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO;
// where the members have the following usage:
//
// DomainName - Is the name of the domain
//
// DomainSid - Is the Sid of the domain
//
//
// The following structure corresponds to the PolicyPrimaryDomainInformation
// information class.
//
// PolicyPrimaryDomainInformation payload: same shape as
// LSA_TRUST_INFORMATION but a distinct type.
typedef struct _POLICY_PRIMARY_DOMAIN_INFO {
    LSA_UNICODE_STRING Name;
    PSID Sid;
} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO;
// where the members have the following usage:
//
// Name - Is the name of the domain
//
// Sid - Is the Sid of the domain
//
//
// The following structure corresponds to the PolicyDnsDomainInformation
// information class
//
// PolicyDnsDomainInformation payload: flat name, DNS names, GUID and SID
// of the domain (member usage is listed below).
typedef struct _POLICY_DNS_DOMAIN_INFO
{
    LSA_UNICODE_STRING Name;
    LSA_UNICODE_STRING DnsDomainName;
    LSA_UNICODE_STRING DnsTreeName;
    GUID DomainGuid;
    PSID Sid;
} POLICY_DNS_DOMAIN_INFO, *PPOLICY_DNS_DOMAIN_INFO;
// where the members have the following usage:
//
// Name - Is the name of the Domain
//
// DnsDomainName - Is the DNS name of the domain
//
// DnsTreeName - Is the DNS tree name of the domain
//
// DomainGuid - Is the GUID of the domain
//
// Sid - Is the Sid of the domain
//
// The following structure corresponds to the PolicyPdAccountInformation
// information class. This structure may be used in Query operations
// only.
//
// PolicyPdAccountInformation payload; query-only per the notes above.
typedef struct _POLICY_PD_ACCOUNT_INFO {
    LSA_UNICODE_STRING Name;
} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO;
// where the members have the following usage:
//
// Name - Is the name of an account in the domain that should be used
// for authentication and name/ID lookup requests.
//
//
// The following structure corresponds to the PolicyLsaServerRoleInformation
// information class.
//
// PolicyLsaServerRoleInformation payload (see POLICY_LSA_SERVER_ROLE).
typedef struct _POLICY_LSA_SERVER_ROLE_INFO {
    POLICY_LSA_SERVER_ROLE LsaServerRole;
} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO;
// where the fields have the following usage:
//
// TBS
//
//
// The following structure corresponds to the PolicyReplicaSourceInformation
// information class.
//
// PolicyReplicaSourceInformation payload. Member usage is not described
// in this header.
typedef struct _POLICY_REPLICA_SOURCE_INFO {
    LSA_UNICODE_STRING ReplicaSource;
    LSA_UNICODE_STRING ReplicaAccountName;
} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO;
//
// The following structure corresponds to the PolicyDefaultQuotaInformation
// information class.
//
// PolicyDefaultQuotaInformation payload: the default QUOTA_LIMITS applied
// to new logon sessions (see also the Quotas out-parameter of LsaLogonUser).
typedef struct _POLICY_DEFAULT_QUOTA_INFO {
    QUOTA_LIMITS QuotaLimits;
} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO;
//
// The following structure corresponds to the PolicyModificationInformation
// information class.
//
// PolicyModificationInformation payload. ModifiedId is a change counter
// (described below as a 64-bit unsigned value, though declared LARGE_INTEGER).
typedef struct _POLICY_MODIFICATION_INFO {
    LARGE_INTEGER ModifiedId;
    LARGE_INTEGER DatabaseCreationTime;
} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO;
// where the members have the following usage:
//
// ModifiedId - Is a 64-bit unsigned integer that is incremented each
// time anything in the LSA database is modified. This value is
// only modified on Primary Domain Controllers.
//
// DatabaseCreationTime - Is the date/time that the LSA Database was
// created. On Backup Domain Controllers, this value is replicated
// from the Primary Domain Controller.
//
//
// The following structure type corresponds to the PolicyAuditFullSetInformation
// Information Class.
//
// PolicyAuditFullSetInformation payload: whether the system shuts down when
// the audit log fills (the "crash on audit fail" setting).
typedef struct _POLICY_AUDIT_FULL_SET_INFO {
    BOOLEAN ShutDownOnFull;
} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO;
//
// The following structure type corresponds to the PolicyAuditFullQueryInformation
// Information Class.
//
// PolicyAuditFullQueryInformation payload: the set value plus the current
// log-full state.
typedef struct _POLICY_AUDIT_FULL_QUERY_INFO {
    BOOLEAN ShutDownOnFull;
    BOOLEAN LogIsFull;
} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO;
//
// The following structure corresponds to the PolicyEfsInformation
// information class
//
// PolicyEfsInformation payload: an opaque blob of InfoLength bytes. The
// blob format is not defined in this header; validate InfoLength before
// parsing EfsBlob.
typedef struct _POLICY_EFS_INFO {
    ULONG InfoLength;
    PUCHAR EfsBlob;
} POLICY_EFS_INFO, *PPOLICY_EFS_INFO;
// where the members have the following usage:
//
// InfoLength - Length of the EFS Information blob
//
// EfsBlob - Efs blob data
//
//
// The following data type defines the classes of Policy Information
// that may be queried/set for the local machine.
//
// Information classes for the local-machine policy APIs
// (LsaQueryLocalInformationPolicy and its set counterpart). Numbering
// starts at 1 and is independent of POLICY_INFORMATION_CLASS.
typedef enum _POLICY_LOCAL_INFORMATION_CLASS {
    PolicyLocalAuditEventsInformation = 1,
    PolicyLocalPdAccountInformation,
    PolicyLocalAccountDomainInformation,
    PolicyLocalLsaServerRoleInformation,
    PolicyLocalReplicaSourceInformation,
    PolicyLocalModificationInformation,
    PolicyLocalAuditFullSetInformation,
    PolicyLocalAuditFullQueryInformation,
    PolicyLocalDnsDomainInformation,
    PolicyLocalIPSecReferenceInformation,
    PolicyLocalMachinePasswordInformation,
    PolicyLocalQualityOfServiceInformation,
    PolicyLocalPolicyLocationInformation
} POLICY_LOCAL_INFORMATION_CLASS, *PPOLICY_LOCAL_INFORMATION_CLASS;
//
// The following data type corresponds to the PolicyLocalIPSecReferenceInformation
// information class. It is used to represent information relating to
// the IPSec object reference.
//
// This structure may be used in both query and set operations. However,
// when used in set operations, some fields are ignored.
//
// PolicyLocalIPSecReferenceInformation payload. Only ObjectPath is
// declared; the usage notes below also mention an ObjectId member that this
// structure does not contain.
typedef struct _POLICY_LOCAL_IPSEC_REFERENCE_INFO {
    LSA_UNICODE_STRING ObjectPath;
} POLICY_LOCAL_IPSEC_REFERENCE_INFO, *PPOLICY_LOCAL_IPSEC_REFERENCE_INFO;
// where the members have the following usage:
//
// ObjectPath - A unicode string giving the Ds path to the object
//
// ObjectId - Specifies the GUID of the object
//
//
// Machine password information. Corresponds to PolicyLocalMachinePasswordInformation
//
// PolicyLocalMachinePasswordInformation payload: interval between machine
// account password changes (units not stated here; presumably a delta time).
typedef struct _POLICY_LOCAL_MACHINE_PASSWORD_INFO {
    LARGE_INTEGER PasswordChangeInterval;
} POLICY_LOCAL_MACHINE_PASSWORD_INFO, *PPOLICY_LOCAL_MACHINE_PASSWORD_INFO;
//
// where the members have the following usage:
//
// PasswordChangeInterval - Duration between password changes
//
//
// Policy location information. Corresponds to PolicyLocalPolicyLocationInformation
//
// Values for POLICY_LOCAL_POLICY_LOCATION_INFO.PolicyLocation.
#define POLICY_LOCATION_LOCAL 1
#define POLICY_LOCATION_DS 2
// PolicyLocalPolicyLocationInformation payload.
typedef struct _POLICY_LOCAL_POLICY_LOCATION_INFO {
    ULONG PolicyLocation; // POLICY_LOCATION_LOCAL or POLICY_LOCATION_DS
} POLICY_LOCAL_POLICY_LOCATION_INFO, *PPOLICY_LOCAL_POLICY_LOCATION_INFO;
//
// QualityOfService information. Corresponds to PolicyLocalQualityOfServiceInformation
//
// Flag bits for POLICY_LOCAL_QUALITY_OF_SERVICE_INFO.QualityOfService.
// The identifier spellings below (SCHANEL, INTEGREITY, ALLOWD) are part of
// the published API and must be kept as-is.
#define POLICY_QOS_SCHANEL_REQUIRED 0x00000001
#define POLICY_QOS_OUTBOUND_INTEGRITY 0x00000002
#define POLICY_QOS_OUTBOUND_CONFIDENTIALITY 0x00000004
#define POLICY_QOS_INBOUND_INTEGREITY 0x00000008
#define POLICY_QOS_INBOUND_CONFIDENTIALITY 0x00000010
#define POLICY_QOS_ALLOW_LOCAL_ROOT_CERT_STORE 0x00000020
#define POLICY_QOS_RAS_SERVER_ALLOWED 0x00000040
#define POLICY_QOS_DHCP_SERVER_ALLOWD 0x00000080
//
// Bits 0x00000100 through 0xFFFFFFFF are reserved for future use.
//
// PolicyLocalQualityOfServiceInformation payload; also reused for the
// domain-wide class via the POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO typedef.
typedef struct _POLICY_LOCAL_QUALITY_OF_SERVICE_INFO {
    ULONG QualityOfService; // POLICY_QOS_* bits; reserved bits should be zero
} POLICY_LOCAL_QUALITY_OF_SERVICE_INFO, *PPOLICY_LOCAL_QUALITY_OF_SERVICE_INFO;
//
// where the members have the following usage:
//
// QualityOfService - Determines what specific QOS actions a machine should take
//
//
// The following data type defines the classes of Policy Information
// that may be queried/set that has domain wide effect.
//
// Information classes for domain-wide policy. Numbering starts at 1 and is
// independent of the other POLICY_*_INFORMATION_CLASS enumerations.
typedef enum _POLICY_DOMAIN_INFORMATION_CLASS {
    PolicyDomainIPSecReferenceInformation = 1,
    PolicyDomainQualityOfServiceInformation,
    PolicyDomainEfsInformation,
    PolicyDomainPublicKeyInformation,
    PolicyDomainPasswordPolicyInformation,
    PolicyDomainLockoutInformation,
    PolicyDomainKerberosTicketInformation
} POLICY_DOMAIN_INFORMATION_CLASS, *PPOLICY_DOMAIN_INFORMATION_CLASS;
// The domain-wide QoS class shares the local QoS structure layout.
typedef struct _POLICY_LOCAL_QUALITY_OF_SERVICE_INFO POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO;
typedef struct _POLICY_LOCAL_QUALITY_OF_SERVICE_INFO *PPOLICY_DOMAIN_QUALITY_OF_SERVICE_INFO;
//
// The following structure corresponds to the PolicyDomainPublicKeyInformation
// information class
//
// PolicyDomainPublicKeyInformation payload: an opaque blob of InfoLength
// bytes whose format is not defined here; validate InfoLength before use.
typedef struct _POLICY_DOMAIN_PUBLIC_KEY_INFO {
    ULONG InfoLength;
    PUCHAR PublicKeyInfo;
} POLICY_DOMAIN_PUBLIC_KEY_INFO, *PPOLICY_DOMAIN_PUBLIC_KEY_INFO;
// where the members have the following usage:
//
// InfoLength - Length of the PublicKey Information blob
//
// PublicKeyInfo - PublicKey information blob
//
//
// The following structure corresponds to the PolicyDomainLockoutInformation
// information class
//
// PolicyDomainLockoutInformation payload. A LockoutThreshold of zero
// disables account lockout entirely, so a policy reader should treat that
// value explicitly rather than as "lock after 0 attempts".
typedef struct _POLICY_DOMAIN_LOCKOUT_INFO {
    LARGE_INTEGER LockoutDuration;          //Must be a Delta time
    LARGE_INTEGER LockoutObservationWindow; //Must be a Delta time
    USHORT LockoutThreshold;                //Zero means no lockout
} POLICY_DOMAIN_LOCKOUT_INFO, *PPOLICY_DOMAIN_LOCKOUT_INFO;
//
// The following structure corresponds to the PolicyPasswordPolicyInformation
//
// PolicyDomainPasswordPolicyInformation payload. PasswordProperties is a
// flag word whose bit values are not defined in this header. Age members
// are presumably delta times like the lockout members above -- confirm.
typedef struct _POLICY_DOMAIN_PASSWORD_INFO {
    USHORT MinPasswordLength;
    USHORT PasswordHistoryLength;
    ULONG PasswordProperties;
    LARGE_INTEGER MaxPasswordAge;
    LARGE_INTEGER MinPasswordAge;
} POLICY_DOMAIN_PASSWORD_INFO, *PPOLICY_DOMAIN_PASSWORD_INFO;
//
// The following structure corresponds to the PolicyDomainKerberosTicketInformation
// information class
// Flag bits for POLICY_DOMAIN_KERBEROS_TICKET_INFO.AuthenticationOptions:
// which ticket options the domain permits to be issued.
#define POLICY_KERBEROS_FORWARDABLE 0x00000001
#define POLICY_KERBEROS_PROXYABLE 0x00000002
#define POLICY_KERBEROS_RENEWABLE 0x00000004
#define POLICY_KERBEROS_POSTDATEABLE 0x00000008
// PolicyDomainKerberosTicketInformation payload (member usage is below).
typedef struct _POLICY_DOMAIN_KERBEROS_TICKET_INFO {
    ULONG AuthenticationOptions; // POLICY_KERBEROS_* bits
    LARGE_INTEGER MinTicketAge;
    LARGE_INTEGER MaxTicketAge;
    LARGE_INTEGER MaxRenewAge;
    LARGE_INTEGER ProxyLifetime;
    LARGE_INTEGER ForceLogoff;
} POLICY_DOMAIN_KERBEROS_TICKET_INFO, *PPOLICY_DOMAIN_KERBEROS_TICKET_INFO;
//
// where the members have the following usage
//
// AuthenticationOptions -- allowed ticket options (POLICY_KERBEROS_* flags )
//
// MinTicketAge -- Minimum lifetime for a ticket
//
// MaxTicketAge -- Maximum lifetime for a ticket
//
// MaxRenewAge -- Maximum cumulative age a renewable ticket can be with
// requiring authentication
//
// ProxyLifetime -- Maximum lifetime for a proxy ticket
//
// ForceLogoff -- Maximum duration before forcing a user to logoff whose ticket has
// expired.
//
// LSA RPC Context Handle (Opaque form). Note that a Context Handle is
// always a pointer type unlike regular handles.
//
// Opaque RPC context handle (a pointer type, unlike HANDLE); obtained from
// LsaOpenPolicy and released with LsaClose.
typedef PVOID LSA_HANDLE, *PLSA_HANDLE;
//
// Trusted Domain Object specific data types
//
//
// This data type defines the following information classes that may be
// queried or set.
//
// Information classes for Trusted Domain objects. Numbering starts at 1;
// each class maps to one of the TRUSTED_*_INFO* structures that follow.
typedef enum _TRUSTED_INFORMATION_CLASS {
    TrustedDomainNameInformation = 1,
    TrustedControllersInformation,
    TrustedPosixOffsetInformation,
    TrustedPasswordInformation,
    TrustedDomainInformationBasic,
    TrustedDomainInformationEx,
    TrustedDomainAuthInformation,
    TrustedDomainFullInformation
} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS;
//
// The following data type corresponds to the TrustedDomainNameInformation
// information class.
//
// TrustedDomainNameInformation payload.
typedef struct _TRUSTED_DOMAIN_NAME_INFO {
    LSA_UNICODE_STRING Name;
} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO;
// where members have the following meaning:
//
// Name - The name of the Trusted Domain.
//
//
// The following data type corresponds to the TrustedControllersInformation
// information class.
//
// TrustedControllersInformation payload: Entries names in the Names array.
// Per the notes below the list is only a hint and its order is significant.
typedef struct _TRUSTED_CONTROLLERS_INFO {
    ULONG Entries;
    PLSA_UNICODE_STRING Names;
} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO;
// where members have the following meaning:
//
// Entries - Indicates how many entries there are in the Names array.
//
// Names - Pointer to an array of LSA_UNICODE_STRING structures containing the
// names of domain controllers of the domain. This information may not
// be accurate and should be used only as a hint. The order of this
// list is considered significant and will be maintained.
//
// By convention, the first name in this list is assumed to be the
// Primary Domain Controller of the domain. If the Primary Domain
// Controller is not known, the first name should be set to the NULL
// string.
//
//
// The following data type corresponds to the TrustedPosixOffsetInformation
// information class.
//
// TrustedPosixOffsetInformation payload: Posix ID = RID + Offset (see below).
typedef struct _TRUSTED_POSIX_OFFSET_INFO {
    ULONG Offset;
} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO;
// where members have the following meaning:
//
// Offset - Is an offset to use for the generation of Posix user and group
// IDs from SIDs. The Posix ID corresponding to any particular SID is
// generated by adding the RID of that SID to the Offset of the SID's
// corresponding TrustedDomain object.
//
//
// The following data type corresponds to the TrustedPasswordInformation
// information class.
//
// TrustedPasswordInformation payload: the current and previous trust
// passwords. Both buffers hold secrets -- keep them out of logs and clear
// them before the memory is released.
typedef struct _TRUSTED_PASSWORD_INFO {
    LSA_UNICODE_STRING Password;
    LSA_UNICODE_STRING OldPassword;
} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO;
// TrustedDomainInformationBasic reuses LSA_TRUST_INFORMATION.
typedef LSA_TRUST_INFORMATION TRUSTED_DOMAIN_INFORMATION_BASIC;
// NOTE(review): this is a pointer to PLSA_TRUST_INFORMATION, i.e. a
// double pointer, not a pointer to TRUSTED_DOMAIN_INFORMATION_BASIC as the
// name suggests. Left as published; callers should cast deliberately.
typedef PLSA_TRUST_INFORMATION *PTRUSTED_DOMAIN_INFORMATION_BASIC;
//
// Direction of the trust
//
// TrustDirection values (bit flags; BIDIRECTIONAL is INBOUND | OUTBOUND).
#define TRUST_DIRECTION_DISABLED 0x00000000
#define TRUST_DIRECTION_INBOUND 0x00000001
#define TRUST_DIRECTION_OUTBOUND 0x00000002
#define TRUST_DIRECTION_BIDIRECTIONAL (TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND)
// TrustType values (an enumeration, not flags).
#define TRUST_TYPE_DOWNLEVEL 0x00000001 // NT4 and before
#define TRUST_TYPE_UPLEVEL 0x00000002 // NT5
#define TRUST_TYPE_MIT 0x00000003 // Trust with a MIT Kerberos realm
#define TRUST_TYPE_DCE 0x00000004 // Trust with a DCE realm
// Levels 0x5 - 0x000FFFFF reserved for future use
// Provider specific trust levels are from 0x00100000 to 0xFFF00000
// TrustAttributes bit flags.
#define TRUST_ATTRIBUTE_NON_TRANSITIVE 0x00000001 // Disallow transitivity
#define TRUST_ATTRIBUTE_UPLEVEL_ONLY 0x00000002 // Trust link only valid
// for uplevel client
#define TRUST_ATTRIBUTE_TREE_PARENT 0x00400000 // Denotes that we are setting the trust
// to our parent in the org tree...
// Trust attributes 0x00000004 through 0x004FFFFFFF reserved for future use
// Trust attributes 0x00F00000 through 0x00400000 are reserved for internal use
// Trust attributes 0x01000000 through 0xFF000000 are reserved for user
// defined values
// Mask of bits 0-15, bit 17 and bits 24-31. NOTE(review): bit 22
// (TRUST_ATTRIBUTE_TREE_PARENT) is NOT inside this mask, consistent with
// the "internal use" range above; whether the mask is enforced on set is
// not shown in this header.
#define TRUST_ATTRIBUTES_VALID 0xFF02FFFF
// TrustedDomainInformationEx payload.
typedef struct _TRUSTED_DOMAIN_INFORMATION_EX {
    LSA_UNICODE_STRING Name;
    LSA_UNICODE_STRING FlatName;
    PSID Sid;
    ULONG TrustDirection;  // TRUST_DIRECTION_*
    ULONG TrustType;       // TRUST_TYPE_*
    ULONG TrustAttributes; // TRUST_ATTRIBUTE_*
} TRUSTED_DOMAIN_INFORMATION_EX, *PTRUSTED_DOMAIN_INFORMATION_EX;
//
// Type of authentication information
//
#define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry
#define TRUST_AUTH_TYPE_NT4OWF 1 // NT4 OWF password
#define TRUST_AUTH_TYPE_CLEAR 2 // Cleartext password
//
// These select how the AuthInfo bytes of an LSA_AUTH_INFORMATION are
// interpreted.  Both NT4OWF (the one-way-function hash of the password) and
// CLEAR (the password itself) are credential material for the trust; an
// entry of type CLEAR holds a cleartext password and must never be logged
// or left unzeroed in memory after use.  NONE marks an entry that carries
// no usable credential.
//
//
// One authentication (trust credential) entry.  AuthInfo presumably points
// at AuthInfoLength bytes whose meaning is selected by AuthType
// (TRUST_AUTH_TYPE_*); LastUpdateTime presumably records when the entry was
// last changed.  Always bound reads of AuthInfo by AuthInfoLength, and zero
// those bytes before releasing the structure - for TRUST_AUTH_TYPE_CLEAR
// they are a cleartext password.
//
typedef struct _LSA_AUTH_INFORMATION {
LARGE_INTEGER LastUpdateTime;   // time of last change (format not stated here)
ULONG AuthType;                 // TRUST_AUTH_TYPE_*
ULONG AuthInfoLength;           // byte count of the data at AuthInfo
PUCHAR AuthInfo;                // credential bytes, AuthInfoLength long
} LSA_AUTH_INFORMATION, *PLSA_AUTH_INFORMATION;
//
// Authentication data for both directions of a trust.  For each direction
// there is an entry count and two PLSA_AUTH_INFORMATION pointers: the
// current credentials and the previous ones (presumably kept so that a
// password change can be rolled over - confirm).
//
// NOTE(review): the single count per direction is presumably the number of
// LSA_AUTH_INFORMATION entries in BOTH the current and the previous array;
// confirm before indexing the Previous arrays.  Everything reachable from
// this structure is credential material and must be zeroed before release.
//
typedef struct _TRUSTED_DOMAIN_AUTH_INFORMATION {
ULONG IncomingAuthInfos;                                       // entries in the two Incoming arrays
PLSA_AUTH_INFORMATION IncomingAuthenticationInformation;       // current incoming credentials
PLSA_AUTH_INFORMATION IncomingPreviousAuthenticationInformation; // previous incoming credentials
ULONG OutgoingAuthInfos;                                       // entries in the two Outgoing arrays
PLSA_AUTH_INFORMATION OutgoingAuthenticationInformation;       // current outgoing credentials
PLSA_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation; // previous outgoing credentials
} TRUSTED_DOMAIN_AUTH_INFORMATION, *PTRUSTED_DOMAIN_AUTH_INFORMATION;
//
// Everything the LSA keeps about a trusted domain in one structure: the
// extended description, the POSIX offset (TRUSTED_POSIX_OFFSET_INFO is
// defined earlier in this header) and the authentication data.  Because
// AuthInformation embeds trust credentials, any buffer holding this
// structure is itself a secret: zero it before releasing it.
//
typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION {
TRUSTED_DOMAIN_INFORMATION_EX Information;      // names, SID, direction/type/attributes
TRUSTED_POSIX_OFFSET_INFO PosixOffset;          // POSIX offset information
TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; // trust credentials (secret)
} TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION;
//
// LSA Enumeration Context
//
//
// Opaque cursor for LsaEnumerateTrustedDomains / LsaEnumerateTrustedDomainsEx.
// It is passed IN OUT so the LSA can advance it between batches.
// NOTE(review): this header does not say how to initialise it before the
// first call (presumably 0) - confirm.
//
typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE;
//
// LSA Enumeration Information
//
//
// One element of an enumeration result: the SID of the enumerated object.
// Presumably the element type of the buffer LsaEnumerateAccountsWithUserRight
// returns through its untyped EnumerationBuffer - confirm.
//
typedef struct _LSA_ENUMERATION_INFORMATION {
PSID Sid;   // SID of one enumerated object
} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Miscellaneous API function prototypes //
// //
////////////////////////////////////////////////////////////////////////////
//
// Release a buffer the LSA allocated on the caller's behalf.  This is the
// only release routine declared in this header, so the OUT pointer-to-
// pointer buffers returned by the Query*, Enumerate*, Lookup* and
// LsaRetrievePrivateData calls below are presumably returned through it
// (confirm per call).  Zero buffers that held credential material
// (trust passwords, private data) before calling this.
//
NTSTATUS
NTAPI
LsaFreeMemory(
IN PVOID Buffer   // buffer previously returned by an Lsa* call
);
//
// Close an LSA_HANDLE obtained from LsaOpenPolicy or LsaCreateTrustedDomainEx.
// The handle must not be used afterwards.
//
NTSTATUS
NTAPI
LsaClose(
IN LSA_HANDLE ObjectHandle   // policy or trusted-domain handle to close
);
//
// Open the Policy object on the local system (SystemName NULL) or on the
// named remote system, returning a handle opened with DesiredAccess.
//
//   SystemName       - OPTIONAL target system; NULL presumably means the
//                      local machine - confirm
//   ObjectAttributes - NOTE(review): this header does not say which fields
//                      the LSA honours; zero-initialise the whole structure
//                      rather than leaving any of it indeterminate
//   DesiredAccess    - ACCESS_MASK of the policy access rights defined
//                      earlier in this header.  Request only what the
//                      subsequent calls need - a read-only query should not
//                      ask for write or trust-administration rights - since
//                      (presumably, as for other NT handles) later Set*,
//                      Create* and Delete* calls are checked against the
//                      access the handle was opened with
//   PolicyHandle     - receives the handle; release with LsaClose.  It is
//                      declared IN OUT, unlike the OUT TrustedDomainHandle
//                      of LsaCreateTrustedDomainEx; the header does not say
//                      what input value, if any, is consulted
//
NTSTATUS
NTAPI
LsaOpenPolicy(
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
IN ACCESS_MASK DesiredAccess,
IN OUT PLSA_HANDLE PolicyHandle
);
//
// Read / write one information class of the Policy object.
//
// LsaQueryInformationPolicy returns an LSA-allocated buffer through *Buffer
// whose layout depends on InformationClass; release it with LsaFreeMemory
// (presumably - confirm).  LsaSetInformationPolicy takes a caller-supplied
// buffer of the same class-specific layout.  Changing policy information is
// a privileged, security-relevant operation; callers of the Set routine
// should hold only the access they need and their use should be audited.
//
NTSTATUS
NTAPI
LsaQueryInformationPolicy(
IN LSA_HANDLE PolicyHandle,                 // from LsaOpenPolicy
IN POLICY_INFORMATION_CLASS InformationClass, // selects the layout of *Buffer
OUT PVOID *Buffer                           // receives an LSA-allocated buffer
);
NTSTATUS
NTAPI
LsaSetInformationPolicy(
IN LSA_HANDLE PolicyHandle,                 // from LsaOpenPolicy
IN POLICY_INFORMATION_CLASS InformationClass, // selects the layout of Buffer
IN PVOID Buffer                             // caller-supplied class-specific data
);
//
// Read / write one POLICY_LOCAL_INFORMATION_CLASS item of the Policy object.
// Same conventions as LsaQueryInformationPolicy / LsaSetInformationPolicy:
// the Query routine returns an LSA-allocated buffer (release with
// LsaFreeMemory, presumably), the Set routine takes a caller-supplied one,
// and the layout of either is selected by InformationClass.
//
NTSTATUS
NTAPI
LsaQueryLocalInformationPolicy(
IN LSA_HANDLE PolicyHandle,                       // from LsaOpenPolicy
IN POLICY_LOCAL_INFORMATION_CLASS InformationClass, // selects the layout of *Buffer
OUT PVOID *Buffer                                 // receives an LSA-allocated buffer
);
NTSTATUS
NTAPI
LsaSetLocalInformationPolicy(
IN LSA_HANDLE PolicyHandle,                       // from LsaOpenPolicy
IN POLICY_LOCAL_INFORMATION_CLASS InformationClass, // selects the layout of Buffer
IN PVOID Buffer                                   // caller-supplied class-specific data
);
//
// Read / write one POLICY_DOMAIN_INFORMATION_CLASS item of the Policy object.
// Same conventions as LsaQueryInformationPolicy / LsaSetInformationPolicy:
// the Query routine returns an LSA-allocated buffer (release with
// LsaFreeMemory, presumably), the Set routine takes a caller-supplied one,
// and the layout of either is selected by InformationClass.
//
NTSTATUS
NTAPI
LsaQueryDomainInformationPolicy(
IN LSA_HANDLE PolicyHandle,                        // from LsaOpenPolicy
IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, // selects the layout of *Buffer
OUT PVOID *Buffer                                  // receives an LSA-allocated buffer
);
NTSTATUS
NTAPI
LsaSetDomainInformationPolicy(
IN LSA_HANDLE PolicyHandle,                        // from LsaOpenPolicy
IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass, // selects the layout of Buffer
IN PVOID Buffer                                    // caller-supplied class-specific data
);
//
// Enumerate the trusted domains known to the policy, one batch per call.
//
//   EnumerationContext    - cursor, IN OUT; carried across calls so the
//                           caller resumes where the previous batch stopped
//   Buffer                - receives an LSA-allocated array of CountReturned
//                           entries (presumably LSA_TRUST_INFORMATION, the
//                           TRUSTED_DOMAIN_INFORMATION_BASIC layout -
//                           confirm); release with LsaFreeMemory
//   PreferedMaximumLength - (sic) presumably a size hint, in bytes, for how
//                           much to return per batch; do not assume the
//                           returned batch respects it exactly
//   CountReturned         - number of entries in *Buffer
//
NTSTATUS
NTAPI
LsaEnumerateTrustedDomains(
IN LSA_HANDLE PolicyHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
//
// Translate account names to SIDs (LsaLookupNames) and SIDs to names
// (LsaLookupSids).  Both take an array of Count inputs and return two
// LSA-allocated arrays - the per-input translations (Sids / Names) and the
// ReferencedDomains list those translations refer into - which are
// presumably released with LsaFreeMemory.
//
// Names passed in here frequently originate from users or the network.
// Check the translation result entry by entry: a name that does not resolve
// presumably produces an "unknown" entry rather than failing the whole call
// (confirm against the status codes), so a successful return is not proof
// that every input resolved.
//
NTSTATUS
NTAPI
LsaLookupNames(
IN LSA_HANDLE PolicyHandle,                       // from LsaOpenPolicy
IN ULONG Count,                                   // entries in Names (and in *Sids)
IN PLSA_UNICODE_STRING Names,                     // names to translate
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, // LSA-allocated domain list
OUT PLSA_TRANSLATED_SID *Sids                     // LSA-allocated, one per name
);
NTSTATUS
NTAPI
LsaLookupSids(
IN LSA_HANDLE PolicyHandle,                       // from LsaOpenPolicy
IN ULONG Count,                                   // entries in Sids (and in *Names)
IN PSID *Sids,                                    // SIDs to translate
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains, // LSA-allocated domain list
OUT PLSA_TRANSLATED_NAME *Names                   // LSA-allocated, one per SID
);
//
// Names of the logon rights, in the form the account-rights APIs below take
// in their UserRights parameters.  Those parameters are LSA_UNICODE_STRINGs,
// so the literal must end up as wide characters; TEXT() yields narrow or
// wide text depending on UNICODE - build accordingly.
//
// Granting any of these (interactive, network, batch or service logon)
// widens the ways an account can authenticate; treat additions as
// security-relevant, audited changes.
//
#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
//
// This API returns all the accounts that hold a given user right or
// privilege (named in the UserRights parameter, e.g. one of the
// SE_*_LOGON_NAME strings above)
//
//
//   UserRights        - the right to search for; OPTIONAL - behaviour when
//                       NULL is not documented here (presumably "every
//                       account that holds any right") - confirm
//   EnumerationBuffer - receives an LSA-allocated array of CountReturned
//                       entries (presumably LSA_ENUMERATION_INFORMATION,
//                       i.e. one SID each - confirm); release with
//                       LsaFreeMemory
//   CountReturned     - number of entries in *EnumerationBuffer
//
NTSTATUS
NTAPI
LsaEnumerateAccountsWithUserRight(
IN LSA_HANDLE PolicyHandle,
IN OPTIONAL PLSA_UNICODE_STRING UserRights,
OUT PVOID *EnumerationBuffer,
OUT PULONG CountReturned
);
//
// These new APIs differ by taking a SID instead of requiring the caller
// to open the account first and passing in an account handle
//
//
// Query, grant and revoke user rights on the account identified by
// AccountSid.  UserRights is an array of CountOfRights LSA_UNICODE_STRINGs
// naming rights (e.g. the SE_*_LOGON_NAME strings above).
//
// LsaEnumerateAccountRights returns the array through *UserRights
// (LSA-allocated; release with LsaFreeMemory, presumably).
// LsaAddAccountRights grants rights - a privilege-escalating change that
// should be audited.  LsaRemoveAccountRights revokes the listed rights, or
// every right the account holds when AllRights is TRUE (in which case
// UserRights / CountOfRights are presumably ignored - confirm); the latter
// can lock an account out of every logon type, so guard it.
//
NTSTATUS
NTAPI
LsaEnumerateAccountRights(
IN LSA_HANDLE PolicyHandle,            // from LsaOpenPolicy
IN PSID AccountSid,                    // account to inspect
OUT PLSA_UNICODE_STRING *UserRights,   // LSA-allocated array of right names
OUT PULONG CountOfRights               // entries in *UserRights
);
NTSTATUS
NTAPI
LsaAddAccountRights(
IN LSA_HANDLE PolicyHandle,            // from LsaOpenPolicy
IN PSID AccountSid,                    // account to grant to
IN PLSA_UNICODE_STRING UserRights,     // rights to grant
IN ULONG CountOfRights                 // entries in UserRights
);
NTSTATUS
NTAPI
LsaRemoveAccountRights(
IN LSA_HANDLE PolicyHandle,            // from LsaOpenPolicy
IN PSID AccountSid,                    // account to revoke from
IN BOOLEAN AllRights,                  // TRUE: revoke every right
IN PLSA_UNICODE_STRING UserRights,     // rights to revoke (when !AllRights)
IN ULONG CountOfRights                 // entries in UserRights
);
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Trusted Domain Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
//
// Read / write one information class of the trusted-domain object
// identified by TrustedDomainSid.  InformationClass selects the layout -
// e.g. TRUSTED_PASSWORD_INFO or TRUSTED_DOMAIN_FULL_INFORMATION above.
// The Query routine returns an LSA-allocated buffer (release with
// LsaFreeMemory, presumably); for classes that include trust passwords or
// authentication data that buffer is a secret and must be zeroed first.
// The Set routine takes a caller-supplied buffer and can change trust
// credentials and attributes - a privileged change that should be audited.
//
NTSTATUS
NTAPI
LsaQueryTrustedDomainInfo(
IN LSA_HANDLE PolicyHandle,                   // from LsaOpenPolicy
IN PSID TrustedDomainSid,                     // trusted domain to read
IN TRUSTED_INFORMATION_CLASS InformationClass, // selects the layout of *Buffer
OUT PVOID *Buffer                             // receives an LSA-allocated buffer
);
NTSTATUS
NTAPI
LsaSetTrustedDomainInformation(
IN LSA_HANDLE PolicyHandle,                   // from LsaOpenPolicy
IN PSID TrustedDomainSid,                     // trusted domain to modify
IN TRUSTED_INFORMATION_CLASS InformationClass, // selects the layout of Buffer
IN PVOID Buffer                               // caller-supplied class-specific data
);
//
// Delete the trusted-domain object identified by TrustedDomainSid.  This
// is destructive and cannot be undone through this API; it requires a
// policy handle opened with sufficient access (presumably trust
// administration - confirm) and should be audited.
//
NTSTATUS
NTAPI
LsaDeleteTrustedDomain(
IN LSA_HANDLE PolicyHandle,   // from LsaOpenPolicy
IN PSID TrustedDomainSid      // trusted domain to remove
);
//
// Same as LsaQueryTrustedDomainInfo / LsaSetTrustedDomainInformation, but
// the trusted domain is identified by TrustedDomainName instead of its SID.
// The same handling applies: release the Query buffer with LsaFreeMemory
// (presumably), zero it first when the class carries credentials, and
// audit use of the Set routine.  When the name comes from external input,
// validate it before the call.
//
NTSTATUS
NTAPI
LsaQueryTrustedDomainInfoByName(
IN LSA_HANDLE PolicyHandle,                   // from LsaOpenPolicy
IN PLSA_UNICODE_STRING TrustedDomainName,     // trusted domain to read
IN TRUSTED_INFORMATION_CLASS InformationClass, // selects the layout of *Buffer
OUT PVOID *Buffer                             // receives an LSA-allocated buffer
);
NTSTATUS
NTAPI
LsaSetTrustedDomainInfoByName(
IN LSA_HANDLE PolicyHandle,                   // from LsaOpenPolicy
IN PLSA_UNICODE_STRING TrustedDomainName,     // trusted domain to modify
IN TRUSTED_INFORMATION_CLASS InformationClass, // selects the layout of Buffer
IN PVOID Buffer                               // caller-supplied class-specific data
);
//
// Like LsaEnumerateTrustedDomains, but InformationClass selects the layout
// of the entries returned in *Buffer (e.g. TRUSTED_DOMAIN_INFORMATION_EX or
// TRUSTED_DOMAIN_FULL_INFORMATION above; which classes are accepted is not
// stated here - confirm).  If a class that includes authentication data is
// requested, the returned buffer holds trust credentials and must be zeroed
// before it is released with LsaFreeMemory (presumably).
//
NTSTATUS
NTAPI
LsaEnumerateTrustedDomainsEx(
IN LSA_HANDLE PolicyHandle,                        // from LsaOpenPolicy
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext, // cursor carried across calls
IN TRUSTED_INFORMATION_CLASS InformationClass,     // layout of each returned entry
OUT PVOID *Buffer,                                 // LSA-allocated array of CountReturned entries
IN ULONG PreferedMaximumLength,                    // (sic) batch size hint
OUT PULONG CountReturned                           // entries in *Buffer
);
//
// Create a trusted-domain object from TrustedDomainInformation and
// AuthenticationInformation, and open it with DesiredAccess; the returned
// handle is released with LsaClose.
//
// AuthenticationInformation carries the trust credentials (see
// TRUSTED_DOMAIN_AUTH_INFORMATION); zero the caller's copy once the call
// returns.  Establishing a trust is one of the highest-impact changes in
// this API family - the TrustDirection / TrustType / TrustAttributes in
// TrustedDomainInformation decide how authentication crosses the trust -
// so callers should be tightly restricted and every use audited.
//
NTSTATUS
NTAPI
LsaCreateTrustedDomainEx(
IN LSA_HANDLE PolicyHandle,                                   // from LsaOpenPolicy
IN PTRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation,   // names, SID, direction/type/attributes
IN PTRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation, // trust credentials (secret)
IN ACCESS_MASK DesiredAccess,                                 // access for the returned handle
OUT PLSA_HANDLE TrustedDomainHandle                           // receives the new object's handle
);
//
// These two APIs store and retrieve LSA private data ("secrets") by key
// name.  The workstation password - the SSI_SECRET_NAME secret - is one
// such secret, so for that key they are equivalent to setting/getting it.
// Any caller that can use them can read or replace whatever secret the LSA
// keeps under a key name it knows (subject to whatever access check the
// LSA applies, which this header does not document).
//
//
// LsaStorePrivateData writes PrivateData under KeyName; LsaRetrievePrivateData
// reads it back into an LSA-allocated LSA_UNICODE_STRING (release with
// LsaFreeMemory, presumably).  The data is a secret in the clear on the
// caller's side of the call: never log it, zero both the caller's copy and
// the retrieved buffer after use, and treat the ability to call
// LsaRetrievePrivateData as equivalent to possession of the stored secrets
// when reviewing who holds the policy access it needs.
//
// NOTE(review): what LsaStorePrivateData does when PrivateData is NULL
// (delete the key?) is not stated here - confirm before relying on it.
//
NTSTATUS
NTAPI
LsaStorePrivateData(
IN LSA_HANDLE PolicyHandle,          // from LsaOpenPolicy
IN PLSA_UNICODE_STRING KeyName,      // name of the secret
IN PLSA_UNICODE_STRING PrivateData   // secret to store
);
NTSTATUS
NTAPI
LsaRetrievePrivateData(
IN LSA_HANDLE PolicyHandle,          // from LsaOpenPolicy
IN PLSA_UNICODE_STRING KeyName,      // name of the secret
OUT PLSA_UNICODE_STRING * PrivateData // receives LSA-allocated secret
);
//
// Map an NTSTATUS returned by the Lsa* routines to the equivalent Win32
// error code (the ULONG return).  Use this rather than comparing NTSTATUS
// values against Win32 error constants directly.
//
ULONG
NTAPI
LsaNtStatusToWinError(
NTSTATUS Status   // status to translate
);
//
// Define a symbol so we can tell if ntifs.h has been included.
//
// begin_ntifs
#ifndef _NTLSA_IFS_
#define _NTLSA_IFS_
#endif
// end_ntifs
#ifndef _NTDEF_
// When ntdef.h has not supplied UNICODE_STRING, alias it to the
// LSA_UNICODE_STRING defined earlier in this header so the SAM routine
// signatures below compile either way.  Both names must denote the same
// layout - presumably ntdef.h's UNICODE_STRING does; confirm.
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
#endif
//
// Signature of the "PasswordChangeNotify" entry point a password
// notification package exports (SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE below is
// that export name).  It is handed the account's UserName, its RelativeId
// and NewPassword - a UNICODE_STRING, i.e. presumably the password itself
// rather than a hash.
//
// NOTE(review): any module exporting this routine therefore sees the new
// password of every account it is notified about.  Registering such a
// module is a high-value credential-capture vector (and a known
// persistence technique); inventory and audit the loaded notification
// packages.  A legitimate implementation must never log or persist
// NewPassword and should zero any copy it makes.  The meaning of a
// non-success NTSTATUS return is not stated here - confirm.
//
typedef NTSTATUS (*PSAM_PASSWORD_NOTIFICATION_ROUTINE) (
PUNICODE_STRING UserName,      // account whose password changed
ULONG RelativeId,              // the account's RID
PUNICODE_STRING NewPassword    // the new password (secret)
);
#define SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE "PasswordChangeNotify"
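//
// Signature of the "InitializeChangeNotify" entry point of a password
// notification package (SAM_INIT_NOTIFICATION_ROUTINE below is that export
// name).  Takes no arguments; presumably returns TRUE when the package has
// initialised and may be called, FALSE otherwise - inferred from the
// BOOLEAN type and the name; confirm against the package documentation.
//
// The parameter list is written "(void)" rather than the original empty
// "()": in C an empty list declares an unprototyped function type
// (obsolescent, and it disables argument checking at the call site), while
// "(void)" is a compatible type that existing implementations and callers
// already satisfy.
//
typedef BOOLEAN (*PSAM_INIT_NOTIFICATION_ROUTINE) (
void
);
#define SAM_INIT_NOTIFICATION_ROUTINE "InitializeChangeNotify"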
#define SAM_PASSWORD_FILTER_ROUTINE "PasswordFilter"
//
// Signature of the "PasswordFilter" entry point of a password filter
// package.  It receives the account's AccountName and FullName, the
// proposed Password (a UNICODE_STRING, i.e. presumably the cleartext
// candidate) and SetOperation, which presumably distinguishes an
// administrative password set from a user-initiated change - confirm.
// Returning TRUE presumably accepts the password and FALSE rejects it -
// confirm.
//
// NOTE(review): as with the notification routine, a filter module sees
// every candidate password in the clear, so the same inventory/audit and
// no-logging/zeroing rules apply.  The package is presumably loaded into
// the LSA process (this header does not say), in which case a crash or
// hang in the filter has machine-wide consequences - confirm.
//
typedef BOOLEAN (*PSAM_PASSWORD_FILTER_ROUTINE) (
IN PUNICODE_STRING AccountName,   // account being changed
IN PUNICODE_STRING FullName,      // account's full name
IN PUNICODE_STRING Password,      // candidate password (secret)
IN BOOLEAN SetOperation           // set vs. change (presumably)
);
#ifdef __cplusplus
}
#endif
#endif /* _NTSECAPI_ */