/*++ Copyright (c) 1991 Microsoft Corporation Module Name: lsarpc.idl Abstract: Local Security Authority RPC Interface Definition File This file contains the RPC Interface Definition Language file for the LSA. This file includes all of the prototypes for the LSA functions that are callable via RPC. These functions are internal versions of API and are NOT visible to clients of the LSA. An LSA client calls the LSA API defined in file ntlsa.h. These API are wrappers which call client RPC stubs generated from this idl file by the RPC compiler. Author: Scott Birrell (ScottBi) April 23, 1991 Environment: User Mode Revision History: --*/ [ uuid(12345778-1234-ABCD-EF00-0123456789AB), version(0.0), #ifdef __midl ms_union, #endif // __midl pointer_default(unique) ] interface lsarpc { // // Import a dummy interface containing #includes for public .h files. This // trick is necessary so that midl will only generate marshalling routines // for subtypes that are relevant to the parameters specified on the RPC // interface. midl also ignores function prototypes contained therein. // import "lsaimp.idl" ; cpp_quote("#define LSA_LOOKUP_REVISION_1 0x1") cpp_quote("#define LSA_LOOKUP_REVISION_2 0x2") cpp_quote("#define LSA_LOOKUP_REVISION_LATEST LSA_LOOKUP_REVISION_2") // // Lsa Client version identifiers -- don't use see above // cpp_quote("#define LSA_CLIENT_PRE_NT5 0x1") cpp_quote("#define LSA_CLIENT_NT5 0x2") cpp_quote("#define LSA_CLIENT_LATEST 0x2") // // BUGBUG ScottBi - The parens have to be omitted from the operand // because midl grammar does not support them. // #define LSAPR_DB_AUDIT_EVENT_COUNT SeMaxAuditType + 1 // // LSA Generic Handle used to bind from client to server. // This handle is used for both LOCAL and REMOTE services. // typedef [handle] LPWSTR PLSAPR_SERVER_NAME, *PPLSAPR_SERVER_NAME; // // LSA RPC Context Handle (Internal definition of LSAPR_HANDLE) // typedef [context_handle] PVOID LSAPR_HANDLE; typedef LSAPR_HANDLE *PLSAPR_HANDLE; // // RPC definition of the SID structure. Note the use of the [size_is()] // qualifier to specify the number of elements in the variable size // imbedded SubAuthorityCount array at runtime. // // #pragma warning(disable:4200) typedef struct _LSAPR_SID { UCHAR Revision; UCHAR SubAuthorityCount; SID_IDENTIFIER_AUTHORITY IdentifierAuthority; [size_is(SubAuthorityCount)] ULONG SubAuthority[*]; } LSAPR_SID, *PLSAPR_SID, **PPLSAPR_SID; #pragma warning(default:4200) // // The following structure is used to identify an Account Object. // typedef struct _LSAPR_SID_INFORMATION { PLSAPR_SID Sid; } LSAPR_SID_INFORMATION, *PLSAPR_SID_INFORMATION; // // These definitions are repeated. // First one is for preprocessing of this file replacing // every occurence of LSA_MAXIMUM_LOOKUP_SIDS_COUNT in this file // with 0x5000 // Second one is for this definition to appear in the header file // #define LSA_MAXIMUM_LOOKUP_SIDS_COUNT 0x5000 cpp_quote("#define LSA_MAXIMUM_LOOKUP_SIDS_COUNT 0x5000") // // The following structure is used to hold an array of Sids. // typedef struct _LSAPR_SID_ENUM_BUFFER { [range(0, LSA_MAXIMUM_LOOKUP_SIDS_COUNT)] ULONG Entries; [size_is(Entries)] PLSAPR_SID_INFORMATION SidInfo; } LSAPR_SID_ENUM_BUFFER, *PLSAPR_SID_ENUM_BUFFER; // // The following structure is used to identify an Account Object. // typedef struct _LSAPR_ACCOUNT_INFORMATION { PLSAPR_SID Sid; } LSAPR_ACCOUNT_INFORMATION, *PLSAPR_ACCOUNT_INFORMATION; // // // Account Object Enumeration Buffer // typedef struct _LSAPR_ACCOUNT_ENUM_BUFFER { ULONG EntriesRead; [size_is(EntriesRead)] PLSAPR_ACCOUNT_INFORMATION Information; } LSAPR_ACCOUNT_ENUM_BUFFER, *PLSAPR_ACCOUNT_ENUM_BUFFER; // // BUGBUG ScottBi - Someday these should be an imported interface. // // Unicode strings are counted 16-bit character strings. // The Length field and MaximumLength fields specify number of bytes, // (not wide-characters) in the string. So, this definition differs // a bit from the real unicode string type. // typedef struct _LSAPR_UNICODE_STRING { USHORT Length; USHORT MaximumLength; // BUGBUG - ScottBi - MIDL will raise an exception if Length is 0. // Wrappers passing UNICODE STRINGS must pass NULL if string is length // zero [size_is(MaximumLength/2), length_is(Length/2)] PWSTR Buffer; } LSAPR_UNICODE_STRING, *PLSAPR_UNICODE_STRING; // // ANSI counted string // typedef struct _LSAPR_STRING { USHORT Length; USHORT MaximumLength; // [size_is(MaximumLength), length_is(Length)] PCHAR Buffer; [size_is(MaximumLength)] PCHAR Buffer; } LSAPR_STRING, *PLSAPR_STRING, LSAPR_ANSI_STRING, *PLSAPR_ANSI_STRING; // // RPC definition of an ACL. This must be manually maintained to be the same // as the real ACL definition in ntseapi.h // #pragma warning(disable:4200) typedef struct _LSAPR_ACL { UCHAR AclRevision; UCHAR Sbz1; USHORT AclSize; [size_is(AclSize - 4)] UCHAR Dummy1[*]; } LSAPR_ACL, *PLSAPR_ACL; #pragma warning(default:4200) // // RPC'able security descriptor definition. // typedef struct _LSAPR_SECURITY_DESCRIPTOR { UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; PLSAPR_SID Owner; PLSAPR_SID Group; PLSAPR_ACL Sacl; PLSAPR_ACL Dacl; } LSAPR_SECURITY_DESCRIPTOR, *PLSAPR_SECURITY_DESCRIPTOR; // // RPC'able Self-Relative Security Descriptor Definition. // // // To prevent huge data to be passed in, we should put a limit on LSAPR_SR_SECURITY_DESCRIPTOR. // SecurityDescriptor is composed of // 1 Security Descriptor Relative // 2 SIDs // 2 ACLs // Therefore, currently; // Length <= sizeof(SECURITY_DESCRIPTOR_RELATIVE) + 2 * SECURITY_MAX_SID_SIZE + 2 * 2^ (sizeof(USHORT) * 8) // <= 20 + 2 * 68 + 2 * 64K // <= 131228 = approx 128K // To ensure future changes will work, 256K is an appropriate limit // #define MAX_SR_SECURITY_DESCRIPTOR_LENGTH ( 256 * 1024 ) typedef struct _LSAPR_SR_SECURITY_DESCRIPTOR { [range(0, MAX_SR_SECURITY_DESCRIPTOR_LENGTH)] ULONG Length; [size_is(Length)] PUCHAR SecurityDescriptor; } LSAPR_SR_SECURITY_DESCRIPTOR, *PLSAPR_SR_SECURITY_DESCRIPTOR; typedef struct _LSAPR_LUID_AND_ATTRIBUTES { OLD_LARGE_INTEGER Luid; ULONG Attributes; } LSAPR_LUID_AND_ATTRIBUTES, * PLSAPR_LUID_AND_ATTRIBUTES; // // Privilege Set - This is defined for a privilege set of one. // If more than one privilege is needed, then this structure // will need to be allocated with more space. // // Note: don't change this structure without fixing the INITIAL_PRIVILEGE_SET // structure (defined in se.h) // // // To prevent huge data to be passed in, we should put a limit on LSAPR_PRIVILEGE_SET. // There are currently 27 possible privileges. Having the possibility // of adding other privileges in the future, 1000 is large enough // that can't be reached in the near future, and small enough not to // cause memory problems. // #define MAX_PRIVILEGE_COUNT 1000 #pragma warning(disable:4200) typedef struct _LSAPR_PRIVILEGE_SET { [range(0, MAX_PRIVILEGE_COUNT)] ULONG PrivilegeCount; ULONG Control; [size_is(PrivilegeCount)] LSAPR_LUID_AND_ATTRIBUTES Privilege[*]; } LSAPR_PRIVILEGE_SET, *PLSAPR_PRIVILEGE_SET, **PPLSAPR_PRIVILEGE_SET; #pragma warning(default:4200) // // The following data type is used to return information about privileges // defined on a system. // typedef struct _LSAPR_POLICY_PRIVILEGE_DEF { LSAPR_UNICODE_STRING Name; LUID LocalValue; } LSAPR_POLICY_PRIVILEGE_DEF, *PLSAPR_POLICY_PRIVILEGE_DEF; // where the members have the following usage: // // Name - Is the architected name of the privilege. This is the // primary key of the privilege and the only value that is // transportable between systems. // // Luid - is a LUID value assigned locally for efficient representation // of the privilege. Ths value is meaningful only on the system it // was assigned on and is not transportable in any way. // // // The following structure is used to hold an array of returned Privileges. // typedef struct _LSAPR_PRIVILEGE_ENUM_BUFFER { ULONG Entries; [size_is(Entries)] PLSAPR_POLICY_PRIVILEGE_DEF Privileges; } LSAPR_PRIVILEGE_ENUM_BUFFER, *PLSAPR_PRIVILEGE_ENUM_BUFFER; // // RPC'able Object Attributes structure for LSA use. Note that the // OBJECT_ATTRIBUTES structure is LSA-specific in that the RootDirectory // field is a handle of the specific type LSAPR_HANDLE. // // WARNING! This MUST be kept in sync with the corresponding structure in // ntdef.h! Structure should be moved to an imported interface when // possible. // typedef struct _LSAPR_OBJECT_ATTRIBUTES { ULONG Length; PUCHAR RootDirectory; // This field is not used PSTRING ObjectName; ULONG Attributes; PLSAPR_SECURITY_DESCRIPTOR SecurityDescriptor; PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; } LSAPR_OBJECT_ATTRIBUTES, *PLSAPR_OBJECT_ATTRIBUTES; // // Clear value structure // typedef struct _LSAPR_CR_CLEAR_VALUE { ULONG Length; ULONG MaximumLength; [size_is(MaximumLength), length_is(Length)] PUCHAR Buffer; } LSAPR_CR_CLEAR_VALUE, *PLSAPR_CR_CLEAR_VALUE; // // Two-way encrypted value structure in Self-relative form. This // is just like a String. // // // To prevent huge data to be passed in, we should put a limit on LSAPR_CR_CIPHER_VALUE. // This structure contains a UNICODE_STRING in it, which is bounded by 64K since its // maximum length variable is a USHORT. During encyrption, an header of size 8 bytes // (CYPHER_BLOCK_LENGTH) is added. Relaxing this tight upperbound by a factor of 2 for // possible future needs. // #define MAX_CIPHER_SIZE ( 2 * ( ( 64 * 1024 ) + 8 ) ) typedef struct _LSAPR_CR_CIPHER_VALUE { [range(0, MAX_CIPHER_SIZE)] ULONG Length; [range(0, MAX_CIPHER_SIZE)] ULONG MaximumLength; [size_is(MaximumLength), length_is(Length)] PUCHAR Buffer; } LSAPR_CR_CIPHER_VALUE, *PLSAPR_CR_CIPHER_VALUE; // // LSA API Internal Function prototypes for RPC interface. Each function // takes similar (but not always identical) parameters to its corresponding // exported API. Client and server stubs are generated for the functions // specified here. The client stubs are called by the wrapper functions // in file rpcapi.c in the lsa\client directory. // // // The following data type is used to identify a domain // typedef struct _LSAPR_TRUST_INFORMATION { LSAPR_UNICODE_STRING Name; PLSAPR_SID Sid; } LSAPR_TRUST_INFORMATION, *PLSAPR_TRUST_INFORMATION; // where members have the following usage: // // Name - The name of the domain. // // Sid - A pointer to the Sid of the Domain // // // The following data type is used to fully identify a domain // Only used internally // typedef struct _LSAPR_TRUST_INFORMATION_EX { LSAPR_UNICODE_STRING DomainName; LSAPR_UNICODE_STRING FlatName; PLSAPR_SID Sid; BOOLEAN DomainNamesDiffer; ULONG TrustAttributes; } LSAPR_TRUST_INFORMATION_EX, *PLSAPR_TRUST_INFORMATION_EX; // where members have the following usage: // // DomainName - The name of the domain. Most likely the Dns domain name, // if DNS is active // // FlatName - Flat (NetBIOS) domain name // // Sid - A pointer to the Sid of the Domain // // // // Trusted Domain Object Enumeration Buffer // typedef struct _LSAPR_TRUSTED_ENUM_BUFFER { ULONG EntriesRead; [size_is(EntriesRead)] PLSAPR_TRUST_INFORMATION Information; } LSAPR_TRUSTED_ENUM_BUFFER, *PLSAPR_TRUSTED_ENUM_BUFFER; // // The following data type is used in name and SID lookup services to // describe the domains referenced in the lookup operation. // typedef struct _LSAPR_REFERENCED_DOMAIN_LIST { ULONG Entries; [size_is(Entries)] PLSAPR_TRUST_INFORMATION Domains; ULONG MaxEntries; } LSAPR_REFERENCED_DOMAIN_LIST, *PLSAPR_REFERENCED_DOMAIN_LIST; // where members have the following usage: // // Entries - Is a count of the number of domains described in the // Domains array. // // Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data // structures. // // // This returned flag indicates that the SID was resolved by SID history // cpp_quote("#define LSA_LOOKUP_SID_FOUND_BY_HISTORY 0x00000001") // // This returned flag indicates that the SID was not resolved but belongs // to an external trusted forest // cpp_quote("#define LSA_LOOKUP_SID_XFOREST_REF 0x00000002") typedef struct _LSAPR_TRANSLATED_SID_EX { SID_NAME_USE Use; ULONG RelativeId; LONG DomainIndex; ULONG Flags; } LSAPR_TRANSLATED_SID_EX, *PLSAPR_TRANSLATED_SID_EX; typedef struct _LSAPR_TRANSLATED_SID_EX2 { SID_NAME_USE Use; PLSAPR_SID Sid; // ULONG RelativeId; LONG DomainIndex; ULONG Flags; } LSAPR_TRANSLATED_SID_EX2, *PLSAPR_TRANSLATED_SID_EX2; // // These definitions are repeated. // First one is for preprocessing of this file replacing // every occurence of LSA_MAXIMUM_LOOKUP_NAMES_COUNT in this file // with 1000 // Second one is for this definition to appear in the header file // #define LSA_MAXIMUM_LOOKUP_NAMES_COUNT 1000 cpp_quote("#define LSA_MAXIMUM_LOOKUP_NAMES_COUNT 1000") // // The following data type is used in Sid to name lookup services to // reference the list of domains referenced in the lookup operation // // BUGBUG - ScottBi - When midl supports the size_is operand in its // full form with more than one operand, this intermediate structure // can be eliminated. // typedef struct _LSAPR_TRANSLATED_SIDS { [range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Entries; [size_is(Entries)] PLSA_TRANSLATED_SID Sids; } LSAPR_TRANSLATED_SIDS, *PLSAPR_TRANSLATED_SIDS; typedef struct _LSAPR_TRANSLATED_SIDS_EX { [range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Entries; [size_is(Entries)] PLSAPR_TRANSLATED_SID_EX Sids; } LSAPR_TRANSLATED_SIDS_EX, *PLSAPR_TRANSLATED_SIDS_EX; typedef struct _LSAPR_TRANSLATED_SIDS_EX2 { [range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Entries; [size_is(Entries)] PLSAPR_TRANSLATED_SID_EX2 Sids; } LSAPR_TRANSLATED_SIDS_EX2, *PLSAPR_TRANSLATED_SIDS_EX2; // // The following data type is used in SID to name lookup services to // describe the domains referenced in the lookup operation. // typedef struct _LSAPR_TRANSLATED_NAME { SID_NAME_USE Use; LSAPR_UNICODE_STRING Name; LONG DomainIndex; } LSAPR_TRANSLATED_NAME, *PLSAPR_TRANSLATED_NAME; // // This returned flag indicates that the name passed is not a SAM account name // (that is, it is someother format). // cpp_quote("#define LSA_LOOKUP_NAME_NOT_SAM_ACCOUNT_NAME 0x00000001") // // This returned flag indicates that the name passed in was not resolved // but does belong to a trusted forest. // cpp_quote("#define LSA_LOOKUP_NAME_XFOREST_REF 0x00000002") typedef struct _LSAPR_TRANSLATED_NAME_EX { SID_NAME_USE Use; LSAPR_UNICODE_STRING Name; LONG DomainIndex; ULONG Flags; } LSAPR_TRANSLATED_NAME_EX, *PLSAPR_TRANSLATED_NAME_EX; // where the members have the following usage: // // Use - Identifies the use of the name. If this value is SidUnknown // or SidInvalid, then the remainder of the record is not set and // should be ignored. If this value is SidWellKnownGroup then the // Name field is invalid, but the DomainIndex field is not. // // Name - Contains the isolated name of the translated SID. // // DomainIndex - Is the index of an entry in a related // LSA_REFERENCED_DOMAIN_LIST data structure describing the domain // in which the account was found. // // If there is no corresponding reference domain for an entry, then // this field will contain a negative value. // // // The following data type is used in Sid to name lookup services to // reference the list of domains referenced in the lookup operation // // BUGBUG - ScottBi - When midl supports the size_is operand in its // full form with more than one operand, this intermediate structure // can be eliminated. // typedef struct _LSAPR_TRANSLATED_NAMES { [range(0, LSA_MAXIMUM_LOOKUP_SIDS_COUNT)] ULONG Entries; [size_is(Entries)] PLSAPR_TRANSLATED_NAME Names; } LSAPR_TRANSLATED_NAMES, *PLSAPR_TRANSLATED_NAMES; typedef struct _LSAPR_TRANSLATED_NAMES_EX { [range(0, LSA_MAXIMUM_LOOKUP_SIDS_COUNT)] ULONG Entries; [size_is(Entries)] PLSAPR_TRANSLATED_NAME_EX Names; } LSAPR_TRANSLATED_NAMES_EX, *PLSAPR_TRANSLATED_NAMES_EX; // // The following structure corresponds to the PolicyAccountDomainInformation // information class. // typedef struct _LSAPR_POLICY_ACCOUNT_DOM_INFO { LSAPR_UNICODE_STRING DomainName; PLSAPR_SID DomainSid; } LSAPR_POLICY_ACCOUNT_DOM_INFO, *PLSAPR_POLICY_ACCOUNT_DOM_INFO; // where the members have the following usage: // // DomainName - Is the name of the domain // // DomainSid - Is the Sid of the domain // // // The following structure corresponds to the PolicyPrimaryDomainInformation // information class. // typedef struct _LSAPR_POLICY_PRIMARY_DOM_INFO { LSAPR_UNICODE_STRING Name; PLSAPR_SID Sid; } LSAPR_POLICY_PRIMARY_DOM_INFO, *PLSAPR_POLICY_PRIMARY_DOM_INFO; // where the members have the following usage: // // Name - Is the name of the domain // // Sid - Is the Sid of the domain // // // The following structure corresponds to the PolicyDnsDomainInformation // information class // typedef struct _LSAPR_POLICY_DNS_DOMAIN_INFO { LSAPR_UNICODE_STRING Name; LSAPR_UNICODE_STRING DnsDomainName; LSAPR_UNICODE_STRING DnsForestName; GUID DomainGuid; PLSAPR_SID Sid; } LSAPR_POLICY_DNS_DOMAIN_INFO, *PLSAPR_POLICY_DNS_DOMAIN_INFO; // where the members have the following usage: // // Name - Is the name of the Domain // // DnsDomainName - Is the DNS name of the domain // // DnsForestName - Is the DNS forest name of the domain // // DomainGuid - Is the GUID of the domain // // Sid - Is the Sid of the domain // // The following structure corresponds to the PolicyPdAccountInformation // information class. This structure may be used in Query operations // only. // typedef struct _LSAPR_POLICY_PD_ACCOUNT_INFO { LSAPR_UNICODE_STRING Name; } LSAPR_POLICY_PD_ACCOUNT_INFO, *PLSAPR_POLICY_PD_ACCOUNT_INFO; // where the members have the following usage: // // Name - Is the name of an account in the domain that should be used // for authentication and name/ID lookup requests. // // // The following structure corresponds to the PolicyReplicaSourceInformation // information class. // typedef struct _LSAPR_POLICY_REPLICA_SRCE_INFO { LSAPR_UNICODE_STRING ReplicaSource; LSAPR_UNICODE_STRING ReplicaAccountName; } LSAPR_POLICY_REPLICA_SRCE_INFO, *PLSAPR_POLICY_REPLICA_SRCE_INFO; // // To prevent huge data to be passed in, we should put a limit on LSAPR_POLICY_AUDIT_EVENTS_INFO. // 1000 AuditEvents is large enough that can't be reached in the near future, and small enough not // to cause memory problems. // #define MAX_AUDIT_EVENT_SIZE 1000 typedef struct _LSAPR_POLICY_AUDIT_EVENTS_INFO { BOOLEAN AuditingMode; [size_is(MaximumAuditEventCount)] PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions; [range(0, MAX_AUDIT_EVENT_SIZE)] ULONG MaximumAuditEventCount; } LSAPR_POLICY_AUDIT_EVENTS_INFO, *PLSAPR_POLICY_AUDIT_EVENTS_INFO; // // The following data type is used to hold Policy Information // of a given class. // typedef [switch_type(POLICY_INFORMATION_CLASS)] union _LSAPR_POLICY_INFORMATION { [case(PolicyAuditLogInformation)] POLICY_AUDIT_LOG_INFO PolicyAuditLogInfo; [case(PolicyAuditEventsInformation)] LSAPR_POLICY_AUDIT_EVENTS_INFO PolicyAuditEventsInfo; [case(PolicyPrimaryDomainInformation)] LSAPR_POLICY_PRIMARY_DOM_INFO PolicyPrimaryDomainInfo; [case(PolicyAccountDomainInformation)] LSAPR_POLICY_ACCOUNT_DOM_INFO PolicyAccountDomainInfo; [case(PolicyPdAccountInformation)] LSAPR_POLICY_PD_ACCOUNT_INFO PolicyPdAccountInfo; [case(PolicyLsaServerRoleInformation)] POLICY_LSA_SERVER_ROLE_INFO PolicyServerRoleInfo; [case(PolicyReplicaSourceInformation)] LSAPR_POLICY_REPLICA_SRCE_INFO PolicyReplicaSourceInfo; [case(PolicyDefaultQuotaInformation)] POLICY_DEFAULT_QUOTA_INFO PolicyDefaultQuotaInfo; [case(PolicyModificationInformation)] POLICY_MODIFICATION_INFO PolicyModificationInfo; [case(PolicyAuditFullSetInformation)] POLICY_AUDIT_FULL_SET_INFO PolicyAuditFullSetInfo; [case(PolicyAuditFullQueryInformation)] POLICY_AUDIT_FULL_QUERY_INFO PolicyAuditFullQueryInfo; [case(PolicyDnsDomainInformation)] LSAPR_POLICY_DNS_DOMAIN_INFO PolicyDnsDomainInfo; [case(PolicyDnsDomainInformationInt)] LSAPR_POLICY_DNS_DOMAIN_INFO PolicyDnsDomainInfoInt; } LSAPR_POLICY_INFORMATION; typedef LSAPR_POLICY_INFORMATION *PLSAPR_POLICY_INFORMATION; //*********************************************************************************************** // // NT5 level policy information. // // // The following structure corresponds to the PolicyDomainEfsInformation // information class // typedef struct _LSAPR_POLICY_DOMAIN_EFS_INFO { ULONG InfoLength; [size_is(InfoLength)] PUCHAR EfsBlob; } LSAPR_POLICY_DOMAIN_EFS_INFO, *PLSAPR_POLICY_DOMAIN_EFS_INFO; // where the members have the following usage: // // InfoLength - Length of the EFS Information blob // // EfsBlob - Efs blob data // typedef [switch_type(POLICY_DOMAIN_INFORMATION_CLASS)] union _LSAPR_POLICY_DOMAIN_INFORMATION { [case(PolicyDomainEfsInformation)] LSAPR_POLICY_DOMAIN_EFS_INFO PolicyDomainEfsInfo; [case(PolicyDomainKerberosTicketInformation)] POLICY_DOMAIN_KERBEROS_TICKET_INFO PolicyDomainKerbTicketInfo; } LSAPR_POLICY_DOMAIN_INFORMATION; typedef LSAPR_POLICY_DOMAIN_INFORMATION *PLSAPR_POLICY_DOMAIN_INFORMATION; // // The following data type corresponds to the TrustedDomainNameInformation // information class. // typedef struct _LSAPR_TRUSTED_DOMAIN_NAME_INFO { LSAPR_UNICODE_STRING Name; } LSAPR_TRUSTED_DOMAIN_NAME_INFO, *PLSAPR_TRUSTED_DOMAIN_NAME_INFO; // // The following data type corresponds to the TrustedControllersInformation // information class. // // // This structure is dead therefore we don't allow Entries to be greater // than 5. If you want to resurrect this structure, change the range // accordingly. typedef struct _LSAPR_TRUSTED_CONTROLLERS_INFO { [range(0, 5)] ULONG Entries; [size_is(Entries)] PLSAPR_UNICODE_STRING Names; } LSAPR_TRUSTED_CONTROLLERS_INFO, *PLSAPR_TRUSTED_CONTROLLERS_INFO; // where members have the following meaning: // // Entries - Indicate how mamy entries there are in the Names array. // // Names - Pointer to an array of UNICODE_STRING structures containing the // names of domain controllers of the domain. This information may not // be accurate and should be used only as a hint. The order of this // list is considered significant and will be maintained. // // By convention, the first name in this list is assumed to be the // Primary Domain Controller of the domain. If the Primary Domain // Controller is not known, the first name should be set to the NULL // string. // // // The following data type corresponds to the TrustedPasswordInformation // information class. // typedef struct _LSAPR_TRUSTED_PASSWORD_INFO { PLSAPR_CR_CIPHER_VALUE Password; PLSAPR_CR_CIPHER_VALUE OldPassword; } LSAPR_TRUSTED_PASSWORD_INFO, *PLSAPR_TRUSTED_PASSWORD_INFO; // where members have the following meaning: // // Password - Contains new password for the trusted domain // // OldPassword - Optionally contains the old password for the trusted // domain. // typedef struct _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX { LSAPR_UNICODE_STRING Name; LSAPR_UNICODE_STRING FlatName; PLSAPR_SID Sid; ULONG TrustDirection; ULONG TrustType; ULONG TrustAttributes; } LSAPR_TRUSTED_DOMAIN_INFORMATION_EX, *PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX; // // Type of authentication information // #define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry #define TRUST_AUTH_TYPE_SECRET 1 // This is the equivalent to secret data #define TRUST_AUTY_TYPE_CLEAR 2 // Cleartext password // // To prevent huge data to be passed in, we should put a limit on LSAPR_AUTH_INFORMATION. // 64K is large enough that can't be reached in the near future, and small enough not to // cause memory problems. #define MAX_AUTHINFO_SIZE ( 64 * 1024 ) typedef struct _LSAPR_AUTH_INFORMATION { LARGE_INTEGER LastUpdateTime; ULONG AuthType; [range(0, MAX_AUTHINFO_SIZE)] ULONG AuthInfoLength; [size_is(AuthInfoLength)] PUCHAR AuthInfo; } LSAPR_AUTH_INFORMATION, *PLSAPR_AUTH_INFORMATION; typedef struct _LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION { ULONG IncomingAuthInfos; PLSAPR_AUTH_INFORMATION IncomingAuthenticationInformation; PLSAPR_AUTH_INFORMATION IncomingPreviousAuthenticationInformation; ULONG OutgoingAuthInfos; PLSAPR_AUTH_INFORMATION OutgoingAuthenticationInformation; PLSAPR_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation; } LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION, *PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION; typedef struct _LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION { LSAPR_TRUSTED_DOMAIN_INFORMATION_EX Information; TRUSTED_POSIX_OFFSET_INFO PosixOffset; LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; } LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION, *PLSAPR_TRUSTED_DOMAIN_FULL_INFORMATION; typedef LSAPR_TRUST_INFORMATION LSAPR_TRUSTED_DOMAIN_INFORMATION_BASIC; typedef PLSAPR_TRUST_INFORMATION PLSAPR_TRUSTED_DOMAIN_INFORMATION_BASIC; // // This structure indicates the auth data as read from a Ds object as a blob. It is // INTERNAL ONLY. The resultant blob is still encrypted // // // To prevent huge data to be passed in, we should put a limit on LSAPR_TRUSTED_DOMAIN_AUTH_BLOB. // 64K is large enough that can't be reached in the near future, and small enough not to // cause memory problems. #define MAX_AUTHBLOB_SIZE ( 64 * 1024 ) typedef struct _LSAPR_TRUSTED_DOMAIN_AUTH_BLOB { [range(0, MAX_AUTHBLOB_SIZE)] ULONG AuthSize; [size_is( AuthSize )] PUCHAR AuthBlob; } LSAPR_TRUSTED_DOMAIN_AUTH_BLOB, *PLSAPR_TRUSTED_DOMAIN_AUTH_BLOB; // // This structure represent the LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION structure on // the wire. // typedef struct _LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL { LSAPR_TRUSTED_DOMAIN_AUTH_BLOB AuthBlob; } LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL, *PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL; // // This structure represent the LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION structure on // the wire. // typedef struct _LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL { LSAPR_TRUSTED_DOMAIN_INFORMATION_EX Information; TRUSTED_POSIX_OFFSET_INFO PosixOffset; LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL AuthInformation; } LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL, *PLSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL; typedef struct _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2 { LSAPR_UNICODE_STRING Name; LSAPR_UNICODE_STRING FlatName; PLSAPR_SID Sid; ULONG TrustDirection; ULONG TrustType; ULONG TrustAttributes; ULONG ForestTrustLength; [size_is(ForestTrustLength)] PUCHAR ForestTrustInfo; } LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2, *PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX2; typedef struct _LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2 { LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2 Information; TRUSTED_POSIX_OFFSET_INFO PosixOffset; LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation; } LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2, *PLSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2; // // The following data type is used to hold Trusted Domain Information // of a given class. // typedef [switch_type(TRUSTED_INFORMATION_CLASS)] union _LSAPR_TRUSTED_DOMAIN_INFO { [case(TrustedDomainNameInformation)] LSAPR_TRUSTED_DOMAIN_NAME_INFO TrustedDomainNameInfo; [case(TrustedControllersInformation)] LSAPR_TRUSTED_CONTROLLERS_INFO TrustedControllersInfo; [case(TrustedPosixOffsetInformation)] TRUSTED_POSIX_OFFSET_INFO TrustedPosixOffsetInfo; [case(TrustedPasswordInformation)] LSAPR_TRUSTED_PASSWORD_INFO TrustedPasswordInfo; [case(TrustedDomainInformationBasic)] LSAPR_TRUSTED_DOMAIN_INFORMATION_BASIC TrustedDomainInfoBasic; [case(TrustedDomainInformationEx)] LSAPR_TRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInfoEx; [case(TrustedDomainAuthInformation)] LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION TrustedAuthInfo; [case(TrustedDomainFullInformation)] LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION TrustedFullInfo; [case(TrustedDomainAuthInformationInternal)] LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL TrustedAuthInfoInternal; [case(TrustedDomainFullInformationInternal)] LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL TrustedFullInfoInternal; [case(TrustedDomainInformationEx2Internal)] LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2 TrustedDomainInfoEx2; [case(TrustedDomainFullInformation2Internal)] LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2 TrustedFullInfo2; } LSAPR_TRUSTED_DOMAIN_INFO; typedef LSAPR_TRUSTED_DOMAIN_INFO *PLSAPR_TRUSTED_DOMAIN_INFO; // // New types for NT3.51 - PPC release // typedef PLSAPR_UNICODE_STRING PLSAPR_UNICODE_STRING_ARRAY; // // Limit the number of rights a user can add or remove from an account to 256 // which is still several times the number of rights that an account can have // #define LSA_MAXIMUM_RIGHTS_COUNT 256 typedef struct _LSAPR_USER_RIGHT_SET { [range(0, LSA_MAXIMUM_RIGHTS_COUNT)] ULONG Entries; [size_is(Entries)] PLSAPR_UNICODE_STRING_ARRAY UserRights; } LSAPR_USER_RIGHT_SET, *PLSAPR_USER_RIGHT_SET; typedef struct _LSAPR_TRUSTED_ENUM_BUFFER_EX { ULONG EntriesRead; [size_is(EntriesRead)] PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX EnumerationBuffer; } LSAPR_TRUSTED_ENUM_BUFFER_EX, *PLSAPR_TRUSTED_ENUM_BUFFER_EX; //////////////////////////////////////////////////////////////////////////// // // // BEGIN INTERNAL TEST ROUTINES ONLY - These are used for testing the // // LsaI* APIs. DO NOT EXPORT. They can be moved around at will // // // //////////////////////////////////////////////////////////////////////////// // // These internal test routines and their data structures are dead. Therefore, we will limit their size // by 0. If you want to ressurect them, change the range attributes appropriately. // typedef struct _LSAPR_TEST_INTERNAL_PARAMETER_BLOB { [range(0, 0)] ULONG Size; [size_is( Size )]PUCHAR Argument; } LSAPR_TEST_INTERNAL_PARAMETER_BLOB, *PLSAPR_TEST_INTERNAL_PARAMETER_BLOB; typedef struct _LSAPR_TEST_INTERNAL_ARG_LIST { [range(0, 0)] ULONG Items; [size_is( Items )] PLSAPR_TEST_INTERNAL_PARAMETER_BLOB Arg; } LSAPR_TEST_INTERNAL_ARG_LIST, *PLSAPR_TEST_INTERNAL_ARG_LIST; // // Internally tested routines // typedef enum _LSAPR_TEST_INTERNAL_ROUTINES { LsaTest_IEnumerateSecrets, LsaTest_IQueryDomainOrgInfo, LsaTest_ISetTrustedDomainAuthBlobs, LsaTest_IUpgradeRegistryToDs, LsaTest_ISamSetDomainObjectProperties, LsaTest_ISamSetDomainBuiltinGroupMembership, LsaTest_ISamSetInterdomainTrustPassword, LsaTest_IRegisterPolicyChangeNotificationCallback, LsaTest_IUnregisterPolicyChangeNotificationCallback, LsaTest_IUnregisterAllPolicyChangeNotificationCallback, LsaTest_IStartTransaction, LsaTest_IApplyTransaction, LsaTest_ITrustDomFixup, LsaTest_ISetServerRoleForBoot, LsaTest_IQueryForestTrustInfo, LsaTest_IBreak, LsaTest_IQueryTrustedDomainAuthBlobs, LsaTest_IQueryNt4Owf } LSAPR_TEST_INTERNAL_ROUTINES; //////////////////////////////////////////////////////////////////////////// // // // END INTERNAL TEST ROUTINES ONLY // // // //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Miscellaneous API function prototypes // // // //////////////////////////////////////////////////////////////////////////// NTSTATUS LsarClose( [in,out] LSAPR_HANDLE *ObjectHandle ); // // This routine is being superseded by LsarDeleteObject. The reason is // that a pointer to a handle rather than a handle is essential so that // RPC on the server side can clean up. Because of the need for RPC // interface comaptibility, the new routine has been added at the end // of the interface, // NTSTATUS LsarDelete( [in] LSAPR_HANDLE ObjectHandle ); NTSTATUS LsarEnumeratePrivileges( [in] LSAPR_HANDLE PolicyHandle, [in, out] PLSA_ENUMERATION_HANDLE EnumerationContext, [out] PLSAPR_PRIVILEGE_ENUM_BUFFER EnumerationBuffer, [in] ULONG PreferedMaximumLength ); NTSTATUS LsarQuerySecurityObject( [in] LSAPR_HANDLE ObjectHandle, [in] SECURITY_INFORMATION SecurityInformation, [out] PLSAPR_SR_SECURITY_DESCRIPTOR *SecurityDescriptor ); NTSTATUS LsarSetSecurityObject( [in] LSAPR_HANDLE ObjectHandle, [in] SECURITY_INFORMATION SecurityInformation, [in] PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor ); NTSTATUS LsarChangePassword( [in] PLSAPR_UNICODE_STRING ServerName, [in] PLSAPR_UNICODE_STRING DomainName, [in] PLSAPR_UNICODE_STRING AccountName, [in] PLSAPR_UNICODE_STRING OldPassword, [in] PLSAPR_UNICODE_STRING NewPassword ); /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Policy Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// NTSTATUS LsarOpenPolicy( [in,unique] PLSAPR_SERVER_NAME SystemName, [in] PLSAPR_OBJECT_ATTRIBUTES ObjectAttributes, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *PolicyHandle ); NTSTATUS LsarQueryInformationPolicy( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_POLICY_INFORMATION *PolicyInformation ); NTSTATUS LsarSetInformationPolicy( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_INFORMATION_CLASS InformationClass, [in, switch_is(InformationClass)] PLSAPR_POLICY_INFORMATION PolicyInformation ); NTSTATUS LsarClearAuditLog( [in] LSAPR_HANDLE PolicyHandle ); NTSTATUS LsarCreateAccount( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID AccountSid, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *AccountHandle ); NTSTATUS LsarEnumerateAccounts( [in] LSAPR_HANDLE PolicyHandle, [in] [out] PLSA_ENUMERATION_HANDLE EnumerationContext, [out] PLSAPR_ACCOUNT_ENUM_BUFFER EnumerationBuffer, [in] ULONG PreferedMaximumLength ); NTSTATUS LsarCreateTrustedDomain( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_TRUST_INFORMATION TrustedDomainInformation, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *TrustedDomainHandle ); NTSTATUS LsarEnumerateTrustedDomains( [in] LSAPR_HANDLE PolicyHandle, [in] [out] PLSA_ENUMERATION_HANDLE EnumerationContext, [out] PLSAPR_TRUSTED_ENUM_BUFFER EnumerationBuffer, [in] ULONG PreferedMaximumLength ); NTSTATUS LsarLookupNames( [in] LSAPR_HANDLE PolicyHandle, [in, range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Count, [in, size_is(Count)] PLSAPR_UNICODE_STRING Names, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_SIDS TranslatedSids, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount ); NTSTATUS LsarLookupSids( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID_ENUM_BUFFER SidEnumBuffer, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_NAMES TranslatedNames, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount ); NTSTATUS LsarCreateSecret( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING SecretName, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *SecretHandle ); /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Account Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// NTSTATUS LsarOpenAccount( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID AccountSid, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *AccountHandle ); NTSTATUS LsarEnumeratePrivilegesAccount( [in] LSAPR_HANDLE AccountHandle, [out] PLSAPR_PRIVILEGE_SET *Privileges ); NTSTATUS LsarAddPrivilegesToAccount( [in] LSAPR_HANDLE AccountHandle, [in] PLSAPR_PRIVILEGE_SET Privileges ); NTSTATUS LsarRemovePrivilegesFromAccount( [in] LSAPR_HANDLE AccountHandle, [in] BOOLEAN AllPrivileges, [in, unique] PLSAPR_PRIVILEGE_SET Privileges ); NTSTATUS LsarGetQuotasForAccount( [in] LSAPR_HANDLE AccountHandle, [out] PQUOTA_LIMITS QuotaLimits ); NTSTATUS LsarSetQuotasForAccount( [in] LSAPR_HANDLE AccountHandle, [in] PQUOTA_LIMITS QuotaLimits ); NTSTATUS LsarGetSystemAccessAccount( [in] LSAPR_HANDLE AccountHandle, [out] PULONG SystemAccess ); NTSTATUS LsarSetSystemAccessAccount( [in] LSAPR_HANDLE AccountHandle, [in] ULONG SystemAccess ); /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Trusted Domain Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// NTSTATUS LsarOpenTrustedDomain( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID TrustedDomainSid, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *TrustedDomainHandle ); NTSTATUS LsarQueryInfoTrustedDomain( [in] LSAPR_HANDLE TrustedDomainHandle, [in] TRUSTED_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_TRUSTED_DOMAIN_INFO *TrustedDomainInformation ); NTSTATUS LsarSetInformationTrustedDomain( [in] LSAPR_HANDLE TrustedDomainHandle, [in] TRUSTED_INFORMATION_CLASS InformationClass, [in, switch_is(InformationClass)] PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation ); /////////////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Secret Object API function prototypes // // // /////////////////////////////////////////////////////////////////////////////// NTSTATUS LsarOpenSecret( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING SecretName, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *SecretHandle ); NTSTATUS LsarSetSecret( [in] LSAPR_HANDLE SecretHandle, [in, unique] PLSAPR_CR_CIPHER_VALUE EncryptedCurrentValue, [in, unique] PLSAPR_CR_CIPHER_VALUE EncryptedOldValue ); NTSTATUS LsarQuerySecret( [in] LSAPR_HANDLE SecretHandle, [in, out, unique] PLSAPR_CR_CIPHER_VALUE *EncryptedCurrentValue, [in, out, unique] PLARGE_INTEGER CurrentValueSetTime, [in, out, unique] PLSAPR_CR_CIPHER_VALUE *EncryptedOldValue, [in, out, unique] PLARGE_INTEGER OldValueSetTime ); ///////////////////////////////////////////////////////////////////////// // // // Local Security Policy - Privilege Object API Prototypes // // // ///////////////////////////////////////////////////////////////////////// NTSTATUS LsarLookupPrivilegeValue( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING Name, [out] PLUID Value ); NTSTATUS LsarLookupPrivilegeName( [in] LSAPR_HANDLE PolicyHandle, [in] PLUID Value, [out] PLSAPR_UNICODE_STRING *Name ); NTSTATUS LsarLookupPrivilegeDisplayName( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING Name, [in] SHORT ClientLanguage, [in] SHORT ClientSystemDefaultLanguage, [out] PLSAPR_UNICODE_STRING *DisplayName, [out] PWORD LanguageReturned ); // // Important note: // // This routine will supersede LsarDelete. The difference is that, as on // LsarClose a pointer to a handle is required rather than a handle so that // LsarDeleteObject() can inform the RPC server calling stub that the handle // has been deleted by returning NULL. // NTSTATUS LsarDeleteObject( [in,out] LSAPR_HANDLE *ObjectHandle ); // // These APIs are new for nt 3.51 (PPC release) and will be emulated when // talking to old servers. // NTSTATUS LsarEnumerateAccountsWithUserRight( [in] LSAPR_HANDLE PolicyHandle, [in,unique] PLSAPR_UNICODE_STRING UserRight, [out] PLSAPR_ACCOUNT_ENUM_BUFFER EnumerationBuffer ); NTSTATUS LsarEnumerateAccountRights( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID AccountSid, [out] PLSAPR_USER_RIGHT_SET UserRights ); NTSTATUS LsarAddAccountRights( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID AccountSid, [in] PLSAPR_USER_RIGHT_SET UserRights ); NTSTATUS LsarRemoveAccountRights( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID AccountSid, [in] BOOLEAN AllRights, [in] PLSAPR_USER_RIGHT_SET UserRights ); NTSTATUS LsarQueryTrustedDomainInfo( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID TrustedDomainSid, [in] TRUSTED_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_TRUSTED_DOMAIN_INFO * TrustedDomainInformation ); NTSTATUS LsarSetTrustedDomainInfo( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID TrustedDomainSid, [in] TRUSTED_INFORMATION_CLASS InformationClass, [in, switch_is(InformationClass)] PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation ); NTSTATUS LsarDeleteTrustedDomain( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID TrustedDomainSid ); NTSTATUS LsarStorePrivateData( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING KeyName, [in,unique] PLSAPR_CR_CIPHER_VALUE EncryptedData ); NTSTATUS LsarRetrievePrivateData( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING KeyName, [in, out] PLSAPR_CR_CIPHER_VALUE *EncryptedData ); NTSTATUS LsarOpenPolicy2( [in,unique,string] PLSAPR_SERVER_NAME SystemName, [in] PLSAPR_OBJECT_ATTRIBUTES ObjectAttributes, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *PolicyHandle ); NTSTATUS LsarGetUserName( [in,unique,string] PLSAPR_SERVER_NAME SystemName, [in,out] PLSAPR_UNICODE_STRING * UserName, [in,out,unique] PLSAPR_UNICODE_STRING * DomainName ); NTSTATUS LsarQueryInformationPolicy2( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_POLICY_INFORMATION *PolicyInformation ); NTSTATUS LsarSetInformationPolicy2( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_INFORMATION_CLASS InformationClass, [in, switch_is(InformationClass)] PLSAPR_POLICY_INFORMATION PolicyInformation ); NTSTATUS LsarQueryTrustedDomainInfoByName( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING TrustedDomainName, [in] TRUSTED_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_TRUSTED_DOMAIN_INFO *TrustedDomainInformation ); NTSTATUS LsarSetTrustedDomainInfoByName( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING TrustedDomainName, [in] TRUSTED_INFORMATION_CLASS InformationClass, [in, switch_is(InformationClass)] PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainInformation ); NTSTATUS LsarEnumerateTrustedDomainsEx( [in] LSAPR_HANDLE PolicyHandle, [in, out] PLSA_ENUMERATION_HANDLE EnumerationContext, [out] PLSAPR_TRUSTED_ENUM_BUFFER_EX EnumerationBuffer, [in] ULONG PreferedMaximumLength ); NTSTATUS LsarCreateTrustedDomainEx( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation, [in] PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *TrustedDomainHandle ); NTSTATUS LsarSetPolicyReplicationHandle( [in, out] PLSAPR_HANDLE PolicyHandle ); NTSTATUS LsarQueryDomainInformationPolicy( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_DOMAIN_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_POLICY_DOMAIN_INFORMATION *PolicyDomainInformation ); NTSTATUS LsarSetDomainInformationPolicy( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_DOMAIN_INFORMATION_CLASS InformationClass, [in, unique, switch_is(InformationClass)] PLSAPR_POLICY_DOMAIN_INFORMATION PolicyDomainInformation ); NTSTATUS LsarOpenTrustedDomainByName( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_UNICODE_STRING TrustedDomainName, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *TrustedDomainHandle ); //////////////////////////////////////////////////////////////////////////// // // // BEGIN INTERNAL TEST ROUTINES ONLY - These are used for testing the // // LsaI* APIs. DO NOT EXPORT. They can be moved around at will // // // //////////////////////////////////////////////////////////////////////////// NTSTATUS LsaITestCall( [in] LSAPR_HANDLE PolicyHandle, [in] LSAPR_TEST_INTERNAL_ROUTINES Call, [in] PLSAPR_TEST_INTERNAL_ARG_LIST InputArgs, [out] PLSAPR_TEST_INTERNAL_ARG_LIST *OuputArgs ); //////////////////////////////////////////////////////////////////////////// // // // END INTERNAL TEST ROUTINES ONLY // // // //////////////////////////////////////////////////////////////////////////// NTSTATUS LsarLookupSids2( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_SID_ENUM_BUFFER SidEnumBuffer, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_NAMES_EX TranslatedNames, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount, [in] ULONG LookupOptions, [in] ULONG ClientRevision ); NTSTATUS LsarLookupNames2( [in] LSAPR_HANDLE PolicyHandle, [in, range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Count, [in, size_is(Count)] PLSAPR_UNICODE_STRING Names, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_SIDS_EX TranslatedSids, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount, [in] ULONG LookupOptions, [in] ULONG ClientRevision ); NTSTATUS LsarCreateTrustedDomainEx2( [in] LSAPR_HANDLE PolicyHandle, [in] PLSAPR_TRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation, [in] PLSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL AuthenticationInformation, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *TrustedDomainHandle ); // // Credential Management API // NTSTATUS CredrWrite( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in] PENCRYPTED_CREDENTIALW Credential, [in] ULONG Flags ); NTSTATUS CredrRead( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in, string] wchar_t * TargetName, [in] ULONG Type, [in] ULONG Flags, [out] PENCRYPTED_CREDENTIALW *Credential ); typedef PENCRYPTED_CREDENTIALW *PPENCRYPTED_CREDENTIALW; typedef struct _CREDENTIAL_ARRAY { ULONG CredentialCount; [unique, size_is(CredentialCount)] PPENCRYPTED_CREDENTIALW Credentials; } CREDENTIAL_ARRAY, *PCREDENTIAL_ARRAY; NTSTATUS CredrEnumerate( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in, unique, string] wchar_t * Filter, [in] ULONG Flags, [out] PCREDENTIAL_ARRAY CredentialArray ); NTSTATUS CredrWriteDomainCredentials( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in] PCREDENTIAL_TARGET_INFORMATIONW TargetInfo, [in] PENCRYPTED_CREDENTIALW Credential, [in] ULONG Flags ); NTSTATUS CredrReadDomainCredentials( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in] PCREDENTIAL_TARGET_INFORMATIONW TargetInfo, [in] ULONG Flags, [out] PCREDENTIAL_ARRAY CredentialArray ); NTSTATUS CredrDelete( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in, string] wchar_t * TargetName, [in] ULONG Type, [in] ULONG Flags ); NTSTATUS CredrGetTargetInfo( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in, string] wchar_t * TargetName, [in] ULONG Flags, [out] PCREDENTIAL_TARGET_INFORMATIONW *TargetInfo ); NTSTATUS CredrProfileLoaded( [in,unique,string] PLSAPR_SERVER_NAME ServerName ); // // New lookup API to support returning SIDs // NTSTATUS LsarLookupNames3( [in] LSAPR_HANDLE PolicyHandle, [in, range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Count, [in, size_is(Count)] PLSAPR_UNICODE_STRING Names, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_SIDS_EX2 TranslatedSids, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount, [in] ULONG LookupOptions, [in] ULONG ClientRevision ); // // Warning: This value must be kept in synch with the same definition // in wincred.w // #define CRED_TYPE_MAXIMUM 5 #define CRED_TYPE_MAXIMUM_EX (CRED_TYPE_MAXIMUM+1000) // Allow new applications to run on old OSes NTSTATUS CredrGetSessionTypes( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in,range(0, CRED_TYPE_MAXIMUM_EX)] ULONG MaximumPersistCount, [out,size_is(MaximumPersistCount)] ULONG *MaximumPersist ); //////////////////////////////////////////////////////////////////////////// // // Generic Auditing Support // //////////////////////////////////////////////////////////////////////////// NTSTATUS LsarRegisterAuditEvent( [in] PAUTHZ_AUDIT_EVENT_TYPE_OLD pAuditEventType, [out] AUDIT_HANDLE* phAuditContext ); NTSTATUS LsarGenAuditEvent( [in] AUDIT_HANDLE hAuditContext, [in] DWORD Flags, [in] AUDIT_PARAMS* pAuditParams ); NTSTATUS LsarUnregisterAuditEvent( [in,out] AUDIT_HANDLE* phAuditContext ); //////////////////////////////////////////////////////////////////////////// // // End of Generic Auditing Support // //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// // // Forest trust support // //////////////////////////////////////////////////////////////////////////// NTSTATUS LsarQueryForestTrustInformation( [in] LSAPR_HANDLE PolicyHandle, [in] PLSA_UNICODE_STRING TrustedDomainName, [in] LSA_FOREST_TRUST_RECORD_TYPE HighestRecordType, [out] PLSA_FOREST_TRUST_INFORMATION * ForestTrustInfo ); NTSTATUS LsarSetForestTrustInformation( [in] LSAPR_HANDLE PolicyHandle, [in] PLSA_UNICODE_STRING TrustedDomainName, [in] LSA_FOREST_TRUST_RECORD_TYPE HighestRecordType, [in] PLSA_FOREST_TRUST_INFORMATION ForestTrustInfo, [in] BOOLEAN CheckOnly, [out] PLSA_FOREST_TRUST_COLLISION_INFORMATION * CollisionInfo ); //////////////////////////////////////////////////////////////////////////// // // End of forest trust support // //////////////////////////////////////////////////////////////////////////// NTSTATUS CredrRename( [in,unique,string] PLSAPR_SERVER_NAME ServerName, [in, string] wchar_t * OldTargetName, [in, string] wchar_t * NewTargetName, [in] ULONG Type, [in] ULONG Flags ); NTSTATUS LsarLookupSids3( [in] handle_t RpcHandle, [in] PLSAPR_SID_ENUM_BUFFER SidEnumBuffer, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_NAMES_EX TranslatedNames, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount, [in] ULONG LookupOptions, [in] ULONG ClientRevision ); NTSTATUS LsarLookupNames4( [in] handle_t RpcHandle, [in, range(0, LSA_MAXIMUM_LOOKUP_NAMES_COUNT)] ULONG Count, [in, size_is(Count)] PLSAPR_UNICODE_STRING Names, [out] PLSAPR_REFERENCED_DOMAIN_LIST *ReferencedDomains, [in, out] PLSAPR_TRANSLATED_SIDS_EX2 TranslatedSids, [in] LSAP_LOOKUP_LEVEL LookupLevel, [in, out] PULONG MappedCount, [in] ULONG LookupOptions, [in] ULONG ClientRevision ); //////////////////////////////////////////////////////////////////////////// // // LSA/SCE synchronization support // //////////////////////////////////////////////////////////////////////////// NTSTATUS LsarOpenPolicySce( [in,unique] PLSAPR_SERVER_NAME SystemName, [in] PLSAPR_OBJECT_ATTRIBUTES ObjectAttributes, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE *PolicyHandle ); // // Insert new RPC interfaces before this line, // so LsarForestTrustFindMatch can be re-enabled // in private builds at later times // // #define TESTING_MATCHING_ROUTINE #ifdef TESTING_MATCHING_ROUTINE NTSTATUS LsarForestTrustFindMatch( [in] LSAPR_HANDLE PolicyHandle, [in] ULONG Type, [in] PLSA_UNICODE_STRING Name, [out] PLSA_UNICODE_STRING *Match ); #endif // // Support for Extensible auditing. // typedef struct _LSA_SECURITY_EVENT { DWORD dwFlags; DWORD dwCategoryId; DWORD dwAuditId; PAUDIT_PARAMS pAuditParams; } LSA_SECURITY_EVENT, *PLSA_SECURITY_EVENT; typedef [context_handle] PVOID SECURITY_SOURCE_HANDLE, *PSECURITY_SOURCE_HANDLE; typedef [handle] LPCWSTR PSECURITY_SOURCE_NAME, *PPSECURITY_SOURCE_NAME; NTSTATUS LsarAdtRegisterSecurityEventSource( [in] DWORD dwFlags, [in,unique,string] PSECURITY_SOURCE_NAME szEventSourceName, [out] SECURITY_SOURCE_HANDLE* phSecuritySource ); NTSTATUS LsarAdtUnregisterSecurityEventSource( [in] DWORD dwFlags, [in,out] SECURITY_SOURCE_HANDLE* phSecuritySource ); NTSTATUS LsarAdtReportSecurityEvent( [in] DWORD dwFlags, [in] SECURITY_SOURCE_HANDLE hSource, [in] DWORD dwAuditId, [in] SID* pSid, [in] PAUDIT_PARAMS pParams ); }