Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

3141 lines
98 KiB

/*++ BUILD Version: 0011 // Increment this if a change has global effects
Copyright (c) 1989-1999 Microsoft Corporation
Module Name:
ntlsa.h
Abstract:
This module contains the public data structures and API definitions
needed to utilize Local Security Authority (LSA) services.
Author:
Jim Kelly (JimK) 21-February-1991
Revision History:
--*/
#ifndef _NTLSA_
#define _NTLSA_
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" {
#endif
//
// Generic negative values for unknown IDs, inapplicable indices etc.
//
#define LSA_UNKNOWN_ID ((ULONG) 0xFFFFFFFFL)
#define LSA_UNKNOWN_INDEX ((LONG) -1)
// begin_ntsecapi
#ifndef _NTLSA_IFS_
// begin_ntifs
//
// Security operation mode of the system is held in a control
// longword.
//
typedef ULONG LSA_OPERATIONAL_MODE, *PLSA_OPERATIONAL_MODE;
// end_ntifs
#endif // _NTLSA_IFS_
//
// The flags in the security operational mode are defined
// as:
//
// PasswordProtected - Some level of authentication (such as
// a password) must be provided by users before they are
// allowed to use the system. Once set, this value will
// not be cleared without re-booting the system.
//
// IndividualAccounts - Each user must identify an account to
// logon to. This flag is only meaningful if the
// PasswordProtected flag is also set. If this flag is
// not set and the PasswordProtected flag is set, then all
// users may logon to the same account. Once set, this value
// will not be cleared without re-booting the system.
//
// MandatoryAccess - Indicates the system is running in a mandatory
// access control mode (e.g., B-level as defined by the U.S.A's
// Department of Defense's "Orange Book"). This is not utilized
// in the current release of NT. This flag is only meaningful
// if both the PasswordProtected and IndividualAccounts flags are
// set. Once set, this value will not be cleared without
// re-booting the system.
//
// LogFull - Indicates the system has been brought up in a mode in
// which if must perform security auditing, but its audit log
// is full. This may (should) restrict the operations that
// can occur until the audit log is made not-full again. THIS
// VALUE MAY BE CLEARED WHILE THE SYSTEM IS RUNNING (I.E., WITHOUT
// REBOOTING).
//
// If the PasswordProtected flag is not set, then the system is running
// without security, and user interface should be adjusted appropriately.
//
#define LSA_MODE_PASSWORD_PROTECTED (0x00000001L)
#define LSA_MODE_INDIVIDUAL_ACCOUNTS (0x00000002L)
#define LSA_MODE_MANDATORY_ACCESS (0x00000004L)
#define LSA_MODE_LOG_FULL (0x00000008L)
// end_ntsecapi
/////////////////////////////////////////////////////////////////////////
// //
// Widely used LSA defines //
// //
/////////////////////////////////////////////////////////////////////////
//
// Defines for Count Limits on LSA API
//
#define LSA_MAXIMUM_SID_COUNT (0x00000100L)
#define LSA_MAXIMUM_ENUMERATION_LENGTH (32000)
//
// Flag OR'ed into AuthenticationPackage parameter of LsaLogonUser to
// request that the license server be called upon successful logon.
//
#define LSA_CALL_LICENSE_SERVER 0x80000000
/////////////////////////////////////////////////////////////////////////
// //
// Data types used by logon processes //
// //
/////////////////////////////////////////////////////////////////////////
// begin_ntsecapi
#ifndef _NTLSA_IFS_
// begin_ntifs
//
// Used by a logon process to indicate what type of logon is being
// requested.
//
typedef enum _SECURITY_LOGON_TYPE {
Interactive = 2, // Interactively logged on (locally or remotely)
Network, // Accessing system via network
Batch, // Started via a batch queue
Service, // Service started by service controller
Proxy, // Proxy logon
Unlock, // Unlock workstation
NetworkCleartext, // Network logon with cleartext credentials
NewCredentials, // Clone caller, new default credentials
RemoteInteractive, // Remote, yet interactive. Terminal server
CachedInteractive, // Try cached credentials without hitting the net.
CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose
CachedUnlock // Cached Unlock workstation
} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
// end_ntifs
#endif // _NTLSA_IFS_
// end_ntsecapi
//
// Security System Access Flags. These correspond to the enumerated
// type values in SECURITY_LOGON_TYPE.
//
// IF YOU ADD A NEW LOGON TYPE HERE, ALSO ADD IT TO THE POLICY_MODE_xxx
// data definitions.
//
#define SECURITY_ACCESS_INTERACTIVE_LOGON ((ULONG) 0x00000001L)
#define SECURITY_ACCESS_NETWORK_LOGON ((ULONG) 0x00000002L)
#define SECURITY_ACCESS_BATCH_LOGON ((ULONG) 0x00000004L)
#define SECURITY_ACCESS_SERVICE_LOGON ((ULONG) 0x00000010L)
#define SECURITY_ACCESS_PROXY_LOGON ((ULONG) 0x00000020L)
#define SECURITY_ACCESS_DENY_INTERACTIVE_LOGON ((ULONG) 0x00000040L)
#define SECURITY_ACCESS_DENY_NETWORK_LOGON ((ULONG) 0x00000080L)
#define SECURITY_ACCESS_DENY_BATCH_LOGON ((ULONG) 0x00000100L)
#define SECURITY_ACCESS_DENY_SERVICE_LOGON ((ULONG) 0x00000200L)
#define SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON ((ULONG) 0x00000400L)
#define SECURITY_ACCESS_DENY_REMOTE_INTERACTIVE_LOGON ((ULONG) 0x00000800L)
/////////////////////////////////////////////////////////////////////////
// //
// Data types related to Auditing //
// //
/////////////////////////////////////////////////////////////////////////
//
// The following enumerated type is used between the reference monitor and
// LSA in the generation of audit messages. It is used to indicate the
// type of data being passed as a parameter from the reference monitor
// to LSA. LSA is responsible for transforming the specified data type
// into a set of unicode strings that are added to the event record in
// the audit log.
//
typedef enum _SE_ADT_PARAMETER_TYPE {
SeAdtParmTypeNone = 0, //Produces 1 parameter
//Received value:
//
// None.
//
//Results in:
//
// a unicode string containing "-".
//
//Note: This is typically used to
// indicate that a parameter value
// was not available.
//
SeAdtParmTypeString, //Produces 1 parameter.
//Received Value:
//
// Unicode String (variable length)
//
//Results in:
//
// No transformation. The string
// entered into the event record as
// received.
//
// The Address value of the audit info
// should be a pointer to a UNICODE_STRING
// structure.
SeAdtParmTypeFileSpec, //Produces 1 parameter.
//Received value:
//
// Unicode string containing a file or
// directory name.
//
//Results in:
//
// Unicode string with the prefix of the
// file's path replaced by a drive letter
// if possible.
//
SeAdtParmTypeUlong, //Produces 1 parameter
//Received value:
//
// Ulong
//
//Results in:
//
// Unicode string representation of
// unsigned integer value.
SeAdtParmTypeSid, //Produces 1 parameter.
//Received value:
//
// SID (variable length)
//
//Results in:
//
// String representation of SID
//
SeAdtParmTypeLogonId, //Produces 3 parameters.
//Received Value:
//
// LUID (fixed length)
//
//Results in:
//
// param 1: Username string
// param 2: domain name string
// param 3: Logon ID (Luid) string
SeAdtParmTypeNoLogonId, //Produces 3 parameters.
//Received value:
//
// None.
//
//Results in:
//
// param 1: "-"
// param 2: "-"
// param 3: "-"
//
//Note:
//
// This type is used when a logon ID
// is needed, but one is not available
// to pass. For example, if an
// impersonation logon ID is expected
// but the subject is not impersonating
// anyone.
//
SeAdtParmTypeAccessMask, //Produces 1 parameter with formatting.
//Received value:
//
// ACCESS_MASK followed by
// a Unicode string. The unicode
// string contains the name of the
// type of object the access mask
// applies to. The event's source
// further qualifies the object type.
//
//Results in:
//
// formatted unicode string built to
// take advantage of the specified
// source's parameter message file.
//
//Note:
//
// An access mask containing three
// access types for a Widget object
// type (defined by the Foozle source)
// might end up looking like:
//
// %%1062\n\t\t%1066\n\t\t%%601
//
// The %%numbers are signals to the
// event viewer to perform parameter
// substitution before display.
//
SeAdtParmTypePrivs, //Produces 1 parameter with formatting.
//Received value:
//
// ??? Check with RobertRe and ScottBi
//
//Results in:
//
// formatted unicode string similar to
// that for access types. Each priv
// will be formatted to be displayed
// on its own line. E.g.,
//
// %%642\n\t\t%%651\n\t\t%%655
//
SeAdtParmTypeObjectTypes, //Produces 10 parameters with formatting.
//Received value:
//
// Produces a list a stringized GUIDS along
// with information similar to that for
// an access mask.
SeAdtParmTypeHexUlong, //Produces 1 parameter
//Received value:
//
// Ulong
//
//Results in:
//
// Unicode string representation of
// unsigned integer value in hexadecimal.
SeAdtParmTypePtr, //Produces 1 parameter
//Received value:
//
// pointer
//
//Results in:
//
// Unicode string representation of
// unsigned integer value in hexadecimal.
SeAdtParmTypeTime, //Produces 2 parameters
//Received value:
//
// LARGE_INTEGER
//
//Results in:
//
// Unicode string representation of
// date and time.
//
SeAdtParmTypeGuid, //Produces 1 parameter
//Received value:
//
// GUID pointer
//
//Results in:
//
// Unicode string representation of GUID
// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
//
SeAdtParmTypeLuid, //
//Produces 1 parameter
//Received value:
//
// LUID
//
//Results in:
//
// Hex LUID
//
SeAdtParmTypeHexInt64, //Produces 1 parameter
//Received value:
//
// 64 bit integer
//
//Results in:
//
// Unicode string representation of
// unsigned integer value in hexadecimal.
SeAdtParmTypeStringList, //Produces 1 parameter
//Received value:
//
// ptr to LSAP_ADT_STRING_LIST
//
//Results in:
//
// Unicode string representation of
// concatenation of the strings in the list
SeAdtParmTypeSidList, //Produces 1 parameter
//Received value:
//
// ptr to LSAP_ADT_SID_LIST
//
//Results in:
//
// Unicode string representation of
// concatenation of the SIDs in the list
SeAdtParmTypeDuration, //Produces 1 parameters
//Received value:
//
// LARGE_INTEGER
//
//Results in:
//
// Unicode string representation of
// a duration.
SeAdtParmTypeUserAccountControl,//Produces 3 parameters
//Received value:
//
// old and new UserAccountControl values
//
//Results in:
//
// Unicode string representations of
// the flags in UserAccountControl.
// 1 - old value in hex
// 2 - new value in hex
// 3 - difference as strings
SeAdtParmTypeNoUac, //Produces 3 parameters
//Received value:
//
// none
//
//Results in:
//
// Three dashes ('-') as unicode strings.
SeAdtParmTypeMessage, //Produces 1 Parameter
//Received value:
//
// ULONG (MessageNo from msobjs.mc)
//
//Results in:
//
// Unicode string representation of
// %%MessageNo which the event viewer
// will replace with the message string
// from msobjs.mc
SeAdtParmTypeDateTime, //Produces 1 Parameter
//Received value:
//
// LARGE_INTEGER
//
//Results in:
//
// Unicode string representation of
// date and time (in _one_ string).
SeAdtParmTypeSockAddr // Produces 2 parameters
//
// Received value:
//
// pointer to SOCKADDR_IN/SOCKADDR_IN6
// structure
//
// Results in:
//
// param 1: IP address string
// param 2: Port number string
//
} SE_ADT_PARAMETER_TYPE, *PSE_ADT_PARAMETER_TYPE;
#ifndef GUID_DEFINED
#include <guiddef.h>
#endif /* GUID_DEFINED */
typedef struct _SE_ADT_OBJECT_TYPE {
GUID ObjectType;
USHORT Flags;
#define SE_ADT_OBJECT_ONLY 0x1
USHORT Level;
ACCESS_MASK AccessMask;
} SE_ADT_OBJECT_TYPE, *PSE_ADT_OBJECT_TYPE;
typedef struct _SE_ADT_PARAMETER_ARRAY_ENTRY {
SE_ADT_PARAMETER_TYPE Type;
ULONG Length;
ULONG_PTR Data[2];
PVOID Address;
} SE_ADT_PARAMETER_ARRAY_ENTRY, *PSE_ADT_PARAMETER_ARRAY_ENTRY;
//
// Structure that will be passed between the Reference Monitor and LSA
// to transmit auditing information.
//
#define SE_MAX_AUDIT_PARAMETERS 32
typedef struct _SE_ADT_PARAMETER_ARRAY {
ULONG CategoryId;
ULONG AuditId;
ULONG ParameterCount;
ULONG Length;
USHORT Type;
ULONG Flags;
SE_ADT_PARAMETER_ARRAY_ENTRY Parameters[ SE_MAX_AUDIT_PARAMETERS ];
} SE_ADT_PARAMETER_ARRAY, *PSE_ADT_PARAMETER_ARRAY;
#define SE_ADT_PARAMETERS_SELF_RELATIVE 0x00000001
///////////////////////////////////////////////////////////////////////////
// //
// Structures describing the complex param type SeAdtParmTypeStringList //
// //
///////////////////////////////////////////////////////////////////////////
typedef struct _LSA_ADT_STRING_LIST_ENTRY
{
ULONG Flags;
UNICODE_STRING String;
}
LSA_ADT_STRING_LIST_ENTRY, *PLSA_ADT_STRING_LIST_ENTRY;
typedef struct _LSA_ADT_STRING_LIST
{
ULONG cStrings;
PLSA_ADT_STRING_LIST_ENTRY Strings;
}
LSA_ADT_STRING_LIST, *PLSA_ADT_STRING_LIST;
///////////////////////////////////////////////////////////////////////////
// //
// Structures describing the complex param type SeAdtParmTypeSidList //
// //
///////////////////////////////////////////////////////////////////////////
typedef struct _LSA_ADT_SID_LIST_ENTRY
{
ULONG Flags;
PSID Sid;
}
LSA_ADT_SID_LIST_ENTRY, *PLSA_ADT_SID_LIST_ENTRY;
typedef struct _LSA_ADT_SID_LIST
{
ULONG cSids;
PLSA_ADT_SID_LIST_ENTRY Sids;
}
LSA_ADT_SID_LIST, *PLSA_ADT_SID_LIST;
// begin_ntsecapi
//
// Audit Event Categories
//
// The following are the built-in types or Categories of audit event.
// WARNING! This structure is subject to expansion. The user should not
// compute the number of elements of this type directly, but instead
// should obtain the count of elements by calling LsaQueryInformationPolicy()
// for the PolicyAuditEventsInformation class and extracting the count from
// the MaximumAuditEventCount field of the returned structure.
//
typedef enum _POLICY_AUDIT_EVENT_TYPE {
AuditCategorySystem,
AuditCategoryLogon,
AuditCategoryObjectAccess,
AuditCategoryPrivilegeUse,
AuditCategoryDetailedTracking,
AuditCategoryPolicyChange,
AuditCategoryAccountManagement,
AuditCategoryDirectoryServiceAccess,
AuditCategoryAccountLogon
} POLICY_AUDIT_EVENT_TYPE, *PPOLICY_AUDIT_EVENT_TYPE;
//
// The following defines describe the auditing options for each
// event type
//
// Leave options specified for this event unchanged
#define POLICY_AUDIT_EVENT_UNCHANGED (0x00000000L)
// Audit successful occurrences of events of this type
#define POLICY_AUDIT_EVENT_SUCCESS (0x00000001L)
// Audit failed attempts to cause an event of this type to occur
#define POLICY_AUDIT_EVENT_FAILURE (0x00000002L)
#define POLICY_AUDIT_EVENT_NONE (0x00000004L)
// Mask of valid event auditing options
#define POLICY_AUDIT_EVENT_MASK \
(POLICY_AUDIT_EVENT_SUCCESS | \
POLICY_AUDIT_EVENT_FAILURE | \
POLICY_AUDIT_EVENT_UNCHANGED | \
POLICY_AUDIT_EVENT_NONE)
#ifdef _NTDEF_
// begin_ntifs
typedef UNICODE_STRING LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef STRING LSA_STRING, *PLSA_STRING;
typedef OBJECT_ATTRIBUTES LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
// end_ntifs
#else // _NTDEF_
#ifndef IN
#define IN
#endif
#ifndef OUT
#define OUT
#endif
#ifndef OPTIONAL
#define OPTIONAL
#endif
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
[size_is(MaximumLength/2), length_is(Length/2)]
#endif // MIDL_PASS
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef struct _LSA_STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} LSA_STRING, *PLSA_STRING;
typedef struct _LSA_OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PLSA_UNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} LSA_OBJECT_ATTRIBUTES, *PLSA_OBJECT_ATTRIBUTES;
#endif // _NTDEF_
// end_ntsecapi
// begin_ntsecapi
//
// Macro for determining whether an API succeeded.
//
#define LSA_SUCCESS(Error) ((LONG)(Error) >= 0)
// end_ntsecapi
/////////////////////////////////////////////////////////////////////////
// //
// Services provided for use by logon processes //
// //
/////////////////////////////////////////////////////////////////////////
// begin_ntsecapi
#ifndef _NTLSA_IFS_
// begin_ntifs
NTSTATUS
NTAPI
LsaRegisterLogonProcess (
IN PLSA_STRING LogonProcessName,
OUT PHANDLE LsaHandle,
OUT PLSA_OPERATIONAL_MODE SecurityMode
);
NTSTATUS
NTAPI
LsaLogonUser (
IN HANDLE LsaHandle,
IN PLSA_STRING OriginName,
IN SECURITY_LOGON_TYPE LogonType,
IN ULONG AuthenticationPackage,
IN PVOID AuthenticationInformation,
IN ULONG AuthenticationInformationLength,
IN PTOKEN_GROUPS LocalGroups OPTIONAL,
IN PTOKEN_SOURCE SourceContext,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PHANDLE Token,
OUT PQUOTA_LIMITS Quotas,
OUT PNTSTATUS SubStatus
);
// end_ntifs
NTSTATUS
NTAPI
LsaLookupAuthenticationPackage (
IN HANDLE LsaHandle,
IN PLSA_STRING PackageName,
OUT PULONG AuthenticationPackage
);
// begin_ntifs
NTSTATUS
NTAPI
LsaFreeReturnBuffer (
IN PVOID Buffer
);
// end_ntifs
NTSTATUS
NTAPI
LsaCallAuthenticationPackage (
IN HANDLE LsaHandle,
IN ULONG AuthenticationPackage,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
NTSTATUS
NTAPI
LsaDeregisterLogonProcess (
IN HANDLE LsaHandle
);
NTSTATUS
NTAPI
LsaConnectUntrusted (
OUT PHANDLE LsaHandle
);
#endif // _NTLSA_IFS_
// end_ntsecapi
// begin_ntsecpkg
/////////////////////////////////////////////////////////////////////////
// //
// Data types used by authentication packages //
// //
/////////////////////////////////////////////////////////////////////////
//
// opaque data type which represents a client request
//
typedef PVOID *PLSA_CLIENT_REQUEST;
//
// When a logon of a user is requested, the authentication package
// is expected to return one of the following structures indicating
// the contents of a user's token.
//
typedef enum _LSA_TOKEN_INFORMATION_TYPE {
LsaTokenInformationNull, // Implies LSA_TOKEN_INFORMATION_NULL data type
LsaTokenInformationV1, // Implies LSA_TOKEN_INFORMATION_V1 data type
LsaTokenInformationV2 // Implies LSA_TOKEN_INFORMATION_V2 data type
} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
//
// The NULL information is used in cases where a non-authenticated
// system access is needed. For example, a non-authentication network
// circuit (such as LAN Manager's null session) can be given NULL
// information. This will result in an anonymous token being generated
// for the logon that gives the user no ability to access protected system
// resources, but does allow access to non-protected system resources.
//
typedef struct _LSA_TOKEN_INFORMATION_NULL {
//
// Time at which the security context becomes invalid.
// Use a value in the distant future if the context
// never expires.
//
LARGE_INTEGER ExpirationTime;
//
// The SID(s) of groups the user is to be made a member of. This should
// not include WORLD or other system defined and assigned
// SIDs. These will be added automatically by LSA.
//
// Each SID is expected to be in a separately allocated block
// of memory. The TOKEN_GROUPS structure is also expected to
// be in a separately allocated block of memory.
//
PTOKEN_GROUPS Groups;
} LSA_TOKEN_INFORMATION_NULL, *PLSA_TOKEN_INFORMATION_NULL;
//
// The V1 token information structure is superceeded by the V2 token
// information structure. The V1 strucure should only be used for
// backwards compatability.
// This structure contains information that an authentication package
// can place in a Version 1 NT token object.
//
typedef struct _LSA_TOKEN_INFORMATION_V1 {
//
// Time at which the security context becomes invalid.
// Use a value in the distant future if the context
// never expires.
//
LARGE_INTEGER ExpirationTime;
//
// The SID of the user logging on. The SID value is in a
// separately allocated block of memory.
//
TOKEN_USER User;
//
// The SID(s) of groups the user is a member of. This should
// not include WORLD or other system defined and assigned
// SIDs. These will be added automatically by LSA.
//
// Each SID is expected to be in a separately allocated block
// of memory. The TOKEN_GROUPS structure is also expected to
// be in a separately allocated block of memory.
//
PTOKEN_GROUPS Groups;
//
// This field is used to establish the primary group of the user.
// This value does not have to correspond to one of the SIDs
// assigned to the user.
//
// The SID pointed to by this structure is expected to be in
// a separately allocated block of memory.
//
// This field is mandatory and must be filled in.
//
TOKEN_PRIMARY_GROUP PrimaryGroup;
//
// The privileges the user is assigned. This list of privileges
// will be augmented or over-ridden by any local security policy
// assigned privileges.
//
// Each privilege is expected to be in a separately allocated
// block of memory. The TOKEN_PRIVILEGES structure is also
// expected to be in a separately allocated block of memory.
//
// If there are no privileges to assign to the user, this field
// may be set to NULL.
//
PTOKEN_PRIVILEGES Privileges;
//
// This field may be used to establish an explicit default
// owner. Normally, the user ID is used as the default owner.
// If another value is desired, it must be specified here.
//
// The Owner.Sid field may be set to NULL to indicate there is no
// alternate default owner value.
//
TOKEN_OWNER Owner;
//
// This field may be used to establish a default
// protection for the user. If no value is provided, then
// a default protection that grants everyone all access will
// be established.
//
// The DefaultDacl.DefaultDacl field may be set to NULL to indicate
// there is no default protection.
//
TOKEN_DEFAULT_DACL DefaultDacl;
} LSA_TOKEN_INFORMATION_V1, *PLSA_TOKEN_INFORMATION_V1;
//
// The V2 information is used in most cases of logon. The structure is identical
// to the V1 token information structure, with the exception that the memory allocation
// is handled differently. The LSA_TOKEN_INFORMATION_V2 structure is intended to be
// allocated monolithiclly, with the privileges, DACL, sids, and group array either part of
// same allocation, or allocated and freed externally.
//
typedef LSA_TOKEN_INFORMATION_V1 LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
/////////////////////////////////////////////////////////////////////////
// //
// Interface definitions available for use by authentication packages //
// //
/////////////////////////////////////////////////////////////////////////
typedef NTSTATUS
(NTAPI LSA_CREATE_LOGON_SESSION) (
IN PLUID LogonId
);
typedef NTSTATUS
(NTAPI LSA_DELETE_LOGON_SESSION) (
IN PLUID LogonId
);
typedef NTSTATUS
(NTAPI LSA_ADD_CREDENTIAL) (
IN PLUID LogonId,
IN ULONG AuthenticationPackage,
IN PLSA_STRING PrimaryKeyValue,
IN PLSA_STRING Credentials
);
typedef NTSTATUS
(NTAPI LSA_GET_CREDENTIALS) (
IN PLUID LogonId,
IN ULONG AuthenticationPackage,
IN OUT PULONG QueryContext,
IN BOOLEAN RetrieveAllCredentials,
IN PLSA_STRING PrimaryKeyValue,
OUT PULONG PrimaryKeyLength,
IN PLSA_STRING Credentials
);
typedef NTSTATUS
(NTAPI LSA_DELETE_CREDENTIAL) (
IN PLUID LogonId,
IN ULONG AuthenticationPackage,
IN PLSA_STRING PrimaryKeyValue
);
typedef PVOID
(NTAPI LSA_ALLOCATE_LSA_HEAP) (
IN ULONG Length
);
typedef VOID
(NTAPI LSA_FREE_LSA_HEAP) (
IN PVOID Base
);
typedef PVOID
(NTAPI LSA_ALLOCATE_PRIVATE_HEAP) (
IN SIZE_T Length
);
typedef VOID
(NTAPI LSA_FREE_PRIVATE_HEAP) (
IN PVOID Base
);
typedef NTSTATUS
(NTAPI LSA_ALLOCATE_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN ULONG LengthRequired,
OUT PVOID *ClientBaseAddress
);
typedef NTSTATUS
(NTAPI LSA_FREE_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN PVOID ClientBaseAddress
);
typedef NTSTATUS
(NTAPI LSA_COPY_TO_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN ULONG Length,
IN PVOID ClientBaseAddress,
IN PVOID BufferToCopy
);
typedef NTSTATUS
(NTAPI LSA_COPY_FROM_CLIENT_BUFFER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN ULONG Length,
IN PVOID BufferToCopy,
IN PVOID ClientBaseAddress
);
typedef LSA_CREATE_LOGON_SESSION * PLSA_CREATE_LOGON_SESSION ;
typedef LSA_DELETE_LOGON_SESSION * PLSA_DELETE_LOGON_SESSION ;
typedef LSA_ADD_CREDENTIAL * PLSA_ADD_CREDENTIAL ;
typedef LSA_GET_CREDENTIALS * PLSA_GET_CREDENTIALS ;
typedef LSA_DELETE_CREDENTIAL * PLSA_DELETE_CREDENTIAL ;
typedef LSA_ALLOCATE_LSA_HEAP * PLSA_ALLOCATE_LSA_HEAP ;
typedef LSA_FREE_LSA_HEAP * PLSA_FREE_LSA_HEAP ;
typedef LSA_ALLOCATE_PRIVATE_HEAP * PLSA_ALLOCATE_PRIVATE_HEAP ;
typedef LSA_FREE_PRIVATE_HEAP * PLSA_FREE_PRIVATE_HEAP ;
typedef LSA_ALLOCATE_CLIENT_BUFFER * PLSA_ALLOCATE_CLIENT_BUFFER ;
typedef LSA_FREE_CLIENT_BUFFER * PLSA_FREE_CLIENT_BUFFER ;
typedef LSA_COPY_TO_CLIENT_BUFFER * PLSA_COPY_TO_CLIENT_BUFFER ;
typedef LSA_COPY_FROM_CLIENT_BUFFER * PLSA_COPY_FROM_CLIENT_BUFFER ;
//
// The dispatch table of LSA services which are available to
// authentication packages.
//
typedef struct _LSA_DISPATCH_TABLE {
PLSA_CREATE_LOGON_SESSION CreateLogonSession;
PLSA_DELETE_LOGON_SESSION DeleteLogonSession;
PLSA_ADD_CREDENTIAL AddCredential;
PLSA_GET_CREDENTIALS GetCredentials;
PLSA_DELETE_CREDENTIAL DeleteCredential;
PLSA_ALLOCATE_LSA_HEAP AllocateLsaHeap;
PLSA_FREE_LSA_HEAP FreeLsaHeap;
PLSA_ALLOCATE_CLIENT_BUFFER AllocateClientBuffer;
PLSA_FREE_CLIENT_BUFFER FreeClientBuffer;
PLSA_COPY_TO_CLIENT_BUFFER CopyToClientBuffer;
PLSA_COPY_FROM_CLIENT_BUFFER CopyFromClientBuffer;
} LSA_DISPATCH_TABLE, *PLSA_DISPATCH_TABLE;
////////////////////////////////////////////////////////////////////////////
// //
// Interface definitions of services provided by authentication packages //
// //
////////////////////////////////////////////////////////////////////////////
//
// Routine names
//
// The routines provided by the DLL must be assigned the following names
// so that their addresses can be retrieved when the DLL is loaded.
//
#define LSA_AP_NAME_INITIALIZE_PACKAGE "LsaApInitializePackage\0"
#define LSA_AP_NAME_LOGON_USER "LsaApLogonUser\0"
#define LSA_AP_NAME_LOGON_USER_EX "LsaApLogonUserEx\0"
#define LSA_AP_NAME_CALL_PACKAGE "LsaApCallPackage\0"
#define LSA_AP_NAME_LOGON_TERMINATED "LsaApLogonTerminated\0"
#define LSA_AP_NAME_CALL_PACKAGE_UNTRUSTED "LsaApCallPackageUntrusted\0"
#define LSA_AP_NAME_CALL_PACKAGE_PASSTHROUGH "LsaApCallPackagePassthrough\0"
//
// Routine templates
//
typedef NTSTATUS
(NTAPI LSA_AP_INITIALIZE_PACKAGE) (
IN ULONG AuthenticationPackageId,
IN PLSA_DISPATCH_TABLE LsaDispatchTable,
IN PLSA_STRING Database OPTIONAL,
IN PLSA_STRING Confidentiality OPTIONAL,
OUT PLSA_STRING *AuthenticationPackageName
);
typedef NTSTATUS
(NTAPI LSA_AP_LOGON_USER) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PLSA_UNICODE_STRING *AccountName,
OUT PLSA_UNICODE_STRING *AuthenticatingAuthority
);
typedef NTSTATUS
(NTAPI LSA_AP_LOGON_USER_EX) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN SECURITY_LOGON_TYPE LogonType,
IN PVOID AuthenticationInformation,
IN PVOID ClientAuthenticationBase,
IN ULONG AuthenticationInformationLength,
OUT PVOID *ProfileBuffer,
OUT PULONG ProfileBufferLength,
OUT PLUID LogonId,
OUT PNTSTATUS SubStatus,
OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType,
OUT PVOID *TokenInformation,
OUT PUNICODE_STRING *AccountName,
OUT PUNICODE_STRING *AuthenticatingAuthority,
OUT PUNICODE_STRING *MachineName
);
typedef NTSTATUS
(NTAPI LSA_AP_CALL_PACKAGE) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN PVOID ProtocolSubmitBuffer,
IN PVOID ClientBufferBase,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef NTSTATUS
(NTAPI LSA_AP_CALL_PACKAGE_PASSTHROUGH) (
IN PLSA_CLIENT_REQUEST ClientRequest,
IN PVOID ProtocolSubmitBuffer,
IN PVOID ClientBufferBase,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
);
typedef VOID
(NTAPI LSA_AP_LOGON_TERMINATED) (
IN PLUID LogonId
);
typedef LSA_AP_CALL_PACKAGE LSA_AP_CALL_PACKAGE_UNTRUSTED;
typedef LSA_AP_INITIALIZE_PACKAGE * PLSA_AP_INITIALIZE_PACKAGE ;
typedef LSA_AP_LOGON_USER * PLSA_AP_LOGON_USER ;
typedef LSA_AP_LOGON_USER_EX * PLSA_AP_LOGON_USER_EX ;
typedef LSA_AP_CALL_PACKAGE * PLSA_AP_CALL_PACKAGE ;
typedef LSA_AP_CALL_PACKAGE_PASSTHROUGH * PLSA_AP_CALL_PACKAGE_PASSTHROUGH ;
typedef LSA_AP_LOGON_TERMINATED * PLSA_AP_LOGON_TERMINATED ;
typedef LSA_AP_CALL_PACKAGE_UNTRUSTED * PLSA_AP_CALL_PACKAGE_UNTRUSTED ;
// end_ntsecpkg
// begin_ntsecapi
////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy Administration API datatypes and defines //
// //
////////////////////////////////////////////////////////////////////////////
//
// Access types for the Policy object
//
#define POLICY_VIEW_LOCAL_INFORMATION 0x00000001L
#define POLICY_VIEW_AUDIT_INFORMATION 0x00000002L
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004L
#define POLICY_TRUST_ADMIN 0x00000008L
#define POLICY_CREATE_ACCOUNT 0x00000010L
#define POLICY_CREATE_SECRET 0x00000020L
#define POLICY_CREATE_PRIVILEGE 0x00000040L
#define POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080L
#define POLICY_SET_AUDIT_REQUIREMENTS 0x00000100L
#define POLICY_AUDIT_LOG_ADMIN 0x00000200L
#define POLICY_SERVER_ADMIN 0x00000400L
#define POLICY_LOOKUP_NAMES 0x00000800L
#define POLICY_NOTIFICATION 0x00001000L
#define POLICY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
POLICY_VIEW_LOCAL_INFORMATION |\
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
POLICY_CREATE_PRIVILEGE |\
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
POLICY_SET_AUDIT_REQUIREMENTS |\
POLICY_AUDIT_LOG_ADMIN |\
POLICY_SERVER_ADMIN |\
POLICY_LOOKUP_NAMES)
#define POLICY_READ (STANDARD_RIGHTS_READ |\
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION)
#define POLICY_WRITE (STANDARD_RIGHTS_WRITE |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
POLICY_CREATE_PRIVILEGE |\
POLICY_SET_DEFAULT_QUOTA_LIMITS |\
POLICY_SET_AUDIT_REQUIREMENTS |\
POLICY_AUDIT_LOG_ADMIN |\
POLICY_SERVER_ADMIN)
#define POLICY_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
POLICY_VIEW_LOCAL_INFORMATION |\
POLICY_LOOKUP_NAMES)
//
// Policy object specific data types.
//
//
// The following data type is used to identify a domain
//
typedef struct _LSA_TRUST_INFORMATION {
LSA_UNICODE_STRING Name;
PSID Sid;
} LSA_TRUST_INFORMATION, *PLSA_TRUST_INFORMATION;
// where members have the following usage:
//
// Name - The name of the domain.
//
// Sid - A pointer to the Sid of the Domain
//
//
// The following data type is used in name and SID lookup services to
// describe the domains referenced in the lookup operation.
//
typedef struct _LSA_REFERENCED_DOMAIN_LIST {
ULONG Entries;
PLSA_TRUST_INFORMATION Domains;
} LSA_REFERENCED_DOMAIN_LIST, *PLSA_REFERENCED_DOMAIN_LIST;
// where members have the following usage:
//
// Entries - Is a count of the number of domains described in the
// Domains array.
//
// Domains - Is a pointer to an array of Entries LSA_TRUST_INFORMATION data
// structures.
//
//
// The following data type is used in name to SID lookup services to describe
// the domains referenced in the lookup operation.
//
typedef struct _LSA_TRANSLATED_SID {
SID_NAME_USE Use;
ULONG RelativeId;
LONG DomainIndex;
} LSA_TRANSLATED_SID, *PLSA_TRANSLATED_SID;
// where members have the following usage:
//
// Use - identifies the use of the SID. If this value is SidUnknown or
// SidInvalid, then the remainder of the record is not set and
// should be ignored.
//
// RelativeId - Contains the relative ID of the translated SID. The
// remainder of the SID (the prefix) is obtained using the
// DomainIndex field.
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
// domain in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
typedef struct _LSA_TRANSLATED_SID2 {
SID_NAME_USE Use;
PSID Sid;
LONG DomainIndex;
ULONG Flags;
} LSA_TRANSLATED_SID2, *PLSA_TRANSLATED_SID2;
// where members have the following usage:
//
// Use - identifies the use of the SID. If this value is SidUnknown or
// SidInvalid, then the remainder of the record is not set and
// should be ignored.
//
// Sid - Contains the complete Sid of the tranlated SID
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the
// domain in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
//
// The following data type is used in SID to name lookup services to
// describe the domains referenced in the lookup operation.
//
typedef struct _LSA_TRANSLATED_NAME {
SID_NAME_USE Use;
LSA_UNICODE_STRING Name;
LONG DomainIndex;
} LSA_TRANSLATED_NAME, *PLSA_TRANSLATED_NAME;
// where the members have the following usage:
//
// Use - Identifies the use of the name. If this value is SidUnknown
// or SidInvalid, then the remainder of the record is not set and
// should be ignored. If this value is SidWellKnownGroup then the
// Name field is invalid, but the DomainIndex field is not.
//
// Name - Contains the isolated name of the translated SID.
//
// DomainIndex - Is the index of an entry in a related
// LSA_REFERENCED_DOMAIN_LIST data structure describing the domain
// in which the account was found.
//
// If there is no corresponding reference domain for an entry, then
// this field will contain a negative value.
//
// end_ntsecapi
//
// The following data type specifies the ways in which a user or member of
// an alias or group may be allowed to access the system. An account may
// be granted zero or more of these types of access to the system.
//
// The types of access are:
//
// Interactive - The user or alias/group member may interactively logon
// to the system.
//
// Network - The user or alias/group member may access the system via
// the network (e.g., through shares).
//
// Service - The user or alias may be activated as a service on the
// system.
//
typedef ULONG POLICY_SYSTEM_ACCESS_MODE, *PPOLICY_SYSTEM_ACCESS_MODE;
#define POLICY_MODE_INTERACTIVE SECURITY_ACCESS_INTERACTIVE_LOGON
#define POLICY_MODE_NETWORK SECURITY_ACCESS_NETWORK_LOGON
#define POLICY_MODE_BATCH SECURITY_ACCESS_BATCH_LOGON
#define POLICY_MODE_SERVICE SECURITY_ACCESS_SERVICE_LOGON
#define POLICY_MODE_PROXY SECURITY_ACCESS_PROXY_LOGON
#define POLICY_MODE_DENY_INTERACTIVE SECURITY_ACCESS_DENY_INTERACTIVE_LOGON
#define POLICY_MODE_DENY_NETWORK SECURITY_ACCESS_DENY_NETWORK_LOGON
#define POLICY_MODE_DENY_BATCH SECURITY_ACCESS_DENY_BATCH_LOGON
#define POLICY_MODE_DENY_SERVICE SECURITY_ACCESS_DENY_SERVICE_LOGON
#define POLICY_MODE_REMOTE_INTERACTIVE SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON
#define POLICY_MODE_DENY_REMOTE_INTERACTIVE SECURITY_ACCESS_DENY_REMOTE_INTERACTIVE_LOGON
#define POLICY_MODE_ALL (POLICY_MODE_INTERACTIVE | \
POLICY_MODE_NETWORK | \
POLICY_MODE_BATCH | \
POLICY_MODE_SERVICE | \
POLICY_MODE_PROXY | \
POLICY_MODE_DENY_INTERACTIVE | \
POLICY_MODE_DENY_NETWORK | \
SECURITY_ACCESS_DENY_BATCH_LOGON | \
SECURITY_ACCESS_DENY_SERVICE_LOGON | \
POLICY_MODE_REMOTE_INTERACTIVE | \
POLICY_MODE_DENY_REMOTE_INTERACTIVE )
//
// The following is the bits allowed in NT4.0
//
#define POLICY_MODE_ALL_NT4 (POLICY_MODE_INTERACTIVE | \
POLICY_MODE_NETWORK | \
POLICY_MODE_BATCH | \
POLICY_MODE_SERVICE | \
POLICY_MODE_PROXY )
// begin_ntsecapi
//
// The following data type is used to represent the role of the LSA
// server (primary or backup).
//
typedef enum _POLICY_LSA_SERVER_ROLE {
PolicyServerRoleBackup = 2,
PolicyServerRolePrimary
} POLICY_LSA_SERVER_ROLE, *PPOLICY_LSA_SERVER_ROLE;
//
// The following data type is used to specify the auditing options for
// an Audit Event Type.
//
typedef ULONG POLICY_AUDIT_EVENT_OPTIONS, *PPOLICY_AUDIT_EVENT_OPTIONS;
// where the following flags can be set:
//
// POLICY_AUDIT_EVENT_UNCHANGED - Leave existing auditing options
// unchanged for events of this type. This flag is only used for
// set operations. If this flag is set, then all other flags
// are ignored.
//
// POLICY_AUDIT_EVENT_NONE - Cancel all auditing options for events
// of this type. If this flag is set, the success/failure flags
// are ignored.
//
// POLICY_AUDIT_EVENT_SUCCESS - When auditing is enabled, audit all
// successful occurrences of events of the given type.
//
// POLICY_AUDIT_EVENT_FAILURE - When auditing is enabled, audit all
// unsuccessful occurrences of events of the given type.
//
// end_ntsecapi
//
// The following data type is used to return information about privileges
// defined on a system.
//
typedef struct _POLICY_PRIVILEGE_DEFINITION {
LSA_UNICODE_STRING Name;
LUID LocalValue;
} POLICY_PRIVILEGE_DEFINITION, *PPOLICY_PRIVILEGE_DEFINITION;
//
// where the members have the following usage:
//
// Name - Is the architected name of the privilege. This is the
// primary key of the privilege and the only value that is
// transportable between systems.
//
// Luid - is a LUID value assigned locally for efficient representation
// of the privilege. Ths value is meaningful only on the system it
// was assigned on and is not transportable in any way.
//
//
// System Flags for LsaLookupNames2
//
//
// Note the flags start backward so that public values
// don't have gaps.
//
//
// This flag controls LsaLookupNames2 such that isolated names, including
// UPN's are not searched for off the machine. Composite names
// (domain\username) are still sent off machine if necessary.
//
#define LSA_LOOKUP_ISOLATED_AS_LOCAL 0x80000000
// begin_ntsecapi
//
// The following data type defines the classes of Policy Information
// that may be queried/set.
//
typedef enum _POLICY_INFORMATION_CLASS {
PolicyAuditLogInformation = 1,
PolicyAuditEventsInformation,
PolicyPrimaryDomainInformation,
PolicyPdAccountInformation,
PolicyAccountDomainInformation,
PolicyLsaServerRoleInformation,
PolicyReplicaSourceInformation,
PolicyDefaultQuotaInformation,
PolicyModificationInformation,
PolicyAuditFullSetInformation,
PolicyAuditFullQueryInformation,
PolicyDnsDomainInformation,
PolicyDnsDomainInformationInt
} POLICY_INFORMATION_CLASS, *PPOLICY_INFORMATION_CLASS;
//
// The following data type corresponds to the PolicyAuditLogInformation
// information class. It is used to represent information relating to
// the Audit Log.
//
// This structure may be used in both query and set operations. However,
// when used in set operations, some fields are ignored.
//
typedef struct _POLICY_AUDIT_LOG_INFO {
ULONG AuditLogPercentFull;
ULONG MaximumLogSize;
LARGE_INTEGER AuditRetentionPeriod;
BOOLEAN AuditLogFullShutdownInProgress;
LARGE_INTEGER TimeToShutdown;
ULONG NextAuditRecordId;
} POLICY_AUDIT_LOG_INFO, *PPOLICY_AUDIT_LOG_INFO;
// where the members have the following usage:
//
// AuditLogPercentFull - Indicates the percentage of the Audit Log
// currently being used.
//
// MaximumLogSize - Specifies the maximum size of the Audit Log in
// kilobytes.
//
// AuditRetentionPeriod - Indicates the length of time that Audit
// Records are to be retained. Audit Records are discardable
// if their timestamp predates the current time minus the
// retention period.
//
// AuditLogFullShutdownInProgress - Indicates whether or not a system
// shutdown is being initiated due to the security Audit Log becoming
// full. This condition will only occur if the system is configured
// to shutdown when the log becomes full.
//
// TRUE indicates that a shutdown is in progress
// FALSE indicates that a shutdown is not in progress.
//
// Once a shutdown has been initiated, this flag will be set to
// TRUE. If an administrator is able to currect the situation
// before the shutdown becomes irreversible, then this flag will
// be reset to false.
//
// This field is ignored for set operations.
//
// TimeToShutdown - If the AuditLogFullShutdownInProgress flag is set,
// then this field contains the time left before the shutdown
// becomes irreversible.
//
// This field is ignored for set operations.
//
//
// The following data type corresponds to the PolicyAuditEventsInformation
// information class. It is used to represent information relating to
// the audit requirements.
//
typedef struct _POLICY_AUDIT_EVENTS_INFO {
BOOLEAN AuditingMode;
PPOLICY_AUDIT_EVENT_OPTIONS EventAuditingOptions;
ULONG MaximumAuditEventCount;
} POLICY_AUDIT_EVENTS_INFO, *PPOLICY_AUDIT_EVENTS_INFO;
// where the members have the following usage:
//
// AuditingMode - A Boolean variable specifying the Auditing Mode value.
// This value is interpreted as follows:
//
// TRUE - Auditing is to be enabled (set operations) or is enabled
// (query operations). Audit Records will be generated according
// to the Event Auditing Options in effect (see the
// EventAuditingOptions field.
//
// FALSE - Auditing is to be disabled (set operations) or is
// disabled (query operations). No Audit Records will be
// generated. Note that for set operations the Event Auditing
// Options in effect will still be updated as specified by the
// EventAuditingOptions field whether Auditing is enabled or
// disabled.
//
// EventAuditingOptions - Pointer to an array of Auditing Options
// indexed by Audit Event Type.
//
// MaximumAuditEventCount - Specifiesa count of the number of Audit
// Event Types specified by the EventAuditingOptions parameter. If
// this count is less than the number of Audit Event Types supported
// by the system, the Auditing Options for Event Types with IDs
// higher than (MaximumAuditEventCount + 1) are left unchanged.
//
//
// The following structure corresponds to the PolicyAccountDomainInformation
// information class.
//
typedef struct _POLICY_ACCOUNT_DOMAIN_INFO {
LSA_UNICODE_STRING DomainName;
PSID DomainSid;
} POLICY_ACCOUNT_DOMAIN_INFO, *PPOLICY_ACCOUNT_DOMAIN_INFO;
// where the members have the following usage:
//
// DomainName - Is the name of the domain
//
// DomainSid - Is the Sid of the domain
//
//
// The following structure corresponds to the PolicyPrimaryDomainInformation
// information class.
//
typedef struct _POLICY_PRIMARY_DOMAIN_INFO {
LSA_UNICODE_STRING Name;
PSID Sid;
} POLICY_PRIMARY_DOMAIN_INFO, *PPOLICY_PRIMARY_DOMAIN_INFO;
// where the members have the following usage:
//
// Name - Is the name of the domain
//
// Sid - Is the Sid of the domain
//
//
// The following structure corresponds to the PolicyDnsDomainInformation
// information class
//
typedef struct _POLICY_DNS_DOMAIN_INFO
{
LSA_UNICODE_STRING Name;
LSA_UNICODE_STRING DnsDomainName;
LSA_UNICODE_STRING DnsForestName;
GUID DomainGuid;
PSID Sid;
} POLICY_DNS_DOMAIN_INFO, *PPOLICY_DNS_DOMAIN_INFO;
// where the members have the following usage:
//
// Name - Is the name of the Domain
//
// DnsDomainName - Is the DNS name of the domain
//
// DnsForestName - Is the DNS forest name of the domain
//
// DomainGuid - Is the GUID of the domain
//
// Sid - Is the Sid of the domain
//
// The following structure corresponds to the PolicyPdAccountInformation
// information class. This structure may be used in Query operations
// only.
//
typedef struct _POLICY_PD_ACCOUNT_INFO {
LSA_UNICODE_STRING Name;
} POLICY_PD_ACCOUNT_INFO, *PPOLICY_PD_ACCOUNT_INFO;
// where the members have the following usage:
//
// Name - Is the name of an account in the domain that should be used
// for authentication and name/ID lookup requests.
//
//
// The following structure corresponds to the PolicyLsaServerRoleInformation
// information class.
//
typedef struct _POLICY_LSA_SERVER_ROLE_INFO {
POLICY_LSA_SERVER_ROLE LsaServerRole;
} POLICY_LSA_SERVER_ROLE_INFO, *PPOLICY_LSA_SERVER_ROLE_INFO;
// where the fields have the following usage:
//
// TBS
//
//
// The following structure corresponds to the PolicyReplicaSourceInformation
// information class.
//
typedef struct _POLICY_REPLICA_SOURCE_INFO {
LSA_UNICODE_STRING ReplicaSource;
LSA_UNICODE_STRING ReplicaAccountName;
} POLICY_REPLICA_SOURCE_INFO, *PPOLICY_REPLICA_SOURCE_INFO;
//
// The following structure corresponds to the PolicyDefaultQuotaInformation
// information class.
//
typedef struct _POLICY_DEFAULT_QUOTA_INFO {
QUOTA_LIMITS QuotaLimits;
} POLICY_DEFAULT_QUOTA_INFO, *PPOLICY_DEFAULT_QUOTA_INFO;
//
// The following structure corresponds to the PolicyModificationInformation
// information class.
//
typedef struct _POLICY_MODIFICATION_INFO {
LARGE_INTEGER ModifiedId;
LARGE_INTEGER DatabaseCreationTime;
} POLICY_MODIFICATION_INFO, *PPOLICY_MODIFICATION_INFO;
// where the members have the following usage:
//
// ModifiedId - Is a 64-bit unsigned integer that is incremented each
// time anything in the LSA database is modified. This value is
// only modified on Primary Domain Controllers.
//
// DatabaseCreationTime - Is the date/time that the LSA Database was
// created. On Backup Domain Controllers, this value is replicated
// from the Primary Domain Controller.
//
//
// The following structure type corresponds to the PolicyAuditFullSetInformation
// Information Class.
//
typedef struct _POLICY_AUDIT_FULL_SET_INFO {
BOOLEAN ShutDownOnFull;
} POLICY_AUDIT_FULL_SET_INFO, *PPOLICY_AUDIT_FULL_SET_INFO;
//
// The following structure type corresponds to the PolicyAuditFullQueryInformation
// Information Class.
//
typedef struct _POLICY_AUDIT_FULL_QUERY_INFO {
BOOLEAN ShutDownOnFull;
BOOLEAN LogIsFull;
} POLICY_AUDIT_FULL_QUERY_INFO, *PPOLICY_AUDIT_FULL_QUERY_INFO;
//
// The following data type defines the classes of Policy Information
// that may be queried/set that has domain wide effect.
//
typedef enum _POLICY_DOMAIN_INFORMATION_CLASS {
// PolicyDomainQualityOfServiceInformation, // value was used in W2K; no longer supported
PolicyDomainEfsInformation = 2,
PolicyDomainKerberosTicketInformation
} POLICY_DOMAIN_INFORMATION_CLASS, *PPOLICY_DOMAIN_INFORMATION_CLASS;
//
// The following structure corresponds to the PolicyEfsInformation
// information class
//
typedef struct _POLICY_DOMAIN_EFS_INFO {
ULONG InfoLength;
PUCHAR EfsBlob;
} POLICY_DOMAIN_EFS_INFO, *PPOLICY_DOMAIN_EFS_INFO;
//
// where the members have the following usage:
//
// InfoLength - Length of the EFS Information blob
//
// EfsBlob - Efs blob data
//
//
// The following structure corresponds to the PolicyDomainKerberosTicketInformation
// information class
//
#define POLICY_KERBEROS_VALIDATE_CLIENT 0x00000080
typedef struct _POLICY_DOMAIN_KERBEROS_TICKET_INFO {
ULONG AuthenticationOptions;
LARGE_INTEGER MaxServiceTicketAge;
LARGE_INTEGER MaxTicketAge;
LARGE_INTEGER MaxRenewAge;
LARGE_INTEGER MaxClockSkew;
LARGE_INTEGER Reserved;
} POLICY_DOMAIN_KERBEROS_TICKET_INFO, *PPOLICY_DOMAIN_KERBEROS_TICKET_INFO;
//
// where the members have the following usage
//
// AuthenticationOptions -- allowed ticket options (POLICY_KERBEROS_* flags )
//
// MaxServiceTicketAge -- Maximum lifetime for a service ticket
//
// MaxTicketAge -- Maximum lifetime for the initial ticket
//
// MaxRenewAge -- Maximum cumulative age a renewable ticket can be with
// requring authentication
//
// MaxClockSkew -- Maximum tolerance for synchronization of computer clocks
//
// Reserved -- Reserved
//
// The following data type defines the classes of Policy Information / Policy Domain Information
// that may be used to request notification
//
typedef enum _POLICY_NOTIFICATION_INFORMATION_CLASS {
PolicyNotifyAuditEventsInformation = 1,
PolicyNotifyAccountDomainInformation,
PolicyNotifyServerRoleInformation,
PolicyNotifyDnsDomainInformation,
PolicyNotifyDomainEfsInformation,
PolicyNotifyDomainKerberosTicketInformation,
PolicyNotifyMachineAccountPasswordInformation
} POLICY_NOTIFICATION_INFORMATION_CLASS, *PPOLICY_NOTIFICATION_INFORMATION_CLASS;
// end_ntsecapi
//
// Account object type-specific Access Types
//
#define ACCOUNT_VIEW 0x00000001L
#define ACCOUNT_ADJUST_PRIVILEGES 0x00000002L
#define ACCOUNT_ADJUST_QUOTAS 0x00000004L
#define ACCOUNT_ADJUST_SYSTEM_ACCESS 0x00000008L
#define ACCOUNT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
ACCOUNT_VIEW |\
ACCOUNT_ADJUST_PRIVILEGES |\
ACCOUNT_ADJUST_QUOTAS |\
ACCOUNT_ADJUST_SYSTEM_ACCESS)
#define ACCOUNT_READ (STANDARD_RIGHTS_READ |\
ACCOUNT_VIEW)
#define ACCOUNT_WRITE (STANDARD_RIGHTS_WRITE |\
ACCOUNT_ADJUST_PRIVILEGES |\
ACCOUNT_ADJUST_QUOTAS |\
ACCOUNT_ADJUST_SYSTEM_ACCESS)
#define ACCOUNT_EXECUTE (STANDARD_RIGHTS_EXECUTE)
// begin_ntsecapi
//
// LSA RPC Context Handle (Opaque form). Note that a Context Handle is
// always a pointer type unlike regular handles.
//
typedef PVOID LSA_HANDLE, *PLSA_HANDLE;
// end_ntsecapi
//
// Trusted Domain object specific access types
//
#define TRUSTED_QUERY_DOMAIN_NAME 0x00000001L
#define TRUSTED_QUERY_CONTROLLERS 0x00000002L
#define TRUSTED_SET_CONTROLLERS 0x00000004L
#define TRUSTED_QUERY_POSIX 0x00000008L
#define TRUSTED_SET_POSIX 0x00000010L
#define TRUSTED_SET_AUTH 0x00000020L
#define TRUSTED_QUERY_AUTH 0x00000040L
#define TRUSTED_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
TRUSTED_QUERY_DOMAIN_NAME |\
TRUSTED_QUERY_CONTROLLERS |\
TRUSTED_SET_CONTROLLERS |\
TRUSTED_QUERY_POSIX |\
TRUSTED_SET_POSIX |\
TRUSTED_SET_AUTH |\
TRUSTED_QUERY_AUTH)
#define TRUSTED_READ (STANDARD_RIGHTS_READ |\
TRUSTED_QUERY_DOMAIN_NAME)
#define TRUSTED_WRITE (STANDARD_RIGHTS_WRITE |\
TRUSTED_SET_CONTROLLERS |\
TRUSTED_SET_POSIX |\
TRUSTED_SET_AUTH )
#define TRUSTED_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
TRUSTED_QUERY_CONTROLLERS |\
TRUSTED_QUERY_POSIX)
// begin_ntsecapi
//
// Trusted Domain Object specific data types
//
//
// This data type defines the following information classes that may be
// queried or set.
//
typedef enum _TRUSTED_INFORMATION_CLASS {
TrustedDomainNameInformation = 1,
TrustedControllersInformation,
TrustedPosixOffsetInformation,
TrustedPasswordInformation,
TrustedDomainInformationBasic,
TrustedDomainInformationEx,
TrustedDomainAuthInformation,
TrustedDomainFullInformation,
TrustedDomainAuthInformationInternal,
TrustedDomainFullInformationInternal,
TrustedDomainInformationEx2Internal,
TrustedDomainFullInformation2Internal,
} TRUSTED_INFORMATION_CLASS, *PTRUSTED_INFORMATION_CLASS;
//
// The following data type corresponds to the TrustedDomainNameInformation
// information class.
//
typedef struct _TRUSTED_DOMAIN_NAME_INFO {
LSA_UNICODE_STRING Name;
} TRUSTED_DOMAIN_NAME_INFO, *PTRUSTED_DOMAIN_NAME_INFO;
// where members have the following meaning:
//
// Name - The name of the Trusted Domain.
//
//
// The following data type corresponds to the TrustedControllersInformation
// information class.
//
typedef struct _TRUSTED_CONTROLLERS_INFO {
ULONG Entries;
PLSA_UNICODE_STRING Names;
} TRUSTED_CONTROLLERS_INFO, *PTRUSTED_CONTROLLERS_INFO;
// where members have the following meaning:
//
// Entries - Indicate how mamy entries there are in the Names array.
//
// Names - Pointer to an array of LSA_UNICODE_STRING structures containing the
// names of domain controllers of the domain. This information may not
// be accurate and should be used only as a hint. The order of this
// list is considered significant and will be maintained.
//
// By convention, the first name in this list is assumed to be the
// Primary Domain Controller of the domain. If the Primary Domain
// Controller is not known, the first name should be set to the NULL
// string.
//
//
// The following data type corresponds to the TrustedPosixOffsetInformation
// information class.
//
typedef struct _TRUSTED_POSIX_OFFSET_INFO {
ULONG Offset;
} TRUSTED_POSIX_OFFSET_INFO, *PTRUSTED_POSIX_OFFSET_INFO;
// where members have the following meaning:
//
// Offset - Is an offset to use for the generation of Posix user and group
// IDs from SIDs. The Posix ID corresponding to any particular SID is
// generated by adding the RID of that SID to the Offset of the SID's
// corresponding TrustedDomain object.
//
//
// The following data type corresponds to the TrustedPasswordInformation
// information class.
//
typedef struct _TRUSTED_PASSWORD_INFO {
LSA_UNICODE_STRING Password;
LSA_UNICODE_STRING OldPassword;
} TRUSTED_PASSWORD_INFO, *PTRUSTED_PASSWORD_INFO;
typedef LSA_TRUST_INFORMATION TRUSTED_DOMAIN_INFORMATION_BASIC;
typedef PLSA_TRUST_INFORMATION PTRUSTED_DOMAIN_INFORMATION_BASIC;
//
// Direction of the trust
//
#define TRUST_DIRECTION_DISABLED 0x00000000
#define TRUST_DIRECTION_INBOUND 0x00000001
#define TRUST_DIRECTION_OUTBOUND 0x00000002
#define TRUST_DIRECTION_BIDIRECTIONAL (TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND)
#define TRUST_TYPE_DOWNLEVEL 0x00000001 // NT4 and before
#define TRUST_TYPE_UPLEVEL 0x00000002 // NT5
#define TRUST_TYPE_MIT 0x00000003 // Trust with a MIT Kerberos realm
// #define TRUST_TYPE_DCE 0x00000004 // Trust with a DCE realm
// Levels 0x5 - 0x000FFFFF reserved for future use
// Provider specific trust levels are from 0x00100000 to 0xFFF00000
#define TRUST_ATTRIBUTE_NON_TRANSITIVE 0x00000001 // Disallow transitivity
#define TRUST_ATTRIBUTE_UPLEVEL_ONLY 0x00000002 // Trust link only valid for uplevel client
#define TRUST_ATTRIBUTE_QUARANTINED_DOMAIN 0x00000004 // Used to quarantine domains
#define TRUST_ATTRIBUTE_FOREST_TRANSITIVE 0x00000008 // This link may contain forest trust information
#define TRUST_ATTRIBUTE_CROSS_ORGANIZATION 0x00000010 // This trust is to a domain/forest which is not part of this enterprise
#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020 // Trust is internal to this forest
#define TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL 0x00000040 // Trust is to be treated as external for trust boundary purposes
// Trust attributes 0x00000040 through 0x00200000 are reserved for future use
// Trust attributes 0x00400000 through 0x00800000 were used previously (up to W2K) and should not be re-used
// Trust attributes 0x01000000 through 0x80000000 are reserved for user
#define TRUST_ATTRIBUTES_VALID 0xFF03FFFF
#define TRUST_ATTRIBUTES_USER 0xFF000000
typedef struct _TRUSTED_DOMAIN_INFORMATION_EX {
LSA_UNICODE_STRING Name;
LSA_UNICODE_STRING FlatName;
PSID Sid;
ULONG TrustDirection;
ULONG TrustType;
ULONG TrustAttributes;
} TRUSTED_DOMAIN_INFORMATION_EX, *PTRUSTED_DOMAIN_INFORMATION_EX;
typedef struct _TRUSTED_DOMAIN_INFORMATION_EX2 {
LSA_UNICODE_STRING Name;
LSA_UNICODE_STRING FlatName;
PSID Sid;
ULONG TrustDirection;
ULONG TrustType;
ULONG TrustAttributes;
ULONG ForestTrustLength;
#ifdef MIDL_PASS
[size_is( ForestTrustLength )]
#endif
PUCHAR ForestTrustInfo;
} TRUSTED_DOMAIN_INFORMATION_EX2, *PTRUSTED_DOMAIN_INFORMATION_EX2;
//
// Type of authentication information
//
#define TRUST_AUTH_TYPE_NONE 0 // Ignore this entry
#define TRUST_AUTH_TYPE_NT4OWF 1 // NT4 OWF password
#define TRUST_AUTH_TYPE_CLEAR 2 // Cleartext password
#define TRUST_AUTH_TYPE_VERSION 3 // Cleartext password version number
typedef struct _LSA_AUTH_INFORMATION {
LARGE_INTEGER LastUpdateTime;
ULONG AuthType;
ULONG AuthInfoLength;
PUCHAR AuthInfo;
} LSA_AUTH_INFORMATION, *PLSA_AUTH_INFORMATION;
typedef struct _TRUSTED_DOMAIN_AUTH_INFORMATION {
ULONG IncomingAuthInfos;
PLSA_AUTH_INFORMATION IncomingAuthenticationInformation;
PLSA_AUTH_INFORMATION IncomingPreviousAuthenticationInformation;
ULONG OutgoingAuthInfos;
PLSA_AUTH_INFORMATION OutgoingAuthenticationInformation;
PLSA_AUTH_INFORMATION OutgoingPreviousAuthenticationInformation;
} TRUSTED_DOMAIN_AUTH_INFORMATION, *PTRUSTED_DOMAIN_AUTH_INFORMATION;
typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION {
TRUSTED_DOMAIN_INFORMATION_EX Information;
TRUSTED_POSIX_OFFSET_INFO PosixOffset;
TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation;
} TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION;
typedef struct _TRUSTED_DOMAIN_FULL_INFORMATION2 {
TRUSTED_DOMAIN_INFORMATION_EX2 Information;
TRUSTED_POSIX_OFFSET_INFO PosixOffset;
TRUSTED_DOMAIN_AUTH_INFORMATION AuthInformation;
} TRUSTED_DOMAIN_FULL_INFORMATION2, *PTRUSTED_DOMAIN_FULL_INFORMATION2;
typedef enum {
ForestTrustTopLevelName,
ForestTrustTopLevelNameEx,
ForestTrustDomainInfo,
ForestTrustRecordTypeLast = ForestTrustDomainInfo
} LSA_FOREST_TRUST_RECORD_TYPE;
//
// Bottom 16 bits of the flags are reserved for disablement reasons
//
#define LSA_FTRECORD_DISABLED_REASONS ( 0x0000FFFFL )
//
// Reasons for a top-level name forest trust record to be disabled
//
#define LSA_TLN_DISABLED_NEW ( 0x00000001L )
#define LSA_TLN_DISABLED_ADMIN ( 0x00000002L )
#define LSA_TLN_DISABLED_CONFLICT ( 0x00000004L )
//
// Reasons for a domain information forest trust record to be disabled
//
#define LSA_SID_DISABLED_ADMIN ( 0x00000001L )
#define LSA_SID_DISABLED_CONFLICT ( 0x00000002L )
#define LSA_NB_DISABLED_ADMIN ( 0x00000004L )
#define LSA_NB_DISABLED_CONFLICT ( 0x00000008L )
typedef struct _LSA_FOREST_TRUST_DOMAIN_INFO {
#ifdef MIDL_PASS
PISID Sid;
#else
PSID Sid;
#endif
LSA_UNICODE_STRING DnsName;
LSA_UNICODE_STRING NetbiosName;
} LSA_FOREST_TRUST_DOMAIN_INFO, *PLSA_FOREST_TRUST_DOMAIN_INFO;
//
// To prevent huge data to be passed in, we should put a limit on LSA_FOREST_TRUST_BINARY_DATA.
// 128K is large enough that can't be reached in the near future, and small enough not to
// cause memory problems.
#define MAX_FOREST_TRUST_BINARY_DATA_SIZE ( 128 * 1024 )
typedef struct _LSA_FOREST_TRUST_BINARY_DATA {
#ifdef MIDL_PASS
[range(0, MAX_FOREST_TRUST_BINARY_DATA_SIZE)] ULONG Length;
[size_is( Length )] PUCHAR Buffer;
#else
ULONG Length;
PUCHAR Buffer;
#endif
} LSA_FOREST_TRUST_BINARY_DATA, *PLSA_FOREST_TRUST_BINARY_DATA;
typedef struct _LSA_FOREST_TRUST_RECORD {
ULONG Flags;
LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType; // type of record
LARGE_INTEGER Time;
#ifdef MIDL_PASS
[switch_type( LSA_FOREST_TRUST_RECORD_TYPE ), switch_is( ForestTrustType )]
#endif
union { // actual data
#ifdef MIDL_PASS
[case( ForestTrustTopLevelName,
ForestTrustTopLevelNameEx )] LSA_UNICODE_STRING TopLevelName;
[case( ForestTrustDomainInfo )] LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo;
[default] LSA_FOREST_TRUST_BINARY_DATA Data;
#else
LSA_UNICODE_STRING TopLevelName;
LSA_FOREST_TRUST_DOMAIN_INFO DomainInfo;
LSA_FOREST_TRUST_BINARY_DATA Data; // used for unrecognized types
#endif
} ForestTrustData;
} LSA_FOREST_TRUST_RECORD, *PLSA_FOREST_TRUST_RECORD;
//
// To prevent forest trust blobs of large size, number of records must be
// smaller than MAX_RECORDS_IN_FOREST_TRUST_INFO
//
#define MAX_RECORDS_IN_FOREST_TRUST_INFO 4000
typedef struct _LSA_FOREST_TRUST_INFORMATION {
#ifdef MIDL_PASS
[range(0, MAX_RECORDS_IN_FOREST_TRUST_INFO)] ULONG RecordCount;
[size_is( RecordCount )] PLSA_FOREST_TRUST_RECORD * Entries;
#else
ULONG RecordCount;
PLSA_FOREST_TRUST_RECORD * Entries;
#endif
} LSA_FOREST_TRUST_INFORMATION, *PLSA_FOREST_TRUST_INFORMATION;
typedef enum {
CollisionTdo,
CollisionXref,
CollisionOther
} LSA_FOREST_TRUST_COLLISION_RECORD_TYPE;
typedef struct _LSA_FOREST_TRUST_COLLISION_RECORD {
ULONG Index;
LSA_FOREST_TRUST_COLLISION_RECORD_TYPE Type;
ULONG Flags;
LSA_UNICODE_STRING Name;
} LSA_FOREST_TRUST_COLLISION_RECORD, *PLSA_FOREST_TRUST_COLLISION_RECORD;
typedef struct _LSA_FOREST_TRUST_COLLISION_INFORMATION {
ULONG RecordCount;
#ifdef MIDL_PASS
[size_is( RecordCount )]
#endif
PLSA_FOREST_TRUST_COLLISION_RECORD * Entries;
} LSA_FOREST_TRUST_COLLISION_INFORMATION, *PLSA_FOREST_TRUST_COLLISION_INFORMATION;
// end_ntsecapi
//
// Secret object specific access types
//
#define SECRET_SET_VALUE 0x00000001L
#define SECRET_QUERY_VALUE 0x00000002L
#define SECRET_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
SECRET_SET_VALUE |\
SECRET_QUERY_VALUE)
#define SECRET_READ (STANDARD_RIGHTS_READ |\
SECRET_QUERY_VALUE)
#define SECRET_WRITE (STANDARD_RIGHTS_WRITE |\
SECRET_SET_VALUE)
#define SECRET_EXECUTE (STANDARD_RIGHTS_EXECUTE)
//
// Global secret object prefix
//
#define LSA_GLOBAL_SECRET_PREFIX L"G$"
#define LSA_GLOBAL_SECRET_PREFIX_LENGTH 2
#define LSA_LOCAL_SECRET_PREFIX L"L$"
#define LSA_LOCAL_SECRET_PREFIX_LENGTH 2
#define LSA_MACHINE_SECRET_PREFIX L"M$"
#define LSA_MACHINE_SECRET_PREFIX_LENGTH \
( ( sizeof( LSA_MACHINE_SECRET_PREFIX ) - sizeof( WCHAR ) ) / sizeof( WCHAR ) )
//
// Secret object specific data types.
//
//
// Secret object limits
//
#define LSA_SECRET_MAXIMUM_COUNT 0x00001000L
#define LSA_SECRET_MAXIMUM_LENGTH 0x00000200L
// begin_ntsecapi
//
// LSA Enumeration Context
//
typedef ULONG LSA_ENUMERATION_HANDLE, *PLSA_ENUMERATION_HANDLE;
//
// LSA Enumeration Information
//
typedef struct _LSA_ENUMERATION_INFORMATION {
PSID Sid;
} LSA_ENUMERATION_INFORMATION, *PLSA_ENUMERATION_INFORMATION;
////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Miscellaneous API function prototypes //
// //
////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaFreeMemory(
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaClose(
IN LSA_HANDLE ObjectHandle
);
// end_ntsecapi
NTSTATUS
NTAPI
LsaDelete(
IN LSA_HANDLE ObjectHandle
);
NTSTATUS
NTAPI
LsaQuerySecurityObject(
IN LSA_HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR *SecurityDescriptor
);
NTSTATUS
NTAPI
LsaSetSecurityObject(
IN LSA_HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTSTATUS
NTAPI
LsaChangePassword(
IN PLSA_UNICODE_STRING ServerName,
IN PLSA_UNICODE_STRING DomainName,
IN PLSA_UNICODE_STRING AccountName,
IN PLSA_UNICODE_STRING OldPassword,
IN PLSA_UNICODE_STRING NewPassword
);
// begin_ntsecapi
typedef struct _SECURITY_LOGON_SESSION_DATA {
ULONG Size ;
LUID LogonId ;
LSA_UNICODE_STRING UserName ;
LSA_UNICODE_STRING LogonDomain ;
LSA_UNICODE_STRING AuthenticationPackage ;
ULONG LogonType ;
ULONG Session ;
PSID Sid ;
LARGE_INTEGER LogonTime ;
//
// new for whistler:
//
LSA_UNICODE_STRING LogonServer ;
LSA_UNICODE_STRING DnsDomainName ;
LSA_UNICODE_STRING Upn ;
} SECURITY_LOGON_SESSION_DATA, * PSECURITY_LOGON_SESSION_DATA ;
NTSTATUS
NTAPI
LsaEnumerateLogonSessions(
OUT PULONG LogonSessionCount,
OUT PLUID * LogonSessionList
);
NTSTATUS
NTAPI
LsaGetLogonSessionData(
IN PLUID LogonId,
OUT PSECURITY_LOGON_SESSION_DATA * ppLogonSessionData
);
// end_ntsecapi
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Policy Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
// begin_ntsecapi
NTSTATUS
NTAPI
LsaOpenPolicy(
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
IN ACCESS_MASK DesiredAccess,
IN OUT PLSA_HANDLE PolicyHandle
);
// end_ntsecapi
NTSTATUS
NTAPI
LsaOpenPolicySce(
IN PLSA_UNICODE_STRING SystemName OPTIONAL,
IN PLSA_OBJECT_ATTRIBUTES ObjectAttributes,
IN ACCESS_MASK DesiredAccess,
IN OUT PLSA_HANDLE PolicyHandle
);
// begin_ntsecapi
NTSTATUS
NTAPI
LsaQueryInformationPolicy(
IN LSA_HANDLE PolicyHandle,
IN POLICY_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetInformationPolicy(
IN LSA_HANDLE PolicyHandle,
IN POLICY_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaQueryDomainInformationPolicy(
IN LSA_HANDLE PolicyHandle,
IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetDomainInformationPolicy(
IN LSA_HANDLE PolicyHandle,
IN POLICY_DOMAIN_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaRegisterPolicyChangeNotification(
IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass,
IN HANDLE NotificationEventHandle
);
NTSTATUS
NTAPI
LsaUnregisterPolicyChangeNotification(
IN POLICY_NOTIFICATION_INFORMATION_CLASS InformationClass,
IN HANDLE NotificationEventHandle
);
// end_ntsecapi
NTSTATUS
NTAPI
LsaClearAuditLog(
IN LSA_HANDLE PolicyHandle
);
NTSTATUS
NTAPI
LsaCreateAccount(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE AccountHandle
);
NTSTATUS
NTAPI
LsaEnumerateAccounts(
IN LSA_HANDLE PolicyHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PVOID *EnumerationBuffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
NTAPI
LsaCreateTrustedDomain(
IN LSA_HANDLE PolicyHandle,
IN PLSA_TRUST_INFORMATION TrustedDomainInformation,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE TrustedDomainHandle
);
// begin_ntsecapi
NTSTATUS
NTAPI
LsaEnumerateTrustedDomains(
IN LSA_HANDLE PolicyHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
// end_ntsecapi
NTSTATUS
NTAPI
LsaEnumeratePrivileges(
IN LSA_HANDLE PolicyHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
// begin_ntsecapi
NTSTATUS
NTAPI
LsaLookupNames(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PLSA_UNICODE_STRING Names,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_SID *Sids
);
NTSTATUS
NTAPI
LsaLookupNames2(
IN LSA_HANDLE PolicyHandle,
IN ULONG Flags, // Reserved
IN ULONG Count,
IN PLSA_UNICODE_STRING Names,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_SID2 *Sids
);
NTSTATUS
NTAPI
LsaLookupSids(
IN LSA_HANDLE PolicyHandle,
IN ULONG Count,
IN PSID *Sids,
OUT PLSA_REFERENCED_DOMAIN_LIST *ReferencedDomains,
OUT PLSA_TRANSLATED_NAME *Names
);
// end_ntsecapi
NTSTATUS
NTAPI
LsaCreateSecret(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING SecretName,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE SecretHandle
);
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Account Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaOpenAccount(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE AccountHandle
);
NTSTATUS
NTAPI
LsaEnumeratePrivilegesOfAccount(
IN LSA_HANDLE AccountHandle,
OUT PPRIVILEGE_SET *Privileges
);
NTSTATUS
NTAPI
LsaAddPrivilegesToAccount(
IN LSA_HANDLE AccountHandle,
IN PPRIVILEGE_SET Privileges
);
NTSTATUS
NTAPI
LsaRemovePrivilegesFromAccount(
IN LSA_HANDLE AccountHandle,
IN BOOLEAN AllPrivileges,
IN PPRIVILEGE_SET Privileges
);
NTSTATUS
NTAPI
LsaGetQuotasForAccount(
IN LSA_HANDLE AccountHandle,
OUT PQUOTA_LIMITS QuotaLimits
);
NTSTATUS
NTAPI
LsaSetQuotasForAccount(
IN LSA_HANDLE AccountHandle,
IN PQUOTA_LIMITS QuotaLimits
);
NTSTATUS
NTAPI
LsaGetSystemAccessAccount(
IN LSA_HANDLE AccountHandle,
OUT PULONG SystemAccess
);
NTSTATUS
NTAPI
LsaSetSystemAccessAccount(
IN LSA_HANDLE AccountHandle,
IN ULONG SystemAccess
);
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Trusted Domain Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaOpenTrustedDomain(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE TrustedDomainHandle
);
NTSTATUS
NTAPI
LsaQueryInfoTrustedDomain(
IN LSA_HANDLE TrustedDomainHandle,
IN TRUSTED_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetInformationTrustedDomain(
IN LSA_HANDLE TrustedDomainHandle,
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Secret Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaOpenSecret(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING SecretName,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE SecretHandle
);
NTSTATUS
NTAPI
LsaSetSecret(
IN LSA_HANDLE SecretHandle,
IN OPTIONAL PLSA_UNICODE_STRING CurrentValue,
IN OPTIONAL PLSA_UNICODE_STRING OldValue
);
NTSTATUS
NTAPI
LsaQuerySecret(
IN LSA_HANDLE SecretHandle,
OUT OPTIONAL PLSA_UNICODE_STRING *CurrentValue,
OUT OPTIONAL PLARGE_INTEGER CurrentValueSetTime,
OUT OPTIONAL PLSA_UNICODE_STRING *OldValue,
OUT OPTIONAL PLARGE_INTEGER OldValueSetTime
);
/////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Privilege Object API Prototypes //
// //
/////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaLookupPrivilegeValue(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING Name,
OUT PLUID Value
);
NTSTATUS
NTAPI
LsaLookupPrivilegeName(
IN LSA_HANDLE PolicyHandle,
IN PLUID Value,
OUT PLSA_UNICODE_STRING *Name
);
NTSTATUS
NTAPI
LsaLookupPrivilegeDisplayName(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING Name,
OUT PLSA_UNICODE_STRING *DisplayName,
OUT PSHORT LanguageReturned
);
/////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - New APIs for NT 4.0 (SUR release) //
// //
/////////////////////////////////////////////////////////////////////////
NTSTATUS
LsaGetUserName(
OUT PLSA_UNICODE_STRING * UserName,
OUT OPTIONAL PLSA_UNICODE_STRING * DomainName
);
NTSTATUS
LsaGetRemoteUserName(
IN OPTIONAL PLSA_UNICODE_STRING SystemName,
OUT PLSA_UNICODE_STRING * UserName,
OUT OPTIONAL PLSA_UNICODE_STRING * DomainName
);
/////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - New APIs for NT 3.51 (PPC release) //
// //
/////////////////////////////////////////////////////////////////////////
// begin_ntsecapi
#define SE_INTERACTIVE_LOGON_NAME TEXT("SeInteractiveLogonRight")
#define SE_NETWORK_LOGON_NAME TEXT("SeNetworkLogonRight")
#define SE_BATCH_LOGON_NAME TEXT("SeBatchLogonRight")
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
#define SE_DENY_INTERACTIVE_LOGON_NAME TEXT("SeDenyInteractiveLogonRight")
#define SE_DENY_NETWORK_LOGON_NAME TEXT("SeDenyNetworkLogonRight")
#define SE_DENY_BATCH_LOGON_NAME TEXT("SeDenyBatchLogonRight")
#define SE_DENY_SERVICE_LOGON_NAME TEXT("SeDenyServiceLogonRight")
#define SE_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeRemoteInteractiveLogonRight")
#define SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME TEXT("SeDenyRemoteInteractiveLogonRight")
//
// This new API returns all the accounts with a certain privilege
//
NTSTATUS
NTAPI
LsaEnumerateAccountsWithUserRight(
IN LSA_HANDLE PolicyHandle,
IN OPTIONAL PLSA_UNICODE_STRING UserRights,
OUT PVOID *EnumerationBuffer,
OUT PULONG CountReturned
);
//
// These new APIs differ by taking a SID instead of requiring the caller
// to open the account first and passing in an account handle
//
NTSTATUS
NTAPI
LsaEnumerateAccountRights(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
OUT PLSA_UNICODE_STRING *UserRights,
OUT PULONG CountOfRights
);
NTSTATUS
NTAPI
LsaAddAccountRights(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
IN PLSA_UNICODE_STRING UserRights,
IN ULONG CountOfRights
);
NTSTATUS
NTAPI
LsaRemoveAccountRights(
IN LSA_HANDLE PolicyHandle,
IN PSID AccountSid,
IN BOOLEAN AllRights,
IN PLSA_UNICODE_STRING UserRights,
IN ULONG CountOfRights
);
///////////////////////////////////////////////////////////////////////////////
// //
// Local Security Policy - Trusted Domain Object API function prototypes //
// //
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
NTAPI
LsaOpenTrustedDomainByName(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING TrustedDomainName,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE TrustedDomainHandle
);
NTSTATUS
NTAPI
LsaQueryTrustedDomainInfo(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid,
IN TRUSTED_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetTrustedDomainInformation(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid,
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaDeleteTrustedDomain(
IN LSA_HANDLE PolicyHandle,
IN PSID TrustedDomainSid
);
NTSTATUS
NTAPI
LsaQueryTrustedDomainInfoByName(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING TrustedDomainName,
IN TRUSTED_INFORMATION_CLASS InformationClass,
OUT PVOID *Buffer
);
NTSTATUS
NTAPI
LsaSetTrustedDomainInfoByName(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING TrustedDomainName,
IN TRUSTED_INFORMATION_CLASS InformationClass,
IN PVOID Buffer
);
NTSTATUS
NTAPI
LsaEnumerateTrustedDomainsEx(
IN LSA_HANDLE PolicyHandle,
IN OUT PLSA_ENUMERATION_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
NTAPI
LsaCreateTrustedDomainEx(
IN LSA_HANDLE PolicyHandle,
IN PTRUSTED_DOMAIN_INFORMATION_EX TrustedDomainInformation,
IN PTRUSTED_DOMAIN_AUTH_INFORMATION AuthenticationInformation,
IN ACCESS_MASK DesiredAccess,
OUT PLSA_HANDLE TrustedDomainHandle
);
NTSTATUS
NTAPI
LsaQueryForestTrustInformation(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING TrustedDomainName,
OUT PLSA_FOREST_TRUST_INFORMATION * ForestTrustInfo
);
NTSTATUS
NTAPI
LsaSetForestTrustInformation(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING TrustedDomainName,
IN PLSA_FOREST_TRUST_INFORMATION ForestTrustInfo,
IN BOOLEAN CheckOnly,
OUT PLSA_FOREST_TRUST_COLLISION_INFORMATION * CollisionInfo
);
// #define TESTING_MATCHING_ROUTINE
#ifdef TESTING_MATCHING_ROUTINE
NTSTATUS
NTAPI
LsaForestTrustFindMatch(
IN LSA_HANDLE PolicyHandle,
IN ULONG Type,
IN PLSA_UNICODE_STRING Name,
OUT PLSA_UNICODE_STRING * Match
);
#endif
//
// This API sets the workstation password (equivalent of setting/getting
// the SSI_SECRET_NAME secret)
//
NTSTATUS
NTAPI
LsaStorePrivateData(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING KeyName,
IN PLSA_UNICODE_STRING PrivateData
);
NTSTATUS
NTAPI
LsaRetrievePrivateData(
IN LSA_HANDLE PolicyHandle,
IN PLSA_UNICODE_STRING KeyName,
OUT PLSA_UNICODE_STRING * PrivateData
);
ULONG
NTAPI
LsaNtStatusToWinError(
NTSTATUS Status
);
//
// Define a symbol so we can tell if ntifs.h has been included.
//
// begin_ntifs
#ifndef _NTLSA_IFS_
#define _NTLSA_IFS_
#endif
// end_ntifs
//
// SPNEGO package stuff
//
enum NEGOTIATE_MESSAGES {
NegEnumPackagePrefixes = 0,
NegGetCallerName = 1,
NegCallPackageMax
} ;
#define NEGOTIATE_MAX_PREFIX 32
typedef struct _NEGOTIATE_PACKAGE_PREFIX {
ULONG_PTR PackageId ;
PVOID PackageDataA ;
PVOID PackageDataW ;
ULONG_PTR PrefixLen ;
UCHAR Prefix[ NEGOTIATE_MAX_PREFIX ];
} NEGOTIATE_PACKAGE_PREFIX, * PNEGOTIATE_PACKAGE_PREFIX ;
typedef struct _NEGOTIATE_PACKAGE_PREFIXES {
ULONG MessageType ;
ULONG PrefixCount ;
ULONG Offset ; // Offset to array of _PREFIX above
ULONG Pad ; // Align structure for 64-bit
} NEGOTIATE_PACKAGE_PREFIXES, *PNEGOTIATE_PACKAGE_PREFIXES ;
typedef struct _NEGOTIATE_CALLER_NAME_REQUEST {
ULONG MessageType ;
LUID LogonId ;
} NEGOTIATE_CALLER_NAME_REQUEST, *PNEGOTIATE_CALLER_NAME_REQUEST ;
typedef struct _NEGOTIATE_CALLER_NAME_RESPONSE {
ULONG MessageType ;
PWSTR CallerName ;
} NEGOTIATE_CALLER_NAME_RESPONSE, * PNEGOTIATE_CALLER_NAME_RESPONSE ;
// end_ntsecapi
#define NEGOTIATE_ALLOW_NTLM 0x10000000
#define NEGOTIATE_NEG_NTLM 0x20000000
//
// Define parallel structures for WOW64 environment. These
// *must* stay in sync with their complements above.
//
typedef struct _NEGOTIATE_PACKAGE_PREFIX_WOW {
ULONG PackageId ;
ULONG PackageDataA ;
ULONG PackageDataW ;
ULONG PrefixLen ;
UCHAR Prefix[ NEGOTIATE_MAX_PREFIX ];
} NEGOTIATE_PACKAGE_PREFIX_WOW, * PNEGOTIATE_PACKAGE_PREFIX_WOW ;
typedef struct _NEGOTIATE_CALLER_NAME_RESPONSE_WOW {
ULONG MessageType ;
ULONG CallerName ;
} NEGOTIATE_CALLER_NAME_RESPONSE_WOW, * PNEGOTIATE_CALLER_NAME_RESPONSE_WOW ;
NTSTATUS
NTAPI
LsaSetPolicyReplicationHandle(
IN OUT PLSA_HANDLE PolicyHandle
);
#ifdef __cplusplus
}
#endif
#endif // _NTLSA_