
Security Management Functions

This section contains topics for the following groups of functions:

Attachment Callback Functions

The following support functions are provided by the Security Configuration tool set and may be used by attachment engines and extension snap-ins to read and write configuration data.

| Callback function | Description |
| --- | --- |
| PFSCE_FREE_INFO | Used to free memory allocated by these support functions. |
| PFSCE_LOG_INFO | Used to log a message to the configuration log file or analysis log file. |
| PFSCE_QUERY_INFO | Used to query the configuration and analysis information for a specific service. |
| PFSCE_SET_INFO | Used to set configuration and analysis information for a specific service. |

Attachment Engine Functions

| Function | Description |
| --- | --- |
| SceSvcAttachmentAnalyze | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is analyzed. |
| SceSvcAttachmentConfig | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is configured. |
| SceSvcAttachmentUpdate | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when it receives a configuration update request from the attachment snap-in extension. |

LSA Policy Functions

The following topics provide reference information for the Local Security Authority (LSA) Policy functions.

| Topic | Description |
| --- | --- |
| Policy Functions | Details functions used to open the local Policy object and to set or retrieve global policy information. |
| Account Functions | Details functions used to manage account permissions and to create and delete user accounts. |
| Trusted Domain Functions | Details functions used to create and delete trusted domain relationships and to set and retrieve information about those trusted domains. |
| Private Data Functions | Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions. |
| Miscellaneous Functions | Details functions not described elsewhere. |

Policy Functions

The following functions enumerate user accounts and trusted domains, receive policy change notifications, and look up account names and SIDs.

| Function | Description |
| --- | --- |
| LsaEnumerateAccountsWithUserRight | Enumerates all the accounts that have a specified user permission. |
| LsaEnumerateTrustedDomainsEx | Enumerates the trusted domains. |
| LsaLookupNames | Maps the specified names to their SIDs. Returns the SID as an RID/Domain SID pair. |
| LsaLookupNames2 | Maps the specified names to their SIDs. Returns the SID as a single element. |
| LsaLookupPrivilegeValue | Retrieves the locally unique identifier (LUID) used by the Local Security Authority (LSA) to represent the specified privilege name. |
| LsaLookupSids | Maps the specified account names to their SIDs. |
| LsaRegisterPolicyChangeNotification | Registers an event object to receive notifications when the local policy information changes. |
| LsaUnregisterPolicyChangeNotification | Unregisters an event object that is receiving policy change notifications. |

Account Functions

The following functions add, enumerate, and delete permissions for an account.

| Function | Description |
| --- | --- |
| LsaAddAccountRights | Add permissions to an account. If the account does not already exist, it is created. |
| LsaEnumerateAccountRights | Enumerate the permissions granted to an account. |
| LsaRemoveAccountRights | Remove permissions from an account. When all the permissions are removed, the account is deleted. |

Trusted Domain Functions

The following functions create, enumerate, and delete trusted domains and set and retrieve trusted domain information.

| Function | Description |
| --- | --- |
| LsaCreateTrustedDomainEx | Creates a new TrustedDomain object. |
| LsaDeleteTrustedDomain | Removes a TrustedDomain object. |
| LsaEnumerateTrustedDomains | |
| LsaEnumerateTrustedDomainsEx | Enumerates the domains currently trusted by the local system. |
| LsaOpenTrustedDomainByName | Opens a handle to a TrustedDomain object. |
| LsaQueryTrustedDomainInfo | Retrieves information about a trusted domain. The domain is specified by SID. |
| LsaQueryTrustedDomainInfoByName | Retrieves information about a trusted domain. The domain is specified by name. |
| LsaSetTrustedDomainInfoByName | Sets information for a trusted domain. The domain is specified by name. |
| LsaSetTrustedDomainInformation | Sets information for a trusted domain. The domain is specified by SID. |

Private Data Functions

Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions.

| Function | Description |
| --- | --- |
| LsaRetrievePrivateData | Retrieves and decrypts a string. |
| LsaStorePrivateData | Encrypts and stores a string. |

Miscellaneous Functions

The LSA Policy API has the following three functions that do not fit into any of the other LSA Policy function categories.

| Function | Description |
| --- | --- |
| LsaClose | Closes a handle to a Policy object or a TrustedDomain object. |
| LsaFreeMemory | Frees a buffer allocated by an LSA function. |
| LsaNtStatusToWinError | Converts an NTSTATUS value to a Windows error code. |

Managed Service Account Functions

The following functions are used to create, enumerate, find, and delete managed service accounts.

| Function | Description |
| --- | --- |
| NetAddServiceAccount | Creates a managed service account. |
| NetEnumerateServiceAccounts | Enumerates the service accounts on the specified server. |
| NetIsServiceAccount | Tests whether the specified service account exists in the Netlogon store on the specified server. |
| NetRemoveServiceAccount | Deletes the specified service account from the Active Directory database. |

Password Filter Functions

The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.

| Function | Description |
| --- | --- |
| InitializeChangeNotify | Indicates that a password filter DLL is initialized. |
| PasswordChangeNotify | Indicates that a password has been changed. |
| PasswordFilter | Validates a new password based on password policy. |

Safer Functions

The following Safer functions can be used to check the safer level of any executable and to log events.

| Function | Description |
| --- | --- |
| SaferCloseLevel | Closes a SAFER_LEVEL_HANDLE opened by using the SaferIdentifyLevel function or the SaferCreateLevel function. |
| SaferComputeTokenFromLevel | Restricts a token using restrictions specified by a SAFER_LEVEL_HANDLE. |
| SaferCreateLevel | Opens a SAFER_LEVEL_HANDLE. |
| SaferGetLevelInformation | Retrieves information about a policy level. |
| SaferGetPolicyInformation | Retrieves information about a policy. |
| SaferIdentifyLevel | Retrieves information about a level. |
| SaferiIsExecutableFileType | Determines whether a specified file is an executable file. |
| SaferRecordEventLogEntry | Sends a message to the event log. |
| SaferSetLevelInformation | Sets the information about a policy level. |
| SaferSetPolicyInformation | Sets the global policy controls. |

© 2014 Microsoft