3.1.4.5.3 LsarOpenAccount (Opnum 17)
The LsarOpenAccount method is invoked to obtain a handle to an account object.
-
NTSTATUS LsarOpenAccount( [in] LSAPR_HANDLE PolicyHandle, [in] PRPC_SID AccountSid, [in] ACCESS_MASK DesiredAccess, [out] LSAPR_HANDLE* AccountHandle );
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.
AccountSid: A SID of the account to be opened.
DesiredAccess: A bitmask specifying accesses to be granted to the opened account at this time.
AccountHandle: Used to return a handle to the opened account object.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
-
Return value/code
Description
0x00000000
STATUS_SUCCESS
The request was successfully completed.
0xC0000022
STATUS_ACCESS_DENIED
The caller does not have the permissions to perform this operation.
0xC000000D
STATUS_INVALID_PARAMETER
Some of the parameters supplied are incorrect. For instance, this can happen when AccountSid is NULL.
0xC0000034
STATUS_OBJECT_NAME_NOT_FOUND
An account with this SID does not exist in the server's database.
0xC0000008
STATUS_INVALID_HANDLE
PolicyHandle is not a valid handle.
Processing:
This message takes four arguments:
PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. PolicyHandle.GrantedAccess MUST NOT be considered for this call, because the access check MUST happen on the account object.
AccountSid: The SID of the account to be opened. The server MUST verify that the SID is valid and fail the request with STATUS_INVALID_PARAMETER otherwise. The server MUST verify that the account object with this SID exists in its policy database and fail the request with STATUS_OBJECT_NAME_NOT_FOUND otherwise.
DesiredAccess: A bitmask specifying the type of access the caller attempts to obtain from the account object, which is access-checked according to section 3.1.4.2.1. The method-specific portion of the check is the following.
-
IF (IsRequestorAnonymous() and LsaRestrictAnonymous is set to TRUE) THEN Return STATUS_OBJECT_NAME_NOT_FOUND END IF
The valid account rights bits are specified in section 2.2.1.1.3, and the security descriptor is specified in section 3.1.1.3. The IsRequestorAnonymous procedure is specified in section 3.1.4.2.3.
AccountHandle: If the request is successful, this parameter is used to return a handle (section 3.1.1.7) to the opened account object with its fields initialized as follows:
LsaContextHandle.HandleType = "Account"
LsaContextHandle.Object = the account object
LsaContextHandle.GrantedAccess = as specified in section 3.1.4.2.1