3.1.4.4.7 LsarQueryDomainInformationPolicy (Opnum 53)

  • Article

The LsarQueryDomainInformationPolicy method is invoked to retrieve policy settings in addition to those exposed through LsarQueryInformationPolicy and LsarSetInformationPolicy2. Despite the term "Domain" in the name of the method, processing of this message occurs with local data, and furthermore, there is no requirement that this data have any relationship with the LSA information in the domain to which the machine is joined.

 NTSTATUS LsarQueryDomainInformationPolicy(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] POLICY_DOMAIN_INFORMATION_CLASS InformationClass,
   [out, switch_is(InformationClass)] 
     PLSAPR_POLICY_DOMAIN_INFORMATION* PolicyDomainInformation
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

InformationClass: A parameter that specifies what type of information the caller is requesting.

PolicyDomainInformation: A parameter that references policy information structure on return.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC000000D

STATUS_INVALID_PARAMETER

One of the supplied arguments was invalid.

0xC0000034

STATUS_OBJECT_NAME_NOT_FOUND

No value has been set for this policy.

0xC0000008

STATUS_INVALID_HANDLE

PolicyHandle is not a valid handle.

Processing:

If the InformationClass parameter is PolicyDomainEfsInformation, and the responder does not support Encrypting File System (EFS) Policy Information as specified in section 3.1.1.1, the request MUST fail with STATUS_OBJECT_NAME_NOT_FOUND.

If the InformationClass parameter is PolicyDomainQualityOfServiceInformation, and the responder implementation does not support Quality Of Service Information as specified in section 3.1.1.1, the request MUST fail with STATUS_INVALID_PARAMETER.

If PolicyHandle is not a valid context handle or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE.

The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value.

InformationClass value

RequiredAccess value

PolicyDomainQualityOfServiceInformation

POLICY_VIEW_AUDIT_INFORMATION

PolicyDomainEfsInformation

POLICY_VIEW_LOCAL_INFORMATION

PolicyDomainKerberosTicketInformation

POLICY_VIEW_LOCAL_INFORMATION

The InformationClass parameter can take on any value in the POLICY_DOMAIN_INFORMATION_CLASS enumeration range. For all values outside this range, the server MUST return the STATUS_INVALID_PARAMETER error code.

PolicyDomainInformation is an output parameter. The server MUST fill it with the information requested by the client, based on the value of the InformationClass parameter and the abstract data model specified in section 3.1.1.1. If the information has not been set before, the request MUST fail with STATUS_OBJECT_NAME_NOT_FOUND.

Value of InformationClass parameter

Information returned to caller from abstract data model

PolicyDomainQualityOfServiceInformation

Quality Of Service Information

PolicyDomainEfsInformation

EFS Policy Information

PolicyDomainKerberosTicketInformation

Kerberos Policy Information