3.1.4.5.10 LsarEnumerateAccountRights (Opnum 36)

The LsarEnumerateAccountRights method is invoked to retrieve a list of rights associated with an existing account.

 NTSTATUS LsarEnumerateAccountRights(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] PRPC_SID AccountSid,
   [out] PLSAPR_USER_RIGHT_SET UserRights
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

AccountSid: A SID of the account object that the caller is inquiring about.

UserRights: Used to return a list of right names associated with the account.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code                         Description
0x00000000 STATUS_SUCCESS                 The request was successfully completed.
0xC0000022 STATUS_ACCESS_DENIED           The caller does not have the permissions to perform this operation.
0xC000000D STATUS_INVALID_PARAMETER       One or more of the supplied parameters was invalid.
0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND   The specified account object does not exist.
0xC0000008 STATUS_INVALID_HANDLE          PolicyHandle is not a valid handle.

Processing:

This message takes two arguments:

PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to ACCOUNT_VIEW.

AccountSid: A SID of the account to query. The server MUST verify that the SID pointed to by AccountSid is valid and fail the request with STATUS_INVALID_PARAMETER otherwise. If IsRequestorAnonymous() returns TRUE (section 3.1.4.2.3) and LsaRestrictAnonymous is set to TRUE, the call MUST fail with STATUS_OBJECT_NAME_NOT_FOUND. The server MUST verify that such an account exists in its database and fail the request with STATUS_OBJECT_NAME_NOT_FOUND otherwise.

The server MUST return the string names of all the system access rights and privileges associated with the account. It is valid for the server to return an empty set if the account object does not contain any rights.
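The following is an added example, not part of the specification, that models the server-side processing rules of this section as a small Python function: it applies the handle, access, SID, anonymous-requestor and existence checks in the order given above and returns the NTSTATUS codes from the return-value table together with the right names. The account database, SID syntax check and the access-mask value used for ACCOUNT_VIEW are assumptions made for the example (the section names ACCOUNT_VIEW but does not define its value here).

```python
"""Model of the server-side processing rules for LsarEnumerateAccountRights.

Added illustration; not the specification's or any implementation's code.
"""
import re
from dataclasses import dataclass, field

# NTSTATUS values taken from the return-value table of this section.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_INVALID_HANDLE = 0xC0000008

# Assumed access-mask bit for ACCOUNT_VIEW; this section names the right
# but does not give its numeric value, so the example picks one.
ACCOUNT_VIEW = 0x00000001

# Constructed syntax check for a string SID: "S-1-<authority>-<subauth>[-<subauth>...]".
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


@dataclass
class PolicyHandle:
    """Constructed stand-in for an LSAPR_HANDLE context handle."""
    handle_type: str        # only "Policy" is acceptable for this method
    granted_access: int     # access mask granted when the handle was opened
    is_valid: bool = True   # False models a closed or never-opened context handle


@dataclass
class LsaServer:
    """Constructed in-memory LSA database: SID string -> set of right names."""
    accounts: dict = field(default_factory=dict)
    lsa_restrict_anonymous: bool = False

    def enumerate_account_rights(self, policy_handle, account_sid, requestor_anonymous=False):
        """Apply the section's checks in order; return (NTSTATUS, rights or None)."""
        # PolicyHandle: must be a valid context handle whose HandleType is "Policy".
        if not policy_handle.is_valid or policy_handle.handle_type != "Policy":
            return STATUS_INVALID_HANDLE, None
        # Access check per section 3.1.4.2.2 with RequiredAccess = ACCOUNT_VIEW.
        if policy_handle.granted_access & ACCOUNT_VIEW == 0:
            return STATUS_ACCESS_DENIED, None
        # AccountSid: must point to a well-formed SID.
        if not isinstance(account_sid, str) or not _SID_RE.match(account_sid):
            return STATUS_INVALID_PARAMETER, None
        # Anonymous requestor with LsaRestrictAnonymous set: fail exactly as if the
        # account did not exist, so the response does not reveal whether it does.
        if requestor_anonymous and self.lsa_restrict_anonymous:
            return STATUS_OBJECT_NAME_NOT_FOUND, None
        # The account must exist in the server's database.
        if account_sid not in self.accounts:
            return STATUS_OBJECT_NAME_NOT_FOUND, None
        # Return every right name held by the account; an empty list is a valid result.
        return STATUS_SUCCESS, sorted(self.accounts[account_sid])


def build_sample_server():
    """Constructed sample database used for the demonstration below."""
    return LsaServer(
        accounts={
            "S-1-5-21-1-2-3-1001": {"SeServiceLogonRight", "SeBackupPrivilege"},
            "S-1-5-21-1-2-3-1002": set(),   # exists, but holds no rights
        },
        lsa_restrict_anonymous=True,
    )


if __name__ == "__main__":
    server = build_sample_server()
    handle = PolicyHandle("Policy", ACCOUNT_VIEW)
    for sid in ("S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1002", "S-1-5-21-1-2-3-9999"):
        status, rights = server.enumerate_account_rights(handle, sid)
        print(f"{sid}: 0x{status:08X} {rights}")
```

Note that an existing account with no rights yields STATUS_SUCCESS with an empty set, whereas a missing account (or an anonymous caller under LsaRestrictAnonymous) yields STATUS_OBJECT_NAME_NOT_FOUND; the two cases are deliberately distinguishable to an authorized caller and deliberately indistinguishable to a restricted anonymous one.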