LsarOpenPolicy2 (Opnum 44)

The LsarOpenPolicy2 method opens a context handle to the RPC server. This is the first function that MUST be called to contact the Local Security Authority (Domain Policy) Remote Protocol database.

 NTSTATUS LsarOpenPolicy2(
   [in, unique, string] wchar_t* SystemName,
   [in] PLSAPR_OBJECT_ATTRIBUTES ObjectAttributes,
   [in] ACCESS_MASK DesiredAccess,
   [out] LSAPR_HANDLE* PolicyHandle
 );

SystemName: This parameter does not have any effect on message processing in any environment. It MUST be ignored on receipt.

ObjectAttributes: This parameter does not have any effect on message processing in any environment. All fields MUST<54> be ignored except RootDirectory, which MUST be NULL.

DesiredAccess: An ACCESS_MASK value that specifies the requested access rights that MUST be granted on the returned PolicyHandle if the request is successful.

PolicyHandle: An RPC context handle (as specified in section ) that represents a reference to the abstract data model of a policy object (as specified in section ).

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing below.

Return value/code          Description

STATUS_SUCCESS             The request was successfully completed.

                           The caller does not have the permissions to perform this operation.

                           One of the supplied parameters is incorrect. For example, this can happen when ObjectAttributes is NULL or DesiredAccess is zero.


DesiredAccess: A bitmask specifying the access that the caller attempts to obtain on the policy object, which is access-checked according to section . The method-specific portion of the check is the following:

 LET serverInfo be a SERVER_INFO_101 structure
 CALL ServerGetInfo(101, &serverInfo)
 LET isDomainController be a boolean initialized to FALSE
 IF (serverInfo.sv101_version_type & (SV_TYPE_DOMAIN_CTRL | SV_TYPE_DOMAIN_BAKCTRL)) THEN
     Set isDomainController equal to TRUE
 END IF
 IF ((isDomainController equals FALSE) and (IsRequestorAnonymous() and LsaRestrictAnonymous is set to TRUE)) THEN
     Return the access-denied error listed under Return Values
 END IF

SERVER_INFO_101, SV_TYPE_DOMAIN_CTRL, and SV_TYPE_DOMAIN_BAKCTRL are specified in [MS-DTYP] section 2.3.12. The ServerGetInfo procedure is specified in [MS-DTYP] section 2.6. The valid account-rights bits are specified in section , and the security descriptor is specified in section . The IsRequestorAnonymous procedure is specified in section .

PolicyHandle: If the request is successful, the server MUST create and return a context handle (section ) via PolicyHandle, with its fields initialized as follows:

  • LsaContextHandle.HandleType = "Policy"

  • LsaContextHandle.Object = the policy object

  • LsaContextHandle.GrantedAccess = as specified in section

The return value MUST be set to STATUS_SUCCESS in this case.
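The following is an added example and is not part of [MS-LSAD] or of any Windows implementation: a Python model of the message processing above (parameter validation, the method-specific anonymous-caller check, and the context-handle fields set on success), run against constructed requests. The numeric NTSTATUS values are taken from [MS-ERREF], the sv101_version_type bits from [MS-DTYP] section 2.3.12, and the two sample access rights from [MS-LSAD] section 2.2.1.1.2; only STATUS_SUCCESS is named on this page. The ServerState and ObjectAttributes classes, the grant_as_requested placeholder standing in for the generic access check (whose section reference is elided here), and the treatment of a non-NULL RootDirectory as a parameter error are assumptions of this example.

```python
# Added example, not code from [MS-LSAD]: a model of LsarOpenPolicy2 message processing.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# NTSTATUS codes ([MS-ERREF] 2.3); only STATUS_SUCCESS is named on this page.
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_ACCESS_DENIED = 0xC0000022

# sv101_version_type bits ([MS-DTYP] 2.3.12).
SV_TYPE_SERVER = 0x00000002
SV_TYPE_DOMAIN_CTRL = 0x00000008
SV_TYPE_DOMAIN_BAKCTRL = 0x00000010

# Two policy-object access rights ([MS-LSAD] 2.2.1.1.2) used as sample DesiredAccess values.
POLICY_VIEW_LOCAL_INFORMATION = 0x00000001
POLICY_LOOKUP_NAMES = 0x00000800


@dataclass
class ObjectAttributes:
    """Stand-in for LSAPR_OBJECT_ATTRIBUTES; every field but RootDirectory is ignored."""
    root_directory: Optional[object] = None


@dataclass
class ServerState:
    """Hypothetical server-side state the check consults (not a structure from the spec)."""
    sv101_version_type: int       # what ServerGetInfo(101) would report
    lsa_restrict_anonymous: bool  # the LsaRestrictAnonymous setting


@dataclass
class LsaContextHandle:
    """The context-handle fields the page says the server initializes on success."""
    handle_type: str
    obj: str
    granted_access: int


def grant_as_requested(desired_access: int, anonymous: bool) -> Optional[int]:
    """Placeholder (assumption) for the generic access check: grants exactly what was
    asked. A real check evaluates DesiredAccess against the policy object's security
    descriptor; returning None here means 'denied'."""
    return desired_access


def lsar_open_policy2(
    server: ServerState,
    object_attributes: Optional[ObjectAttributes],
    desired_access: int,
    requestor_anonymous: bool,
    generic_check: Callable[[int, bool], Optional[int]] = grant_as_requested,
) -> Tuple[int, Optional[LsaContextHandle]]:
    """Return (NTSTATUS, PolicyHandle or None). SystemName is omitted: it is ignored."""
    # Parameter validation from the Return Values table: NULL ObjectAttributes or zero DesiredAccess.
    if object_attributes is None or desired_access == 0:
        return STATUS_INVALID_PARAMETER, None
    # The page requires RootDirectory to be NULL but does not state the failure code;
    # treating a non-NULL value as a parameter error is this model's assumption.
    if object_attributes.root_directory is not None:
        return STATUS_INVALID_PARAMETER, None

    # Method-specific portion of the access check, as in the pseudocode above:
    # on a non-DC, an anonymous caller is refused when LsaRestrictAnonymous is set.
    is_domain_controller = bool(
        server.sv101_version_type & (SV_TYPE_DOMAIN_CTRL | SV_TYPE_DOMAIN_BAKCTRL)
    )
    if not is_domain_controller and requestor_anonymous and server.lsa_restrict_anonymous:
        return STATUS_ACCESS_DENIED, None

    # Generic portion of the access check, which determines GrantedAccess.
    granted = generic_check(desired_access, requestor_anonymous)
    if granted is None:
        return STATUS_ACCESS_DENIED, None

    # Success: create the context handle with the fields the page lists.
    return STATUS_SUCCESS, LsaContextHandle("Policy", "the policy object", granted)


# Constructed scenarios: a member server and a domain controller, both with LsaRestrictAnonymous set.
MEMBER_SERVER = ServerState(sv101_version_type=SV_TYPE_SERVER, lsa_restrict_anonymous=True)
DOMAIN_CONTROLLER = ServerState(
    sv101_version_type=SV_TYPE_SERVER | SV_TYPE_DOMAIN_CTRL, lsa_restrict_anonymous=True
)

if __name__ == "__main__":
    for name, srv in (("member server", MEMBER_SERVER), ("domain controller", DOMAIN_CONTROLLER)):
        status, handle = lsar_open_policy2(srv, ObjectAttributes(), POLICY_LOOKUP_NAMES, True)
        print(f"anonymous caller on {name}: status=0x{status:08X} handle={handle}")
```

The model makes the practical point of the pseudocode explicit: the LsaRestrictAnonymous gate in this method applies only to servers that are not domain controllers, so on a DC an anonymous caller proceeds to the generic access check and obtains a handle only if the policy object's security descriptor permits the requested DesiredAccess.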