4.1 Manipulating Account Objects

This section illustrates a message exchange pertaining to account objects.

  1. Message 1: Open the policy object.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarOpenPolicy2

    SystemName

    "Arbitrary String"

    Send

    LsarOpenPolicy2

    ObjectAttributes

    Ignored, except for the RootDirectory field, which is NULL.

    Send

    LsarOpenPolicy2

    DesiredAccess

    POLICY_VIEW_LOCAL_INFORMATION | POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES

  2. Message 2: Success; return the policy object handle.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarOpenPolicy2

    Status

    STATUS_SUCCESS

    Receive

    LsarOpenPolicy2

    PolicyHandle

    [Implementation-specific value]

  3. Message 3: Attempt to create an account object with security identifier (SID) S-1-5-21-123-123-123-1005.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarCreateAccount

    PolicyHandle

    [Implementation-specific value returned in Step 2.]

    Send

    LsarCreateAccount

    AccountSid

    "S-1-5-21-123-123-123-1005"

    Send

    LsarCreateAccount

    DesiredAccess

    READ_CONTROL | WRITE_DAC | ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW

  4. Message 4: Failure: Account already exists.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarCreateAccount

    Status

    STATUS_OBJECT_NAME_COLLISION

    Receive

    LsarCreateAccount

    AccountHandle

    NULL

  5. Message 5: Attempt to open the account object with SID S-1-5-21-123-123-123-1005.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarOpenAccount

    PolicyHandle

    [Implementation-specific value]

    Send

    LsarOpenAccount

    AccountSid

    "S-1-5-21-123-123-123-1005"

    Send

    LsarOpenAccount

    DesiredAccess

    READ_CONTROL | WRITE_DAC | ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW

  6. Message 6: Success: Return the account object handle.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarOpenAccount

    Status

    STATUS_SUCCESS

    Receive

    LsarOpenAccount

    AccountHandle

    [Implementation-specific value]

  7. Message 7: Retrieve the security descriptor of the account object.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarQuerySecurityObject

    ObjectHandle

    [Implementation-specific value returned in Step 6.]

    Send

    LsarQuerySecurityObject

    SecurityInformation

    DACL_SECURITY_INFORMATION

  8. Message 8: Success: Return the security descriptor.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarQuerySecurityObject

    Status

    STATUS_SUCCESS

    Receive

    LsarQuerySecurityObject

    SecurityDescriptor

    Security descriptor of the account object in self-relative form.

  9. Message 9: Update the discretionary access control list (DACL) on the account object.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarSetSecurityObject

    ObjectHandle

    [Implementation-specific value returned in Step 6.]

    Send

    LsarSetSecurityObject

    SecurityInformation

    DACL_SECURITY_INFORMATION

    Send

    LsarSetSecurityObject

    SecurityDescriptor

    Security descriptor representation of the DACL in self-relative form.

  10. Message 10: Success: Security descriptor of the account object has been updated.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarSetSecurityObject

    Status

    STATUS_SUCCESS

  11. Message 11: Retrieve the Locally Unique Identifier (LUID) that the server assigns to the "SeTcbPrivilege" privilege.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarLookupPrivilegeValue

    PolicyHandle

    [Implementation-specific value returned in Step 2.]

    Send

    LsarLookupPrivilegeValue

    Name

    "SeTcbPrivilege"

  12. Message 12: Success: Return the LUID of SeTcbPrivilege.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarLookupPrivilegeValue

    Status

    STATUS_SUCCESS

    Receive

    LsarLookupPrivilegeValue

    Value

    The LUID assigned by the server to SeTcbPrivilege.

  13. Message 13: Add a privilege to the account object.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarAddPrivilegesToAccount

    AccountHandle

    [Implementation-specific value returned in Step 6.]

    Send

    LsarAddPrivilegesToAccount

    Privileges

    A LSAPR_PRIVILEGE_SET structure containing one privilege (the LUID of which was returned in Step 12).

  14. Message 14: Success: Privilege has been added to the account object.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarAddPrivilegesToAccount

    Status

    STATUS_SUCCESS

  15. Message 15: Add a system access right to the account object.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarSetSystemAccessAccount

    AccountHandle

    [Implementation-specific value returned in Step 6.]

    Send

    LsarSetSystemAccessAccount

    SystemAccess

    An unsigned long value with the POLICY_MODE_NETWORK flag set

  16. Message 16: Success: Access right has been recorded.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarSetSystemAccessAccount

    Status

    STATUS_SUCCESS

  17. Message 17: Done with this account object: Close the handle.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarClose

    ObjectHandle

    [Implementation-specific value returned in Step 6.]

  18. Message 18: Success: Account objects handle has been closed.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarClose

    Status

    STATUS_SUCCESS

  19. Message 19: Done with the policy object: Close the handle.

    Direction and method

    Parameter field

    Parameter value

    Send

    LsarClose

    ObjectHandle

    [Implementation-specific value returned in Step 2.]

  20. Message 20: Success: Policy object has been closed.

    Direction and method

    Parameter field

    Parameter value

    Receive

    LsarClose

    Status

    STATUS_SUCCESS

Show: