3.1.4.7.13 LsarQueryInfoTrustedDomain (Opnum 26)

The LsarQueryInfoTrustedDomain method is invoked to retrieve information about the trusted domain object.

NTSTATUS LsarQueryInfoTrustedDomain(
  [in] LSAPR_HANDLE TrustedDomainHandle,
  [in] TRUSTED_INFORMATION_CLASS InformationClass,
  [out, switch_is(InformationClass)]
    PLSAPR_TRUSTED_DOMAIN_INFO* TrustedDomainInformation
);

TrustedDomainHandle: An open trusted domain object handle.

InformationClass: One of the TRUSTED_INFORMATION_CLASS values indicating the type of information the caller is interested in.

TrustedDomainInformation: Used to return requested information about the trusted domain object.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code                     Description
0x00000000  STATUS_SUCCESS            The request was successfully completed.
0xC0000022  STATUS_ACCESS_DENIED      The caller does not have the permissions to perform this operation.
0xC000000D  STATUS_INVALID_PARAMETER  One of the arguments supplied to the function was invalid.
0xC0000003  STATUS_INVALID_INFO_CLASS The InformationClass argument is outside the allowed range.
0xC0000008  STATUS_INVALID_HANDLE     TrustedDomainHandle is not a valid handle.

Processing:

This message takes three arguments:

TrustedDomainHandle: An open handle to a trusted domain object. If the handle is not a valid context handle to a trusted domain object or TrustedDomainHandle.HandleType does not equal "Trusted Domain", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that TrustedDomainHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value, or indicates if no processing is supported, regardless of access granted. There are several methods in the Local Security Authority (Domain Policy) Remote Protocol that query trusted domain information. All of them enforce the same rights assignments based on information class as described in the following table.

Value of InformationClass parameter      RequiredAccess value

TrustedDomainNameInformation             TRUSTED_QUERY_DOMAIN_NAME
TrustedDomainInformationBasic
TrustedDomainInformationEx
TrustedDomainInformationEx2Internal

TrustedControllersInformation            Does not apply: This information class is obsolete and cannot be
                                         set or queried. The server MUST return STATUS_INVALID_PARAMETER.

TrustedPosixOffsetInformation            TRUSTED_QUERY_POSIX
TrustedDomainSupportedEncryptionTypes

TrustedPasswordInformation               TRUSTED_QUERY_AUTH
TrustedDomainAuthInformation
TrustedDomainAuthInformationInternal

TrustedDomainFullInformation             TRUSTED_QUERY_DOMAIN_NAME | TRUSTED_QUERY_POSIX | TRUSTED_QUERY_AUTH
TrustedDomainFullInformationInternal
TrustedDomainFullInformation2Internal

InformationClass: A value from the TRUSTED_INFORMATION_CLASS enumeration specifying what type of information the caller is requesting. Not all values are valid. For values outside the TRUSTED_INFORMATION_CLASS range, the server MUST reject the request with STATUS_INVALID_PARAMETER. Information class values TrustedDomainAuthInformationInternal and TrustedDomainFullInformationInternal MUST be rejected with STATUS_INVALID_INFO_CLASS.

TrustedDomainInformation: Used to return the data requested by the caller, in a structure form corresponding to the InformationClass parameter. Information MUST be collected from the abstract data model specified in section 3.1.1.5.

Value of InformationClass parameter      Information to return

TrustedDomainNameInformation             Flat Name

TrustedPosixOffsetInformation            Posix Offset

TrustedDomainInformationEx               Name
                                         Flat Name
                                         Security Identifier
                                         Posix Offset
                                         Trust Type
                                         Trust Direction
                                         Trust Attributes

TrustedDomainAuthInformation             Not applicable: This information class cannot be queried.
TrustedDomainAuthInformationInternal     The server MUST return STATUS_INVALID_INFO_CLASS.
TrustedDomainFullInformationInternal

TrustedDomainFullInformation             Name
                                         Flat Name
                                         Security Identifier
                                         Posix Offset
                                         Trust Type
                                         Trust Direction
                                         Trust Attributes
                                         Trust Incoming and Outgoing Password values MUST be set to 0.

TrustedDomainFullInformation2Internal    Name
                                         Flat Name
                                         Security Identifier
                                         Posix Offset
                                         Trust Type
                                         Trust Direction
                                         Trust Attributes
                                         Forest Trust Attributes, as stored in Active Directory under the
                                         msDS-TrustForestTrustInfo attribute ([MS-ADTS] section 6.1.6.9.3).
                                         Trust Incoming and Outgoing Password values MUST be set to 0.

TrustedDomainSupportedEncryptionTypes    Supported Encryption Types

Other values                             The server MUST return STATUS_INVALID_PARAMETER.

If the server is not at DS_BEHAVIOR_WIN2003 forest functional level, the presence of the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit in the Trust Attributes field of a trusted domain object MUST NOT be returned by the server.<106>
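The handle, information-class and access-check rules under "Processing" above, modelled as a server-side dispatcher. This is an added example, not code from MS-LSAD or any Windows implementation; the enumerator values and access-mask bits are taken from the TRUSTED_INFORMATION_CLASS and trusted-domain ACCESS_MASK definitions elsewhere in MS-LSAD (not on this page), the Handle class is a minimal stand-in for an LSAPR_HANDLE context, and the order in which the checks are applied is an assumption.

```python
from dataclasses import dataclass
from enum import IntEnum, IntFlag

# Values below come from other sections of MS-LSAD, not from this page.
InfoClass = IntEnum("InfoClass", [
    "TrustedDomainNameInformation", "TrustedControllersInformation",
    "TrustedPosixOffsetInformation", "TrustedPasswordInformation",
    "TrustedDomainInformationBasic", "TrustedDomainInformationEx",
    "TrustedDomainAuthInformation", "TrustedDomainFullInformation",
    "TrustedDomainAuthInformationInternal", "TrustedDomainFullInformationInternal",
    "TrustedDomainInformationEx2Internal", "TrustedDomainFullInformation2Internal",
    "TrustedDomainSupportedEncryptionTypes"], start=1)

class Access(IntFlag):
    TRUSTED_QUERY_DOMAIN_NAME = 0x01
    TRUSTED_QUERY_POSIX = 0x08
    TRUSTED_QUERY_AUTH = 0x40

STATUS_SUCCESS, STATUS_INVALID_INFO_CLASS, STATUS_INVALID_HANDLE = 0x0, 0xC0000003, 0xC0000008
STATUS_INVALID_PARAMETER, STATUS_ACCESS_DENIED = 0xC000000D, 0xC0000022

@dataclass
class Handle:              # minimal stand-in for an LSAPR_HANDLE context (assumption)
    handle_type: str       # "Trusted Domain" for a trusted domain object handle
    granted_access: int    # access mask granted when the handle was opened

C, A = InfoClass, Access
# RequiredAccess per information class, from the first table under "Processing".
# The two *Internal classes in the TRUSTED_QUERY_AUTH / full groups are rejected
# with STATUS_INVALID_INFO_CLASS before any access check, so they are omitted here.
REQUIRED = {}
for classes, mask in (
    ((C.TrustedDomainNameInformation, C.TrustedDomainInformationBasic,
      C.TrustedDomainInformationEx, C.TrustedDomainInformationEx2Internal), A.TRUSTED_QUERY_DOMAIN_NAME),
    ((C.TrustedPosixOffsetInformation, C.TrustedDomainSupportedEncryptionTypes), A.TRUSTED_QUERY_POSIX),
    ((C.TrustedPasswordInformation, C.TrustedDomainAuthInformation), A.TRUSTED_QUERY_AUTH),
    ((C.TrustedDomainFullInformation, C.TrustedDomainFullInformation2Internal),
     A.TRUSTED_QUERY_DOMAIN_NAME | A.TRUSTED_QUERY_POSIX | A.TRUSTED_QUERY_AUTH)):
    REQUIRED.update(dict.fromkeys(classes, mask))

def query_info_trusted_domain(handle, info_class):
    """Return the NTSTATUS the server produces for the given handle and class.
    Check order (handle, then class, then access) is an assumption."""
    if handle is None or handle.handle_type != "Trusted Domain":
        return STATUS_INVALID_HANDLE
    try:
        info_class = InfoClass(info_class)
    except ValueError:                                   # outside the enumeration
        return STATUS_INVALID_PARAMETER
    if info_class is C.TrustedControllersInformation:    # obsolete class
        return STATUS_INVALID_PARAMETER
    if info_class in (C.TrustedDomainAuthInformationInternal, C.TrustedDomainFullInformationInternal):
        return STATUS_INVALID_INFO_CLASS
    required = REQUIRED[info_class]                      # access check per section 3.1.4.2.2
    return STATUS_SUCCESS if (handle.granted_access & required) == required else STATUS_ACCESS_DENIED
```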