Security Management Functions
This section contains topics for the following groups of functions:
- Attachment Callback Functions
- Attachment Engine Functions
- LSA Policy Functions
- Managed Service Account Functions
- Password Filter Functions
- Safer Functions
Attachment Callback Functions
The following support functions are provided by the Security Configuration tool set and may be used by attachment engines and extension snap-ins to read and write configuration data.
| Callback function | Description |
|---|---|
| | Used to free memory allocated by these support functions. |
| | Used to log a message to the configuration log file or the analysis log file. |
| | Used to query the configuration and analysis information for a specific service. |
| | Used to set the configuration and analysis information for a specific service. |
Attachment Engine Functions
| Function | Description |
|---|---|
| | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is analyzed. |
| | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is configured. |
| | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when it receives a configuration update request from the attachment snap-in extension. |
LSA Policy Functions
The following topics provide reference information for the Local Security Authority (LSA) Policy functions.
| Topic | Description |
|---|---|
| Policy Functions | Details functions used to open the local Policy object and to set or retrieve global policy information. |
| Account Functions | Details functions used to manage account rights and to create and delete account objects in the LSA database. |
| Trusted Domain Functions | Details functions used to create and delete trusted domain relationships and to set and retrieve information about those trusted domains. |
| Private Data Functions | Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions. |
| Miscellaneous Functions | Details functions not described elsewhere. |
Policy Functions
The following functions enumerate user accounts and trusted domains, receive policy change notifications, and look up account names and SIDs.
| Function | Description |
|---|---|
| | Enumerates all the accounts that have a specified user right. |
| | Enumerates the trusted domains. |
| | Maps the specified names to their SIDs. Each SID is returned as a relative identifier (RID) plus an index into the returned list of referenced domains; the caller appends the RID to that domain's SID to obtain the full SID. |
| | Maps the specified names to their SIDs. Each SID is returned as a complete SID. |
| | Retrieves the locally unique identifier (LUID) used by the Local Security Authority (LSA) to represent the specified privilege name. |
| | Maps the specified SIDs to their account names. |
| | Registers an event object to receive notifications when the local policy information changes. |
| | Unregisters an event object that is receiving policy change notifications. |
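The two name-lookup variants above differ only in how much assembly they leave to the caller. The following C is an added example, not code from the page: it carries out the RID-plus-domain-index step that the pair-returning lookup requires, using the SDK structure names (LSA_TRANSLATED_SID, LSA_REFERENCED_DOMAIN_LIST, SID_NAME_USE) and shimming them with identical layout on non-Windows hosts so the logic can be compiled and tested offline. The helper names make_sid, sid_append_rid, sid_to_string and translated_sid_to_string are this example's own, and the domain SID and translated entries it uses are constructed test data rather than the output of a real lookup.

```c
/*
 * Added example: turn an LsaLookupNames result into a full SID.
 * LsaLookupNames returns, per name, an LSA_TRANSLATED_SID (Use, RelativeId,
 * DomainIndex) and a shared LSA_REFERENCED_DOMAIN_LIST whose
 * Domains[DomainIndex].Sid is the domain SID; the caller appends the RID.
 * LsaLookupNames2 returns the complete SID instead. On Windows the types come
 * from the SDK; elsewhere they are shimmed with identical layout so the logic
 * compiles and can be tested. Buffers from LsaLookupNames must be released
 * with LsaFreeMemory; the constructed ones used here are stack arrays.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
typedef unsigned int ULONG;            /* 32-bit, as on Windows */
typedef int LONG;
typedef void *PSID;
typedef enum { SidTypeUser = 1, SidTypeGroup, SidTypeDomain, SidTypeAlias,
               SidTypeWellKnownGroup, SidTypeDeletedAccount, SidTypeInvalid,
               SidTypeUnknown, SidTypeComputer, SidTypeLabel } SID_NAME_USE;
typedef struct { unsigned short Length, MaximumLength; unsigned short *Buffer; } LSA_UNICODE_STRING;
typedef struct { LSA_UNICODE_STRING Name; PSID Sid; } LSA_TRUST_INFORMATION;
typedef struct { ULONG Entries; LSA_TRUST_INFORMATION *Domains; } LSA_REFERENCED_DOMAIN_LIST;
typedef struct { SID_NAME_USE Use; ULONG RelativeId; LONG DomainIndex; } LSA_TRANSLATED_SID;
#define SID_MAX_SUB_AUTHORITIES 15
#endif

/* Binary SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
 * followed by SubAuthorityCount 32-bit sub-authorities in host byte order. */
#define SID_HDR 8
#define SID_MAX_BYTES (SID_HDR + 4 * SID_MAX_SUB_AUTHORITIES)

static uint32_t sid_sub(const unsigned char *s, unsigned i)
{
    uint32_t v;
    memcpy(&v, s + SID_HDR + 4u * i, 4);
    return v;
}

/* Construct a SID (for tests and well-known SIDs); returns bytes written, 0 on error. */
size_t make_sid(unsigned char *out, size_t cap, uint32_t authority, const uint32_t *subs, unsigned n)
{
    if (n > SID_MAX_SUB_AUTHORITIES || cap < SID_HDR + 4u * n) return 0;
    out[0] = 1;                      /* SID_REVISION */
    out[1] = (unsigned char)n;
    out[2] = out[3] = 0;             /* 48-bit authority with the top two bytes zero */
    out[4] = (unsigned char)(authority >> 24); out[5] = (unsigned char)(authority >> 16);
    out[6] = (unsigned char)(authority >> 8);  out[7] = (unsigned char)authority;
    memcpy(out + SID_HDR, subs, 4u * n);
    return SID_HDR + 4u * n;
}

/* Copy the domain SID and append one RID: the step LsaLookupNames leaves to the caller. */
int sid_append_rid(const void *domain_sid, uint32_t rid, unsigned char *out, size_t cap)
{
    const unsigned char *d = domain_sid;
    unsigned n = d[1];
    if (d[0] != 1 || n >= SID_MAX_SUB_AUTHORITIES || cap < SID_HDR + 4u * (n + 1)) return 0;
    memcpy(out, d, SID_HDR + 4u * n);
    out[1] = (unsigned char)(n + 1);
    memcpy(out + SID_HDR + 4u * n, &rid, 4);
    return 1;
}

/* Format S-1-<authority>-<sub>...; returns the length, or -1 if malformed or truncated. */
int sid_to_string(const void *sid, char *out, size_t cap)
{
    const unsigned char *s = sid;
    int len;
    if (s[0] != 1 || s[1] > SID_MAX_SUB_AUTHORITIES) return -1;
    if (s[2] == 0 && s[3] == 0)      /* decimal when the authority fits 32 bits, else hex */
        len = snprintf(out, cap, "S-1-%u",
                       (unsigned)(((uint32_t)s[4] << 24) | ((uint32_t)s[5] << 16) | ((uint32_t)s[6] << 8) | s[7]));
    else
        len = snprintf(out, cap, "S-1-0x%02X%02X%02X%02X%02X%02X", s[2], s[3], s[4], s[5], s[6], s[7]);
    for (unsigned i = 0; i < s[1] && len > 0 && (size_t)len < cap; i++)
        len += snprintf(out + len, cap - (size_t)len, "-%u", (unsigned)sid_sub(s, i));
    return (len > 0 && (size_t)len < cap) ? len : -1;
}

/* Resolve one LsaLookupNames entry. Returns 1 and writes the SID string, or 0 when the
 * name did not resolve: Use is SidTypeUnknown/SidTypeInvalid or DomainIndex is -1. */
int translated_sid_to_string(const LSA_REFERENCED_DOMAIN_LIST *domains,
                             const LSA_TRANSLATED_SID *t, char *out, size_t cap)
{
    unsigned char full[SID_MAX_BYTES];
    const void *dom;
    if (t->Use == SidTypeUnknown || t->Use == SidTypeInvalid) return 0;
    if (t->DomainIndex < 0 || (ULONG)t->DomainIndex >= domains->Entries) return 0;
    dom = domains->Domains[t->DomainIndex].Sid;
    if (t->Use == SidTypeDomain)      /* a domain name resolves to the domain SID itself */
        return sid_to_string(dom, out, cap) > 0;
    if (!sid_append_rid(dom, t->RelativeId, full, sizeof full)) return 0;
    return sid_to_string(full, out, cap) > 0;
}
```

Checking Use before touching DomainIndex matters in real code: unresolved names come back with DomainIndex set to -1, and indexing the domain list with it reads before the array.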
Account Functions
The following functions add, enumerate, and delete account rights (privileges and logon rights) for an account. Some privileges, such as SeDebugPrivilege, SeTcbPrivilege and SeBackupPrivilege, confer control equivalent to local administrator, so assignments made through these functions deserve the same review as group memberships.
| Function | Description |
|---|---|
| | Adds rights to an account. If the account does not already exist, it is created. |
| | Enumerates the rights granted to an account. |
| | Removes rights from an account. When all the rights are removed, the account is deleted. |
Trusted Domain Functions
The following functions create, enumerate, and delete trusted domains and set and retrieve trusted domain information.
| Function | Description |
|---|---|
| | Creates a new TrustedDomain object. |
| | Removes a TrustedDomain object. |
| | Enumerates the domains currently trusted by the local system. |
| | Opens a handle to a TrustedDomain object. |
| | Retrieves information about a trusted domain. The domain is specified by SID. |
| | Retrieves information about a trusted domain. The domain is specified by name. |
| | Sets information for a trusted domain. The domain is specified by name. |
| | Sets information for a trusted domain. The domain is specified by SID. |
Private Data Functions
Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions. Data stored with the private data functions (LSA secrets) is held machine-wide in the SECURITY registry hive and can be read back by any caller that holds the POLICY_GET_PRIVATE_INFORMATION access right on the Policy object, which local administrators and SYSTEM have; it is also routinely extracted from a copy of the SYSTEM and SECURITY hives, so it is not a safe place for application secrets.
| Function | Description |
|---|---|
| | Retrieves and decrypts a string. |
| | Encrypts and stores a string. |
Miscellaneous Functions
The LSA Policy API has the following three functions that do not fit into any of the other LSA Policy function categories.
| Function | Description |
|---|---|
| | Closes a handle to a Policy object or a TrustedDomain object. |
| | Frees a buffer allocated by an LSA function. |
| | Converts an NTSTATUS value to a Windows error code. |
Managed Service Account Functions
The following functions are used to create, enumerate, find, and delete managed service accounts.
| Function | Description |
|---|---|
| | Creates a managed service account. |
| | Enumerates the service accounts on the specified server. |
| | Tests whether the specified service account exists in the Netlogon store on the specified server. |
| | Deletes the specified service account from the Active Directory database. |
Password Filter Functions
The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification. A filter DLL is registered by adding its name to the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; it is loaded into the LSASS process and receives every new password in clear text. Treat that registry value as security-sensitive and review it for unexpected entries, since a malicious "filter" DLL is a known way to capture credentials at the moment they are changed.
| Function | Description |
|---|---|
| | Indicates that a password filter DLL is initialized. |
| | Indicates that a password has been changed. |
| | Validates a new password based on password policy. |
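The three entry points above are all a filter DLL exports. The following C is an added example, not code from the page or from Microsoft: a minimal but complete filter that rejects short passwords, passwords that embed the account name, and passwords containing a small constructed deny list. The exported names and signatures are the ones LSASS calls; the policy constants, the deny list, and the helpers ustr_from_ascii and check_password are this example's own. On Windows it builds as a DLL against the SDK headers; on other platforms the Windows types are shimmed with the same layout so the filter logic can be compiled and unit-tested offline.

```c
/*
 * Added example: a minimal password filter DLL (not code from the page).
 * Exports InitializeChangeNotify, PasswordFilter and PasswordChangeNotify.
 * Register it by adding the DLL's base name to the REG_MULTI_SZ value
 * "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
 * (use a .def file on x86 so the __stdcall names are exported undecorated).
 * LSASS loads it at boot and hands it every candidate password in clear text;
 * a crash here crashes LSASS, and anything copied out of here is a credential leak.
 * Windows types are shimmed on other platforms so the logic can be unit-tested.
 */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#define FILTER_EXPORT __declspec(dllexport)
#else
typedef unsigned char BOOLEAN;
typedef unsigned short USHORT, WCHAR, *PWSTR;   /* UTF-16 code units, as on Windows */
typedef unsigned int ULONG;
typedef long NTSTATUS;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define TRUE 1
#define FALSE 0
#define NTAPI
#define FILTER_EXPORT
#endif

#define MIN_PASSWORD_CHARS 14   /* policy constant for this example (constructed) */
static const char *const kDenyList[] = { "password", "welcome", "letmein", "qwerty" }; /* constructed */

/* UNICODE_STRING.Length is in bytes and Buffer is not NUL-terminated. */
#define USTR_CHARS(u) ((size_t)(u)->Length / sizeof(WCHAR))

static WCHAR lower_ascii(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }

/* Case-insensitive substring search over UTF-16 code units (ASCII folding only). */
static int contains_ci(const WCHAR *hay, size_t hay_len, const WCHAR *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        size_t j = 0;
        while (j < needle_len && lower_ascii(hay[i + j]) == lower_ascii(needle[j])) j++;
        if (j == needle_len) return 1;
    }
    return 0;
}

static int contains_ascii_ci(const WCHAR *hay, size_t hay_len, const char *needle)
{
    WCHAR tmp[32];
    size_t n = strlen(needle);
    if (n > sizeof tmp / sizeof tmp[0]) return 0;
    for (size_t i = 0; i < n; i++) tmp[i] = (WCHAR)(unsigned char)needle[i];
    return contains_ci(hay, hay_len, tmp, n);
}

FILTER_EXPORT BOOLEAN NTAPI InitializeChangeNotify(void)
{
    return TRUE;   /* nothing to set up; FALSE would make LSASS skip this DLL */
}

/* TRUE accepts the password, FALSE rejects it. SetOperation is TRUE for an
 * administrative reset and FALSE for a user-initiated change. Only the verdict
 * may leave this function: never log, copy or transmit Password. */
FILTER_EXPORT BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                           PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    size_t pw_len;
    (void)FullName; (void)SetOperation;
    if (!Password || !Password->Buffer) return FALSE;
    pw_len = USTR_CHARS(Password);
    if (pw_len < MIN_PASSWORD_CHARS) return FALSE;
    /* Reject passwords that embed the account name (names under 3 chars would match too easily). */
    if (AccountName && AccountName->Buffer && USTR_CHARS(AccountName) >= 3 &&
        contains_ci(Password->Buffer, pw_len, AccountName->Buffer, USTR_CHARS(AccountName)))
        return FALSE;
    for (size_t i = 0; i < sizeof kDenyList / sizeof kDenyList[0]; i++)
        if (contains_ascii_ci(Password->Buffer, pw_len, kDenyList[i])) return FALSE;
    return TRUE;
}

/* Called after the change is committed, with the new password in clear text.
 * A rogue "filter" that writes NewPassword to disk is a known credential-theft
 * technique, which is why the Notification Packages value deserves monitoring. */
FILTER_EXPORT NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                                  PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;
}

/* Test harness (not part of the DLL interface): build a counted string from ASCII. */
UNICODE_STRING ustr_from_ascii(WCHAR *buf, size_t cap, const char *s)
{
    UNICODE_STRING u = { 0, 0, buf };
    size_t n = strlen(s);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)s[i];
    u.Length = (USHORT)(n * sizeof(WCHAR));
    u.MaximumLength = (USHORT)(cap * sizeof(WCHAR));
    return u;
}

/* 1 = accepted, 0 = rejected. */
int check_password(const char *account, const char *password)
{
    WCHAR abuf[64], pbuf[256];
    UNICODE_STRING acct = ustr_from_ascii(abuf, 64, account);
    UNICODE_STRING pw = ustr_from_ascii(pbuf, 256, password);
    return PasswordFilter(&acct, NULL, &pw, FALSE) == TRUE;
}
```

Two design points carry over to any real filter: keep the work bounded (no network or disk I/O, since LSASS blocks on the call), and keep the password inside the function. The ASCII-only case folding is a deliberate simplification; a production filter would fold the full UTF-16 range.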
Safer Functions
The following Safer functions are the programmatic interface to Software Restriction Policies. They identify the Safer level that policy assigns to an executable, compute restricted access tokens from a level, read and set policy information, and log events.
| Function | Description |
|---|---|
| SaferCloseLevel | Closes a SAFER_LEVEL_HANDLE opened by using the SaferIdentifyLevel function or the SaferCreateLevel function. |
| SaferComputeTokenFromLevel | Restricts a token using restrictions specified by a SAFER_LEVEL_HANDLE. |
| SaferCreateLevel | Opens a SAFER_LEVEL_HANDLE. |
| SaferGetLevelInformation | Retrieves information about a policy level. |
| SaferGetPolicyInformation | Retrieves information about a policy. |
| SaferIdentifyLevel | Evaluates a set of code properties (such as an image path, image hash, or publisher certificate) against the policy and returns a SAFER_LEVEL_HANDLE for the level that applies. |
| SaferiIsExecutableFileType | Determines whether a specified file is an executable file. |
| SaferRecordEventLogEntry | Sends a message to the event log. |
| SaferSetLevelInformation | Sets the information about a policy level. |
| SaferSetPolicyInformation | Sets the global policy controls. |