The LsarRemoveAccountRights method is invoked to remove rights from an account object.
NTSTATUS LsarRemoveAccountRights(
  [in] LSAPR_HANDLE PolicyHandle,
  [in] PRPC_SID AccountSid,
  [in] unsigned char AllRights,
  [in] PLSAPR_USER_RIGHT_SET UserRights
);
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.
AccountSid: The security identifier (SID) of the account object to modify.
AllRights: If this field is not set to 0, all rights will be removed.
UserRights: A set of rights to remove from the account.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
Return value/code                          Description
0x00000000  STATUS_SUCCESS                 The request was successfully completed.
0xC0000022  STATUS_ACCESS_DENIED           The caller does not have the permissions to perform this operation.
0xC000000D  STATUS_INVALID_PARAMETER       One or more of the supplied parameters was invalid.
0xC0000060  STATUS_NO_SUCH_PRIVILEGE       The rights supplied were not recognized.
0xC0000034  STATUS_OBJECT_NAME_NOT_FOUND   An account with this SID does not exist.
0xC0000008  STATUS_INVALID_HANDLE          PolicyHandle is not a valid handle.
0xC00000BB  STATUS_NOT_SUPPORTED           The operation is not supported by the server.
Processing:
This message takes four arguments:
PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW | DELETE.
If IsRequestorAnonymous() returns TRUE (section 3.1.4.2.3) and LsaRestrictAnonymous is set to TRUE, the call MUST fail with STATUS_OBJECT_NAME_NOT_FOUND.
AccountSid: The security identifier of the account to modify. The server MUST verify that such an account exists in its database and fail the request with STATUS_OBJECT_NAME_NOT_FOUND otherwise.
AllRights: If nonzero, all system access rights and privileges will be stripped from the account.
UserRights: A set of rights and privileges to remove from the account. If any of the supplied rights is not recognized by the server, the server MUST return STATUS_NO_SUCH_PRIVILEGE.
The server MUST NOT allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from the accounts represented by the well-known SIDs "S-1-5-19" (LOCAL SERVICE) and "S-1-5-20" (NETWORK SERVICE). Such a request MUST be rejected with STATUS_NOT_SUPPORTED.<74>
If the resulting set of access rights and privileges is empty, the server MUST delete the account object from its database.
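The following is an added example, not code from the specification or from any Microsoft implementation: a small reference model of the server-side processing rules above, useful for reasoning about which NTSTATUS a given request should produce and for checking that removing an account's last right deletes the account object. The check ordering follows the order in which the text lists the arguments; the handle and database structures, the numeric access-mask values, the treatment of a missing UserRights set as STATUS_INVALID_PARAMETER, and the sample accounts are all assumptions made for illustration.

```python
# Added example: reference model of LsarRemoveAccountRights message processing.
# Not Microsoft's implementation and not any library's API; structures, access
# bit values, check ordering and sample data are assumptions for illustration.

STATUS_SUCCESS               = 0x00000000
STATUS_ACCESS_DENIED         = 0xC0000022
STATUS_INVALID_PARAMETER     = 0xC000000D
STATUS_NO_SUCH_PRIVILEGE     = 0xC0000060
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_INVALID_HANDLE        = 0xC0000008
STATUS_NOT_SUPPORTED         = 0xC00000BB

# Access bits named by the spec's RequiredAccess (numeric values are assumed).
ACCOUNT_VIEW                 = 0x0001
ACCOUNT_ADJUST_PRIVILEGES    = 0x0002
ACCOUNT_ADJUST_SYSTEM_ACCESS = 0x0008
DELETE                       = 0x00010000
REQUIRED_ACCESS = (ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS
                   | ACCOUNT_VIEW | DELETE)

# Privileges that may never be removed from LOCAL SERVICE / NETWORK SERVICE.
PROTECTED_SIDS = {"S-1-5-19", "S-1-5-20"}
PROTECTED_PRIVS = {"SeAuditPrivilege", "SeChangeNotifyPrivilege",
                   "SeImpersonatePrivilege", "SeCreateGlobalPrivilege"}


class PolicyHandle:
    """Assumed shape of an RPC context handle: type tag, granted access, and
    whether the requestor that opened it is anonymous (IsRequestorAnonymous)."""
    def __init__(self, handle_type, granted_access, anonymous=False):
        self.handle_type = handle_type
        self.granted_access = granted_access
        self.anonymous = anonymous


class LsaServer:
    """Minimal stand-in for the LSA policy database: SID -> set of rights."""
    def __init__(self, known_rights, accounts, restrict_anonymous=False):
        self.known_rights = set(known_rights)
        self.accounts = {sid: set(rights) for sid, rights in accounts.items()}
        self.restrict_anonymous = restrict_anonymous   # LsaRestrictAnonymous

    def remove_account_rights(self, handle, account_sid, all_rights, user_rights):
        # PolicyHandle: must be a "Policy" handle carrying the required access.
        if not isinstance(handle, PolicyHandle) or handle.handle_type != "Policy":
            return STATUS_INVALID_HANDLE
        if (handle.granted_access & REQUIRED_ACCESS) != REQUIRED_ACCESS:
            return STATUS_ACCESS_DENIED
        # Anonymous requestors are refused (as "not found") under LsaRestrictAnonymous.
        if handle.anonymous and self.restrict_anonymous:
            return STATUS_OBJECT_NAME_NOT_FOUND
        # AccountSid: the account object must exist in the database.
        if account_sid not in self.accounts:
            return STATUS_OBJECT_NAME_NOT_FOUND
        current = self.accounts[account_sid]
        # UserRights: assumed that a missing set is an invalid parameter, and
        # every supplied name must be one the server recognizes.
        if user_rights is None:
            return STATUS_INVALID_PARAMETER
        if any(right not in self.known_rights for right in user_rights):
            return STATUS_NO_SUCH_PRIVILEGE
        # AllRights != 0 strips everything; otherwise only the listed set.
        to_remove = set(current) if all_rights else set(user_rights)
        # The four protected privileges cannot leave S-1-5-19 / S-1-5-20.
        if account_sid in PROTECTED_SIDS and (to_remove & PROTECTED_PRIVS):
            return STATUS_NOT_SUPPORTED
        current -= to_remove
        # An account left with no rights at all is deleted from the database.
        if not current:
            del self.accounts[account_sid]
        return STATUS_SUCCESS


def build_sample_server():
    """Constructed sample policy database (not captured from a real host)."""
    return LsaServer(
        known_rights={"SeAuditPrivilege", "SeChangeNotifyPrivilege",
                      "SeImpersonatePrivilege", "SeCreateGlobalPrivilege",
                      "SeBackupPrivilege", "SeInteractiveLogonRight"},
        accounts={
            "S-1-5-19": {"SeAuditPrivilege", "SeChangeNotifyPrivilege",
                         "SeImpersonatePrivilege", "SeCreateGlobalPrivilege"},
            "S-1-5-21-1-2-3-1001": {"SeBackupPrivilege", "SeInteractiveLogonRight"},
        },
        restrict_anonymous=True,
    )


ADMIN_HANDLE = PolicyHandle("Policy", REQUIRED_ACCESS)

if __name__ == "__main__":
    srv = build_sample_server()
    print(hex(srv.remove_account_rights(ADMIN_HANDLE, "S-1-5-19", 1, [])))
    print(hex(srv.remove_account_rights(ADMIN_HANDLE, "S-1-5-21-1-2-3-1001", 1, [])))
    print("S-1-5-21-1-2-3-1001" in srv.accounts)
```

The model makes two behaviours explicit that are easy to miss when reading the rules in prose: an AllRights request against S-1-5-19 or S-1-5-20 fails with STATUS_NOT_SUPPORTED even though no individual right was named, and a successful removal of an ordinary account's last remaining right is also an implicit delete of that account object.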