3.1.4.4.8 LsarSetDomainInformationPolicy (Opnum 54)

The LsarSetDomainInformationPolicy method is invoked to change policy settings in addition to those exposed through LsarQueryInformationPolicy and LsarSetInformationPolicy2. Despite the term "Domain" in the name of the method, processing of this message occurs with local data. Also, there is no requirement that this data have any relationship with the LSA information in the domain to which the machine is joined.

 NTSTATUS LsarSetDomainInformationPolicy(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] POLICY_DOMAIN_INFORMATION_CLASS InformationClass,
   [in, unique, switch_is(InformationClass)] 
     PLSAPR_POLICY_DOMAIN_INFORMATION PolicyDomainInformation
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

InformationClass: A parameter that specifies what type of information the caller is setting.

PolicyDomainInformation: Data representing the policy being set.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the following message processing.

| Return value/code | Description |
| --- | --- |
| 0x00000000 STATUS_SUCCESS | The request was successfully completed. |
| 0xC0000022 STATUS_ACCESS_DENIED | The caller does not have the permissions to perform this operation. |
| 0xC000000D STATUS_INVALID_PARAMETER | One of the supplied arguments was invalid. |
| 0xC0000008 STATUS_INVALID_HANDLE | PolicyHandle is not a valid handle. |

Processing:

If the InformationClass parameter is PolicyDomainEfsInformation, and the responder implementation does not support Encrypting File System (EFS) Policy Information as specified in section 3.1.1.1, the request MUST fail with STATUS_INVALID_PARAMETER.

If the InformationClass parameter is PolicyDomainQualityOfServiceInformation, and the responder implementation does not support Quality Of Service Information as specified in section 3.1.1.1, the request MUST fail with an RPC exception RPC_S_INVALID_TAG.

If PolicyHandle is not a valid context handle or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE.

The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value.

| InformationClass value | RequiredAccess value |
| --- | --- |
| PolicyDomainQualityOfServiceInformation | POLICY_SERVER_ADMIN |
| PolicyDomainEfsInformation | POLICY_SERVER_ADMIN |
| PolicyDomainKerberosTicketInformation | POLICY_SERVER_ADMIN |

The InformationClass parameter can take on any value in the POLICY_DOMAIN_INFORMATION_CLASS enumeration range. For all values outside this range, the server MUST return the STATUS_INVALID_PARAMETER error code.

The PolicyDomainInformation parameter contains the data that the caller needs to set, based on the value of the InformationClass parameter. The server MUST update its abstract data model, specified in section 3.1.1.1, as follows.

| Value of InformationClass parameter | Information updated in abstract data model |
| --- | --- |
| PolicyDomainQualityOfServiceInformation | Quality Of Service Information |
| PolicyDomainEfsInformation | EFS Policy Information |
| PolicyDomainKerberosTicketInformation | Kerberos Policy Information |

If the abstract data model update succeeds and the InformationClass parameter is PolicyDomainKerberosTicketInformation, the server MUST invoke the KDC ConfigurationChange event (see [MS-KILE] section 3.3.4.1) and MUST ignore any errors that are returned.
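
The processing rules above as a small C model, added here as an illustration and not code from the specification. The model_* types, set_domain_policy, result and kdc_fails are hypothetical names; the numeric values of the enumeration, POLICY_SERVER_ADMIN and RPC_S_INVALID_TAG do not appear on this page and are taken from the Windows SDK headers.

```c
#include <stdint.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_HANDLE    0xC0000008u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u
#define RPC_S_INVALID_TAG        1733u  /* raised as an RPC exception, not returned */
#define POLICY_SERVER_ADMIN      0x00000400u

enum { PolicyDomainQualityOfServiceInformation = 1, PolicyDomainEfsInformation,
       PolicyDomainKerberosTicketInformation };

/* Hypothetical model types, not structures from the specification. */
typedef struct { int valid; int is_policy; uint32_t granted; } model_handle;
typedef struct { int has_efs, has_qos; uint32_t last_set;
                 int (*kdc_config_change)(void); } model_server;
/* status is meaningful only when rpc_exception is 0. */
typedef struct { uint32_t status; uint32_t rpc_exception; } model_result;

static model_result result(uint32_t st, uint32_t exc) { model_result r = { st, exc }; return r; }

/* Constructed KDC hook that always fails, to show that its error is ignored. */
int kdc_events;
int kdc_fails(void) { kdc_events++; return -1; }

model_result set_domain_policy(model_server *s, const model_handle *h, uint32_t cls)
{
    /* 1. Optional classes the responder does not implement. */
    if (cls == PolicyDomainEfsInformation && !s->has_efs)
        return result(STATUS_INVALID_PARAMETER, 0);
    if (cls == PolicyDomainQualityOfServiceInformation && !s->has_qos)
        return result(0, RPC_S_INVALID_TAG);
    /* 2. Handle must be a live context handle of type "Policy". */
    if (h == 0 || !h->valid || !h->is_policy)
        return result(STATUS_INVALID_HANDLE, 0);
    /* 3. Out-of-range classes have no RequiredAccess row; rejecting them
          before the access check is this example's choice. */
    if (cls < PolicyDomainQualityOfServiceInformation ||
        cls > PolicyDomainKerberosTicketInformation)
        return result(STATUS_INVALID_PARAMETER, 0);
    /* 4. Every in-range class requires POLICY_SERVER_ADMIN on the handle. */
    if ((h->granted & POLICY_SERVER_ADMIN) != POLICY_SERVER_ADMIN)
        return result(STATUS_ACCESS_DENIED, 0);
    s->last_set = cls;  /* 5. Update the (modelled) abstract data model. */
    /* 6. Kerberos policy changes notify the KDC; its errors are ignored. */
    if (cls == PolicyDomainKerberosTicketInformation && s->kdc_config_change)
        (void)s->kdc_config_change();
    return result(STATUS_SUCCESS, 0);
}
```

Because the unsupported-class checks are listed before the handle check, a caller with no valid handle can still distinguish a responder without EFS or Quality Of Service support from one that has it.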