4.1 Manipulating Account Objects
This section illustrates a message exchange pertaining to account objects.
Message 1: Open the policy object.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarOpenPolicy2 | SystemName | "Arbitrary String" |
| Send LsarOpenPolicy2 | ObjectAttributes | Ignored, except for the RootDirectory field, which is NULL. |
| Send LsarOpenPolicy2 | DesiredAccess | POLICY_VIEW_LOCAL_INFORMATION \| POLICY_CREATE_ACCOUNT \| POLICY_LOOKUP_NAMES |

Message 2: Success: Return the policy object handle.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarOpenPolicy2 | Status | STATUS_SUCCESS |
| Receive LsarOpenPolicy2 | PolicyHandle | [Implementation-specific value] |

Message 3: Attempt to create an account object with security identifier (SID) S-1-5-21-123-123-123-1005.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarCreateAccount | PolicyHandle | [Implementation-specific value returned in Step 2.] |
| Send LsarCreateAccount | AccountSid | "S-1-5-21-123-123-123-1005" |
| Send LsarCreateAccount | DesiredAccess | READ_CONTROL \| WRITE_DAC \| ACCOUNT_ADJUST_PRIVILEGES \| ACCOUNT_ADJUST_SYSTEM_ACCESS \| ACCOUNT_VIEW |

Message 4: Failure: Account already exists.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarCreateAccount | Status | STATUS_OBJECT_NAME_COLLISION |
| Receive LsarCreateAccount | AccountHandle | NULL |

Message 5: Attempt to open the account object with SID S-1-5-21-123-123-123-1005.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarOpenAccount | PolicyHandle | [Implementation-specific value] |
| Send LsarOpenAccount | AccountSid | "S-1-5-21-123-123-123-1005" |
| Send LsarOpenAccount | DesiredAccess | READ_CONTROL \| WRITE_DAC \| ACCOUNT_ADJUST_PRIVILEGES \| ACCOUNT_ADJUST_SYSTEM_ACCESS \| ACCOUNT_VIEW |

Message 6: Success: Return the account object handle.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarOpenAccount | Status | STATUS_SUCCESS |
| Receive LsarOpenAccount | AccountHandle | [Implementation-specific value] |

Message 7: Retrieve the security descriptor of the account object.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarQuerySecurityObject | ObjectHandle | [Implementation-specific value returned in Step 6.] |
| Send LsarQuerySecurityObject | SecurityInformation | DACL_SECURITY_INFORMATION |

Message 8: Success: Return the security descriptor.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarQuerySecurityObject | Status | STATUS_SUCCESS |
| Receive LsarQuerySecurityObject | SecurityDescriptor | Security descriptor of the account object in self-relative form. |

Message 9: Update the discretionary access control list (DACL) on the account object.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarSetSecurityObject | ObjectHandle | [Implementation-specific value returned in Step 6.] |
| Send LsarSetSecurityObject | SecurityInformation | DACL_SECURITY_INFORMATION |
| Send LsarSetSecurityObject | SecurityDescriptor | Security descriptor representation of the DACL in self-relative form. |

Message 10: Success: Security descriptor of the account object has been updated.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarSetSecurityObject | Status | STATUS_SUCCESS |

Message 11: Retrieve the Locally Unique Identifier (LUID) that the server assigns to the "SeTcbPrivilege" privilege.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarLookupPrivilegeValue | PolicyHandle | [Implementation-specific value returned in Step 2.] |
| Send LsarLookupPrivilegeValue | Name | "SeTcbPrivilege" |

Message 12: Success: Return the LUID of SeTcbPrivilege.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarLookupPrivilegeValue | Status | STATUS_SUCCESS |
| Receive LsarLookupPrivilegeValue | Value | The LUID assigned by the server to SeTcbPrivilege. |

Message 13: Add a privilege to the account object.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarAddPrivilegesToAccount | AccountHandle | [Implementation-specific value returned in Step 6.] |
| Send LsarAddPrivilegesToAccount | Privileges | An LSAPR_PRIVILEGE_SET structure containing one privilege (the LUID of which was returned in Step 12). |

Message 14: Success: Privilege has been added to the account object.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarAddPrivilegesToAccount | Status | STATUS_SUCCESS |

Message 15: Add a system access right to the account object.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarSetSystemAccessAccount | AccountHandle | [Implementation-specific value returned in Step 6.] |
| Send LsarSetSystemAccessAccount | SystemAccess | An unsigned long value with the POLICY_MODE_NETWORK flag set. |

Message 16: Success: Access right has been recorded.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarSetSystemAccessAccount | Status | STATUS_SUCCESS |

Message 17: Done with this account object: Close the handle.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarClose | ObjectHandle | [Implementation-specific value returned in Step 6.] |

Message 18: Success: Account object handle has been closed.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarClose | Status | STATUS_SUCCESS |

Message 19: Done with the policy object: Close the handle.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Send LsarClose | ObjectHandle | [Implementation-specific value returned in Step 2.] |

Message 20: Success: Policy object has been closed.

| Direction and method | Parameter field | Parameter value |
|---|---|---|
| Receive LsarClose | Status | STATUS_SUCCESS |
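The whole exchange above, modelled end to end as an added example (this is not code from MS-LSAD or from any LSA implementation): an in-memory server stand-in records the access granted on each handle and enforces it on later calls, and a client driver issues Messages 1 through 20, falling back from LsarCreateAccount to LsarOpenAccount on STATUS_OBJECT_NAME_COLLISION exactly as Messages 3 to 5 do. The class and function names, the LUID the model assigns to SeTcbPrivilege, and the placeholder DACL byte strings are assumptions; the access-mask and NTSTATUS constants are the documented values. The driver goes slightly beyond the page in that it also works when the account does not yet exist (the create then succeeds and Message 5 is skipped).

```python
from dataclasses import dataclass, field

# NTSTATUS codes and access masks: the values MS-LSAD and MS-ERREF document.
STATUS_SUCCESS, STATUS_ACCESS_DENIED = 0x00000000, 0xC0000022
STATUS_OBJECT_NAME_NOT_FOUND, STATUS_OBJECT_NAME_COLLISION = 0xC0000034, 0xC0000035
POLICY_VIEW_LOCAL_INFORMATION, POLICY_CREATE_ACCOUNT, POLICY_LOOKUP_NAMES = 0x1, 0x10, 0x800
ACCOUNT_VIEW, ACCOUNT_ADJUST_PRIVILEGES, ACCOUNT_ADJUST_SYSTEM_ACCESS = 0x1, 0x2, 0x8
READ_CONTROL, WRITE_DAC, DACL_SECURITY_INFORMATION, POLICY_MODE_NETWORK = 0x20000, 0x40000, 0x4, 0x2
POLICY_ACCESS = POLICY_VIEW_LOCAL_INFORMATION | POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES  # Message 1
ACCOUNT_ACCESS = (READ_CONTROL | WRITE_DAC | ACCOUNT_ADJUST_PRIVILEGES   # Messages 3 and 5
                  | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW)


@dataclass
class Account:                       # server-side state of one account object (model only)
    sid: str
    dacl: bytes = b"<initial DACL>"  # placeholder standing in for a self-relative security descriptor
    privileges: set = field(default_factory=set)   # LUIDs as (LowPart, HighPart) tuples
    system_access: int = 0


class LsaServerModel:
    """Constructed server stand-in. A handle records (kind, object, granted access), so
    each later call is checked against the DesiredAccess the client asked for at open."""
    def __init__(self):
        self.accounts, self.handles, self._next = {}, {}, 1
        self.privilege_luids = {"SeTcbPrivilege": (7, 0)}  # LUID chosen for this model only
    def _open(self, kind, obj, access):
        self.handles[self._next] = (kind, obj, access)
        self._next += 1
        return self._next - 1
    def _grant(self, handle, kind, needed):
        k, obj, granted = self.handles.get(handle, (None, None, 0))
        return obj if k == kind and granted & needed == needed else None
    def LsarOpenPolicy2(self, system_name, desired_access):
        return STATUS_SUCCESS, self._open("policy", "policy", desired_access)
    def LsarCreateAccount(self, policy_handle, sid, desired_access):
        if not self._grant(policy_handle, "policy", POLICY_CREATE_ACCOUNT):
            return STATUS_ACCESS_DENIED, None
        if sid in self.accounts:
            return STATUS_OBJECT_NAME_COLLISION, None      # Message 4
        self.accounts[sid] = Account(sid)
        return STATUS_SUCCESS, self._open("account", self.accounts[sid], desired_access)
    def LsarOpenAccount(self, policy_handle, sid, desired_access):
        if not self._grant(policy_handle, "policy", 0):    # must be a policy handle
            return STATUS_ACCESS_DENIED, None
        if sid not in self.accounts:
            return STATUS_OBJECT_NAME_NOT_FOUND, None
        return STATUS_SUCCESS, self._open("account", self.accounts[sid], desired_access)
    def LsarQuerySecurityObject(self, handle, info):
        acct = self._grant(handle, "account", READ_CONTROL)
        return (STATUS_SUCCESS, acct.dacl) if acct else (STATUS_ACCESS_DENIED, None)
    def LsarSetSecurityObject(self, handle, info, sd):
        acct = self._grant(handle, "account", WRITE_DAC)
        if acct and info & DACL_SECURITY_INFORMATION:
            acct.dacl = sd
        return STATUS_SUCCESS if acct else STATUS_ACCESS_DENIED
    def LsarLookupPrivilegeValue(self, policy_handle, name):
        if not self._grant(policy_handle, "policy", POLICY_LOOKUP_NAMES):
            return STATUS_ACCESS_DENIED, None
        luid = self.privilege_luids.get(name)
        return (STATUS_SUCCESS, luid) if luid else (STATUS_OBJECT_NAME_NOT_FOUND, None)
    def LsarAddPrivilegesToAccount(self, handle, privilege_set):
        acct = self._grant(handle, "account", ACCOUNT_ADJUST_PRIVILEGES)
        if acct:  # privilege_set models LSAPR_PRIVILEGE_SET as [(LUID, Attributes), ...]
            acct.privileges.update(luid for luid, _attributes in privilege_set)
        return STATUS_SUCCESS if acct else STATUS_ACCESS_DENIED
    def LsarSetSystemAccessAccount(self, handle, system_access):
        acct = self._grant(handle, "account", ACCOUNT_ADJUST_SYSTEM_ACCESS)
        if acct:
            acct.system_access = system_access
        return STATUS_SUCCESS if acct else STATUS_ACCESS_DENIED
    def LsarClose(self, handle):
        self.handles.pop(handle, None)
        return STATUS_SUCCESS


def run_exchange(server, sid, new_dacl=b"<updated DACL>"):
    """Client side of Messages 1-20; returns ([(method, status), ...], Account or None)."""
    log = []
    def call(method, *args):  # invoke one Lsar* method and record its NTSTATUS
        result = getattr(server, method)(*args)
        log.append((method, result[0] if isinstance(result, tuple) else result))
        return result
    _, policy = call("LsarOpenPolicy2", "Arbitrary String", POLICY_ACCESS)
    st, acct_h = call("LsarCreateAccount", policy, sid, ACCOUNT_ACCESS)
    if st == STATUS_OBJECT_NAME_COLLISION:   # Message 4: already exists, so open it (Message 5)
        _, acct_h = call("LsarOpenAccount", policy, sid, ACCOUNT_ACCESS)
    call("LsarQuerySecurityObject", acct_h, DACL_SECURITY_INFORMATION)          # Message 7
    call("LsarSetSecurityObject", acct_h, DACL_SECURITY_INFORMATION, new_dacl)  # Message 9
    _, luid = call("LsarLookupPrivilegeValue", policy, "SeTcbPrivilege")        # Message 11
    call("LsarAddPrivilegesToAccount", acct_h, [(luid, 0)])   # Message 13: one-entry privilege set
    call("LsarSetSystemAccessAccount", acct_h, POLICY_MODE_NETWORK)             # Message 15
    call("LsarClose", acct_h)                # Message 17
    call("LsarClose", policy)                # Message 19
    return log, server.accounts.get(sid)
```

Because the model keeps the granted access on each handle, a policy handle opened without POLICY_CREATE_ACCOUNT gets STATUS_ACCESS_DENIED from LsarCreateAccount, and an account handle opened without WRITE_DAC cannot change the DACL; that is why Message 1 and Messages 3/5 request exactly the rights the later messages need. From an audit standpoint the interesting events in this sequence are the DACL change (Message 9), the SeTcbPrivilege assignment (Message 13) and the logon-right change (Message 15), since each widens what the account can do.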