Share via

3.1.4.4.9 LsarOpenPolicy3 (Opnum 130)

  • Article

The LsarOpenPolicy3 method, as specified below, opens a context handle to the RPC server. This is the first function that MUST be called to contact the Local Security Authority (Domain Policy) (LSAD) Remote Protocol database.

 NTSTATUS
 LsarOpenPolicy3(
     [in,unique,string] PLSAPR_SERVER_NAME               SystemName,
     [in] PLSAPR_OBJECT_ATTRIBUTES                       ObjectAttributes,
     [in] ACCESS_MASK                                    DesiredAccess,
     [in] ULONG                                          InVersion,
     [in] [switch_is(InVersion)] LSAPR_REVISION_INFO*    InRevisionInfo,
     [out] ULONG*                                        OutVersion,
     [out] [switch_is(*OutVersion)] LSAPR_REVISION_INFO* OutRevisionInfo,
     [out] LSAPR_HANDLE*                                 PolicyHandle
     );

SystemName: This parameter has no effect on message processing in any environment. It MUST be ignored on receipt.

ObjectAttributes: This parameter has no effect on message processing in any environment. All fields MUST<67> be ignored except RootDirectory, which MUST be NULL.

DesiredAccess: An ACCESS_MASK value (section 2.2.1.1) that specifies the requested access rights that MUST be granted on the returned PolicyHandle, if the request is successful.

InVersion: Indicates which field of the InRevisionInfo union is used.

InRevisionInfo: Revision information. For details, see the definition of the LSAPR_REVISION_INFO_V1 structure (section 2.2.2.6), which is contained in the LSAPR_REVISION_INFO union (section 2.2.2.7).

OutVersion: Indicates which field of the OutRevisionInfo union is used.

OutRevisionInfo: Revision information. For details, see the definition of the LSAPR_REVISION_INFO_V1 structure (section 2.2.2.6), which is contained in the LSAPR_REVISION_INFO union (section 2.2.2.7).

PolicyHandle: An RPC context handle (section 2.2.2.1) that represents a reference to the abstract data model of a policy object, as specified in section 3.1.1.1.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing below.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC000000D

STATUS_INVALID_PARAMETER

One of the supplied parameters is incorrect. For example, this can happen when ObjectAttributes is NULL or DesiredAccess is zero.

0xC00000BB

STATUS_NOT_SUPPORTED

The operation is not supported for this object.

Server processing instructions upon receiving this message are the same as LsarOpenPolicy2 with exception of the following:

  • If InVersion is not equal to 1, the server MUST return STATUS_NOT_SUPPORTED (0xC00000BB).

  • The server MUST set OutVersion to 1 and OutRevisionInfo.Revision to 1.

  • To indicate support for AES encryption of trust authentication information (sections 2.2.7.29 and 2.2.7.30), the OutRevisionInfo.SupportedFeatures field MUST be set to 1.

  • To indicate support for name lookups with authentication other than RPC_C_AUTHN_NETLOGON security provider, the OutRevisionInfo.SupportedFeatures field MUST be set to 2.<68>

  • To indicate support for AES encryption of secrets (section 2.2.6.2), the OutRevisionInfo.SupportedFeatures field MUST be set to 4.

Note: LsarOpenPolicy3 supersedes LsarOpenPolicy2 and MUST be used whenever possible.