LsarLookupNames (Opnum 14)

The LsarLookupNames method translates a batch of security principal names to their SID form. It also returns the domains that these names are a part of.

 NTSTATUS LsarLookupNames(
   [in] LSAPR_HANDLE PolicyHandle,
   [in, range(0,1000)] unsigned long Count,
   [in, size_is(Count)] PRPC_UNICODE_STRING Names,
   [out] PLSAPR_REFERENCED_DOMAIN_LIST* ReferencedDomains,
   [in, out] PLSAPR_TRANSLATED_SIDS TranslatedSids,
   [in] LSAP_LOOKUP_LEVEL LookupLevel,
   [in, out] unsigned long* MappedCount

PolicyHandle: Context handle obtained by an LsarOpenPolicy or LsarOpenPolicy2 call.

Count: Number of names in the Names array.<33>

Names: Contains the security principal names to translate, as specified in section

ReferencedDomains: On successful return, contains the domain information for the domain to which each security principal belongs. The domain information includes a NetBIOS domain name and a domain SID for each entry in the list.

TranslatedSids: On successful return, contains the corresponding SID forms for security principal names in the Names parameter. It MUST be ignored on input.

LookupLevel: Specifies what scopes are to be used during translation, as specified in section 2.2.16.

MappedCount: On successful return, contains the number of names that are translated completely to their SID forms. This parameter has no effect on message processing in any environment. It MUST be ignored on input.

Return Values: The following table contains a summary of the return values that an implementation MUST return, as specified by the message processing shown after the table.

Return value/code




The request was successfully completed.



Some of the information to be translated has not been translated.



The caller does not have the permissions to perform this operation.



One of the supplied parameters was invalid.



None of the information to be translated has been translated.

The behavior required when receiving an LsarLookupNames message MUST be identical to that when receiving an LsarLookupNames2 message, with the following exceptions:

  • Elements in the TranslatedSids output structure do not contain a Flags field.

  • Due to the absence of the LookupOptions and ClientRevision parameters, the RPC server MUST assume that LookupOptions is 0 and ClientRevision is 1.

  • The server MUST return STATUS_ACCESS_DENIED if neither of the following conditions is true:

    1. The RPC_C_AUTHN_NETLOGON security provider (as specified in [MS-RPCE] section and at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY authentication level (as specified in [MS-RPCE] section were used in this RPC message.

    2. The PolicyHandle was granted POLICY_LOOKUP_NAMES access.