Security Management Functions
This section contains topics for the following groups of functions:
- Attachment Callback Functions
- Attachment Engine Functions
- LSA Policy Functions
- Managed Service Account Functions
- Password Filter Functions
- Safer Functions
Attachment Callback Functions
The following support functions are provided by the Security Configuration tool set and may be used by attachment engines and extension snap-ins to read and write configuration data.
| Callback function | Description |
|---|---|
| PFSCE_FREE_INFO | Used to free memory allocated by these support functions. |
| PFSCE_LOG_INFO | Used to log messages to the configuration log file or analysis log file. |
| PFSCE_QUERY_INFO | Used to query the configuration and analysis information for a specific service. |
| PFSCE_SET_INFO | Used to set configuration and analysis information for a specific service. |
Attachment Engine Functions
| Function | Description |
|---|---|
| SceSvcAttachmentAnalyze | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is analyzed. |
| SceSvcAttachmentConfig | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is configured. |
| SceSvcAttachmentUpdate | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when it receives a configuration update request from the attachment snap-in extension. |
LSA Policy Functions
The following topics provide reference information for the Local Security Authority (LSA) Policy functions.
| Topic | Description |
|---|---|
| Policy Functions | Details functions used to open the local Policy object and to set or retrieve global policy information. |
| Account Functions | Details functions used to manage account permissions and to create and delete user accounts. |
| Trusted Domain Functions | Details functions used to create and delete trusted domain relationships and to set and retrieve information about those trusted domains. |
| Private Data Functions | Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions. |
| Miscellaneous Functions | Details functions not described elsewhere. |
Policy Functions
The following functions enumerate user accounts and trusted domains, receive policy change notifications, and look up account names and SIDs.
| Function | Description |
|---|---|
| LsaEnumerateAccountsWithUserRight | Enumerates all the accounts that have a specified user permission. |
| LsaEnumerateTrustedDomainsEx | Enumerates the trusted domains. |
| LsaLookupNames | Maps the specified names to their SIDs. Returns the SID as an RID/Domain SID pair. |
| LsaLookupNames2 | Maps the specified names to their SIDs. Returns the SID as a single element. |
| LsaLookupPrivilegeValue | Retrieves the locally unique identifier (LUID) used by the Local Security Authority (LSA) to represent the specified privilege name. |
| LsaLookupSids | Maps the specified account names to their SIDs. |
| LsaRegisterPolicyChangeNotification | Registers an event object to receive notifications when the local policy information changes. |
| LsaUnregisterPolicyChangeNotification | Unregisters an event object that is receiving policy change notifications. |
Account Functions
The following functions add, enumerate, and delete permissions for an account.
| Function | Description |
|---|---|
| LsaAddAccountRights | Adds permissions to an account. If the account does not already exist, it is created. |
| LsaEnumerateAccountRights | Enumerates the permissions granted to an account. |
| LsaRemoveAccountRights | Removes permissions from an account. When all the permissions are removed, the account is deleted. |
Trusted Domain Functions
The following functions create, enumerate, and delete trusted domains and set and retrieve trusted domain information.
| Function | Description |
|---|---|
| LsaCreateTrustedDomainEx | Creates a new TrustedDomain object. |
| LsaDeleteTrustedDomain | Removes a TrustedDomain object. |
| LsaEnumerateTrustedDomains, LsaEnumerateTrustedDomainsEx | Enumerates the domains currently trusted by the local system. |
| LsaOpenTrustedDomainByName | Opens a handle to a TrustedDomain object. |
| LsaQueryTrustedDomainInfo | Retrieves information about a trusted domain. The domain is specified by SID. |
| LsaQueryTrustedDomainInfoByName | Retrieves information about a trusted domain. The domain is specified by name. |
| LsaSetTrustedDomainInfoByName | Sets information for a trusted domain. The domain is specified by name. |
| LsaSetTrustedDomainInformation | Sets information for a trusted domain. The domain is specified by SID. |
Private Data Functions
Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions.
| Function | Description |
|---|---|
| LsaRetrievePrivateData | Retrieves and decrypts a string. |
| LsaStorePrivateData | Encrypts and stores a string. |
Miscellaneous Functions
The LSA Policy API has the following three functions that do not fit into any of the other LSA Policy function categories.
| Function | Description |
|---|---|
| LsaClose | Closes a handle to a Policy object or a TrustedDomain object. |
| LsaFreeMemory | Frees a buffer allocated by an LSA function. |
| LsaNtStatusToWinError | Converts an NTSTATUS value to a Windows error code. |
Managed Service Account Functions
The following functions are used to create, enumerate, find, and delete managed service accounts.
| Function | Description |
|---|---|
| NetAddServiceAccount | Creates a managed service account. |
| NetEnumerateServiceAccounts | Enumerates the service accounts on the specified server. |
| NetIsServiceAccount | Tests whether the specified service account exists in the Netlogon store on the specified server. |
| NetRemoveServiceAccount | Deletes the specified service account from the Active Directory database. |
Password Filter Functions
The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.
| Function | Description |
|---|---|
| InitializeChangeNotify | Indicates that a password filter DLL is initialized. |
| PasswordChangeNotify | Indicates that a password has been changed. |
| PasswordFilter | Validates a new password based on password policy. |
Safer Functions
The following Safer functions can be used to check the Safer level of any executable and to log events.
| Function | Description |
|---|---|
| SaferCloseLevel | Closes a SAFER_LEVEL_HANDLE opened by using the SaferIdentifyLevel function or the SaferCreateLevel function. |
| SaferComputeTokenFromLevel | Restricts a token using restrictions specified by a SAFER_LEVEL_HANDLE. |
| SaferCreateLevel | Opens a SAFER_LEVEL_HANDLE. |
| SaferGetLevelInformation | Retrieves information about a policy level. |
| SaferGetPolicyInformation | Retrieves information about a policy. |
| SaferIdentifyLevel | Retrieves information about a level. |
| SaferiIsExecutableFileType | Determines whether a specified file is an executable file. |
| SaferRecordEventLogEntry | Sends a message to the event log. |
| SaferSetLevelInformation | Sets the information about a policy level. |
| SaferSetPolicyInformation | Sets the global policy controls. |