3.1.4.5.12 LsarRemoveAccountRights (Opnum 38)

The LsarRemoveAccountRights method is invoked to remove rights from an account object.

 NTSTATUS LsarRemoveAccountRights(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] PRPC_SID AccountSid,
   [in] unsigned char AllRights,
   [in] PLSAPR_USER_RIGHT_SET UserRights
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

AccountSid: A security descriptor of an account object.

AllRights: If this field is not set to 0, all rights will be removed.

UserRights: A set of rights to remove from the account.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC000000D

STATUS_INVALID_PARAMETER

One or more of the supplied parameters was invalid.

0xC0000060

STATUS_NO_SUCH_PRIVILEGE

The rights supplied were not recognized.

0xC0000034

STATUS_OBJECT_NAME_NOT_FOUND

An account with this SID does not exist.

0xC0000008

STATUS_INVALID_HANDLE

PolicyHandle is not a valid handle.

0xC00000BB

STATUS_NOT_SUPPORTED

The operation is not supported by the server.

Processing:

This message takes four arguments:

PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW | DELETE.

If IsRequestorAnonymous() returns TRUE (section 3.1.4.2.3) and LsaRestrictAnonymous is set to TRUE, the call MUST fail with STATUS_OBJECT_NAME_NOT_FOUND.

AccountSid: The security identifier of the account to modify. The server MUST verify that such an account exists in its database and fail the request with STATUS_OBJECT_NAME_NOT_FOUND otherwise.

AllRights: If nonzero, all system access rights and privileges will be stripped from the account.

UserRights: A set of rights and privileges to remove from the account. If the server does not recognize any of the rights, server MUST return STATUS_NO_SUCH_PRIVILEGE.

The server MUST NOT allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". The request MUST be rejected with STATUS_NOT_SUPPORTED.<74>

If the resulting set of access rights and privileges is empty, the server MUST delete the account object from its database.