3.1.4.4.3 LsarQueryInformationPolicy2 (Opnum 46)

The LsarQueryInformationPolicy2 method is invoked to query values that represent the server's security policy.

 NTSTATUS LsarQueryInformationPolicy2(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] POLICY_INFORMATION_CLASS InformationClass,
   [out, switch_is(InformationClass)] 
     PLSAPR_POLICY_INFORMATION* PolicyInformation
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

InformationClass: A parameter that specifies what type of information the caller is requesting.

PolicyInformation: A parameter that references a policy information structure on return.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing below.

| Return value/code | Description |
| --- | --- |
| 0x00000000 STATUS_SUCCESS | The request was successfully completed. |
| 0xC000009A STATUS_INSUFFICIENT_RESOURCES | There are insufficient resources to complete the request. |
| 0xC0000022 STATUS_ACCESS_DENIED | The caller does not have the permissions to perform the operation. |
| 0xC000000D STATUS_INVALID_PARAMETER | One of the parameters is incorrect. For instance, this can happen if InformationClass is out of range or if PolicyInformation is NULL. |
| 0xC0000008 STATUS_INVALID_HANDLE | PolicyHandle is not a valid handle. |

Processing:

PolicyHandle MUST be a handle to an open policy object, and PolicyHandle.HandleType MUST equal "Policy"; otherwise, STATUS_INVALID_HANDLE MUST be returned.

The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value or indicates if no processing is supported, regardless of access granted.

| InformationClass value | RequiredAccess value |
| --- | --- |
| PolicyAuditLogInformation | POLICY_VIEW_AUDIT_INFORMATION |
| PolicyAuditEventsInformation | POLICY_VIEW_AUDIT_INFORMATION |
| PolicyPrimaryDomainInformation | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyPdAccountInformation | POLICY_GET_PRIVATE_INFORMATION |
| PolicyAccountDomainInformation | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyLsaServerRoleInformation | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyReplicaSourceInformation | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyModificationInformation | Not applicable: This information class cannot be queried. The request MUST fail with STATUS_INVALID_PARAMETER. |
| PolicyAuditFullSetInformation | Not applicable: This information class cannot be queried. The request MUST fail with STATUS_INVALID_PARAMETER. |
| PolicyAuditFullQueryInformation | POLICY_VIEW_AUDIT_INFORMATION |
| PolicyDnsDomainInformation | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyDnsDomainInformationInt | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyLocalAccountDomainInformation | POLICY_VIEW_LOCAL_INFORMATION |
| PolicyMachineAccountInformation | POLICY_VIEW_LOCAL_INFORMATION |

The InformationClass parameter can take on any value in the POLICY_INFORMATION_CLASS enumeration range. For all values outside this range, the server MUST return a STATUS_INVALID_PARAMETER error code.
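The handle check, class validation and access check described above, as an added example in C (not code from the specification or from any implementation). The numeric class values and access-mask bits come from other MS-LSAD sections; `policy_handle`, `required_access` and `query_policy2_precheck` are hypothetical names, and rejecting class value 8, which this page's table does not list, is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* NTSTATUS codes from the return-value table on this page. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_HANDLE    0xC0000008u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_ACCESS_DENIED     0xC0000022u

/* Access-mask bits as defined elsewhere in MS-LSAD (not on this page). */
#define POLICY_VIEW_LOCAL_INFORMATION  0x00000001u
#define POLICY_VIEW_AUDIT_INFORMATION  0x00000002u
#define POLICY_GET_PRIVATE_INFORMATION 0x00000004u

/* Index = POLICY_INFORMATION_CLASS value (1..15). A zero entry means the
   class cannot be queried. Slot 8 is absent from the table: assumed rejected. */
static const uint32_t required_access[16] = {
    [1]  = POLICY_VIEW_AUDIT_INFORMATION,  /* PolicyAuditLogInformation */
    [2]  = POLICY_VIEW_AUDIT_INFORMATION,  /* PolicyAuditEventsInformation */
    [3]  = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyPrimaryDomainInformation */
    [4]  = POLICY_GET_PRIVATE_INFORMATION, /* PolicyPdAccountInformation */
    [5]  = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyAccountDomainInformation */
    [6]  = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyLsaServerRoleInformation */
    [7]  = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyReplicaSourceInformation */
    /* 9 PolicyModificationInformation, 10 PolicyAuditFullSetInformation: 0 */
    [11] = POLICY_VIEW_AUDIT_INFORMATION,  /* PolicyAuditFullQueryInformation */
    [12] = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyDnsDomainInformation */
    [13] = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyDnsDomainInformationInt */
    [14] = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyLocalAccountDomainInformation */
    [15] = POLICY_VIEW_LOCAL_INFORMATION,  /* PolicyMachineAccountInformation */
};

typedef struct { int is_policy; uint32_t granted; } policy_handle; /* hypothetical */

uint32_t query_policy2_precheck(const policy_handle *h, uint32_t info_class,
                                const void *out_ptr)
{
    if (h == NULL || !h->is_policy)        /* HandleType must be "Policy" */
        return STATUS_INVALID_HANDLE;
    if (out_ptr == NULL || info_class >= 16 || required_access[info_class] == 0)
        return STATUS_INVALID_PARAMETER;   /* regardless of access granted */
    if ((h->granted & required_access[info_class]) != required_access[info_class])
        return STATUS_ACCESS_DENIED;       /* handle lacks RequiredAccess */
    return STATUS_SUCCESS;                 /* server may now fill PolicyInformation */
}

int main(void) {
    policy_handle h = { 1, POLICY_VIEW_LOCAL_INFORMATION };
    return query_policy2_precheck(&h, 3, &h) != STATUS_SUCCESS;
}
```

A handle granted only POLICY_VIEW_LOCAL_INFORMATION passes for the domain and role classes but is denied for the audit classes and for PolicyPdAccountInformation, which is the separation to confirm when reviewing what access a policy handle was opened with.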

PolicyInformation is an output parameter. The server MUST fill it in with the information requested by the client, based on the value of the InformationClass parameter and the abstract data model specified in section 3.1.1.1, as follows.

| Value of InformationClass parameter | Information returned to caller from abstract data model |
| --- | --- |
| PolicyAuditLogInformation | Auditing Log Information |
| PolicyAuditEventsInformation | Event Auditing Options |
| PolicyPrimaryDomainInformation | Primary Domain Information |
| PolicyPdAccountInformation | MUST return an LSAPR_POLICY_PD_ACCOUNT_INFO information structure, its Name member being an RPC_UNICODE_STRING with Length set to 0 and Buffer initialized to NULL. |
| PolicyAccountDomainInformation | On non–domain controllers: Account Domain; on domain controller: Primary Domain Information |
| PolicyLsaServerRoleInformation | Server Role Information |
| PolicyReplicaSourceInformation | Replica Source Information |
| PolicyModificationInformation | MUST return STATUS_INVALID_PARAMETER |
| PolicyAuditFullSetInformation | MUST return STATUS_INVALID_PARAMETER |
| PolicyAuditFullQueryInformation | Audit Full Information<63> |
| PolicyDnsDomainInformation | DNS Domain Information<64> |
| PolicyDnsDomainInformationInt | DNS Domain Information |
| PolicyLocalAccountDomainInformation | Account Domain Information |
| PolicyMachineAccountInformation | Machine Account Information |