3.1.4.7.13 LsarQueryInfoTrustedDomain (Opnum 26)
The LsarQueryInfoTrustedDomain method is invoked to retrieve information about the trusted domain object.
```
NTSTATUS LsarQueryInfoTrustedDomain(
  [in] LSAPR_HANDLE TrustedDomainHandle,
  [in] TRUSTED_INFORMATION_CLASS InformationClass,
  [out, switch_is(InformationClass)]
    PLSAPR_TRUSTED_DOMAIN_INFO* TrustedDomainInformation
);
```
TrustedDomainHandle: An open trusted domain object handle.
InformationClass: One of the TRUSTED_INFORMATION_CLASS values indicating the type of information the caller is interested in.
TrustedDomainInformation: Used to return requested information about the trusted domain object.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
Return value/code | Description |
---|---|
0x00000000 STATUS_SUCCESS | The request was successfully completed. |
0xC0000022 STATUS_ACCESS_DENIED | The caller does not have the permissions to perform this operation. |
0xC000000D STATUS_INVALID_PARAMETER | One of the arguments supplied to the function was invalid. |
0xC0000003 STATUS_INVALID_INFO_CLASS | The InformationClass argument is outside the allowed range. |
0xC0000008 STATUS_INVALID_HANDLE | TrustedDomainHandle is not a valid handle. |
Processing:
This message takes three arguments:
TrustedDomainHandle: An open handle to a trusted domain object. If the handle is not a valid context handle to a trusted domain object or TrustedDomainHandle.HandleType does not equal "Trusted Domain", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that TrustedDomainHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value, or indicates if no processing is supported, regardless of access granted. There are several methods in the Local Security Authority (Domain Policy) Remote Protocol that query trusted domain information. All of them enforce the same rights assignments based on information class as described in the following table.
Value of InformationClass parameter | RequiredAccess value |
---|---|
TrustedDomainNameInformation, TrustedDomainInformationBasic, TrustedDomainInformationEx, TrustedDomainInformationEx2Internal | TRUSTED_QUERY_DOMAIN_NAME |
TrustedControllersInformation | Does not apply: This information class is obsolete and cannot be set or queried. The server MUST return STATUS_INVALID_PARAMETER. |
TrustedPosixOffsetInformation, TrustedDomainSupportedEncryptionTypes | TRUSTED_QUERY_POSIX |
TrustedPasswordInformation, TrustedDomainAuthInformation, TrustedDomainAuthInformationInternal | TRUSTED_QUERY_AUTH |
TrustedDomainFullInformation, TrustedDomainFullInformationInternal, TrustedDomainFullInformation2Internal | TRUSTED_QUERY_DOMAIN_NAME \| TRUSTED_QUERY_POSIX \| TRUSTED_QUERY_AUTH |
InformationClass: A value from the TRUSTED_INFORMATION_CLASS enumeration specifying what type of information the caller is requesting. Not all values are valid. For values outside the TRUSTED_INFORMATION_CLASS range, the server MUST reject the request with STATUS_INVALID_PARAMETER. Information class values TrustedDomainAuthInformationInternal and TrustedDomainFullInformationInternal MUST be rejected with STATUS_INVALID_INFO_CLASS.
TrustedDomainInformation: Used to return the data requested by the caller, in a structure form corresponding to the InformationClass parameter. Information MUST be collected from the abstract data model specified in section 3.1.1.5.
Value of InformationClass parameter | Information to return |
---|---|
TrustedDomainNameInformation | Flat Name |
TrustedPosixOffsetInformation | Posix Offset |
TrustedDomainInformationEx | Name, Flat Name, Security Identifier, Posix Offset, Trust Type, Trust Direction, Trust Attributes |
TrustedDomainAuthInformation, TrustedDomainAuthInformationInternal, TrustedDomainFullInformationInternal | Not applicable: This information class cannot be queried. Server MUST return STATUS_INVALID_INFO_CLASS. |
TrustedDomainFullInformation | Name, Flat Name, Security Identifier, Posix Offset, Trust Type, Trust Direction, Trust Attributes. Trust Incoming and Outgoing Password values MUST be set to 0. |
TrustedDomainFullInformation2Internal | Name, Flat Name, Security Identifier, Posix Offset, Trust Type, Trust Direction, Trust Attributes, and Forest Trust Attributes, as stored in Active Directory under the msDs-TrustForestTrustInfo attribute ([MS-ADTS] section 6.1.6.9.3). Trust Incoming and Outgoing Password values MUST be set to 0. |
TrustedDomainSupportedEncryptionTypes | Supported Encryption Types |
Other values | Server MUST return STATUS_INVALID_PARAMETER. |
If the server is not at DS_BEHAVIOR_WIN2003 forest functional level, the presence of the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit in the Trust Attributes field of a trusted domain object MUST NOT be returned by the server.<106>
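The following Python model is an added example, not part of the specification. It combines the two tables above into the status a server returns before any data is collected, which is useful when writing conformance tests or auditing which handle rights expose which trust data. The numeric enum and access-mask values are the MS-LSAD definitions and are not listed on this page; the order of the checks, the `query_status` name, and the representation of the handle as a type string plus granted mask are assumptions.

```python
from enum import IntEnum, IntFlag

class Access(IntFlag):      # trusted-domain access bits (values not listed on this page)
    TRUSTED_QUERY_DOMAIN_NAME = 0x01
    TRUSTED_QUERY_POSIX = 0x08
    TRUSTED_QUERY_AUTH = 0x40

class InfoClass(IntEnum):   # TRUSTED_INFORMATION_CLASS (values not listed on this page)
    TrustedDomainNameInformation = 1
    TrustedControllersInformation = 2
    TrustedPosixOffsetInformation = 3
    TrustedPasswordInformation = 4
    TrustedDomainInformationBasic = 5
    TrustedDomainInformationEx = 6
    TrustedDomainAuthInformation = 7
    TrustedDomainFullInformation = 8
    TrustedDomainAuthInformationInternal = 9
    TrustedDomainFullInformationInternal = 10
    TrustedDomainInformationEx2Internal = 11
    TrustedDomainFullInformation2Internal = 12
    TrustedDomainSupportedEncryptionTypes = 13

STATUS_SUCCESS, STATUS_INVALID_INFO_CLASS = 0x00000000, 0xC0000003
STATUS_INVALID_HANDLE, STATUS_INVALID_PARAMETER = 0xC0000008, 0xC000000D
STATUS_ACCESS_DENIED = 0xC0000022

C, A = InfoClass, Access
FULL = A.TRUSTED_QUERY_DOMAIN_NAME | A.TRUSTED_QUERY_POSIX | A.TRUSTED_QUERY_AUTH
# Classes this method returns data for, paired with RequiredAccess from the rights table.
QUERYABLE = {
    C.TrustedDomainNameInformation: A.TRUSTED_QUERY_DOMAIN_NAME,
    C.TrustedPosixOffsetInformation: A.TRUSTED_QUERY_POSIX,
    C.TrustedDomainInformationEx: A.TRUSTED_QUERY_DOMAIN_NAME,
    C.TrustedDomainFullInformation: FULL,
    C.TrustedDomainFullInformation2Internal: FULL,
    C.TrustedDomainSupportedEncryptionTypes: A.TRUSTED_QUERY_POSIX,
}
NOT_QUERYABLE = {C.TrustedDomainAuthInformation, C.TrustedDomainAuthInformationInternal,
                 C.TrustedDomainFullInformationInternal}

def query_status(handle_type, granted, info_class):
    """Status decided before data collection (check order is an assumption)."""
    if handle_type != "Trusted Domain":
        return STATUS_INVALID_HANDLE
    if info_class in NOT_QUERYABLE:   # rejected regardless of access granted
        return STATUS_INVALID_INFO_CLASS
    required = QUERYABLE.get(info_class)
    if required is None:   # out of range, obsolete, or an "Other values" class
        return STATUS_INVALID_PARAMETER
    if granted & required != required:   # every required bit must be granted
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS
```

Classes that appear only in the rights table (for example TrustedPasswordInformation) fall under "Other values" in this model, because the rights table is shared with the other query methods while the return table is specific to this one.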