3.1.4.5.12 LsarRemoveAccountRights (Opnum 38)
The LsarRemoveAccountRights method is invoked to remove rights from an account object.
-
NTSTATUS LsarRemoveAccountRights( [in] LSAPR_HANDLE PolicyHandle, [in] PRPC_SID AccountSid, [in] unsigned char AllRights, [in] PLSAPR_USER_RIGHT_SET UserRights );
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.
AccountSid: A security descriptor of an account object.
AllRights: If this field is not set to 0, all rights will be removed.
UserRights: A set of rights to remove from the account.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
-
Return value/code
Description
0x00000000
STATUS_SUCCESS
The request was successfully completed.
0xC0000022
STATUS_ACCESS_DENIED
The caller does not have the permissions to perform this operation.
0xC000000D
STATUS_INVALID_PARAMETER
One or more of the supplied parameters was invalid.
0xC0000060
STATUS_NO_SUCH_PRIVILEGE
The rights supplied were not recognized.
0xC0000034
STATUS_OBJECT_NAME_NOT_FOUND
An account with this SID does not exist.
0xC0000008
STATUS_INVALID_HANDLE
PolicyHandle is not a valid handle.
0xC00000BB
STATUS_NOT_SUPPORTED
The operation is not supported by the server.
Processing:
This message takes four arguments:
PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW | DELETE.
If IsRequestorAnonymous() returns TRUE (section 3.1.4.2.3) and LsaRestrictAnonymous is set to TRUE, the call MUST fail with STATUS_OBJECT_NAME_NOT_FOUND.
AccountSid: The security identifier of the account to modify. The server MUST verify that such an account exists in its database and fail the request with STATUS_OBJECT_NAME_NOT_FOUND otherwise.
AllRights: If nonzero, all system access rights and privileges will be stripped from the account.
UserRights: A set of rights and privileges to remove from the account. If the server does not recognize any of the rights, server MUST return STATUS_NO_SUCH_PRIVILEGE.
The server MUST NOT allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". The request MUST be rejected with STATUS_NOT_SUPPORTED.<74>
If the resulting set of access rights and privileges is empty, the server MUST delete the account object from its database.