3.1.4.5.11 LsarAddAccountRights (Opnum 37)
The LsarAddAccountRights method is invoked to add new rights to an account object. If the account object does not exist, the system will attempt to create one.
NTSTATUS LsarAddAccountRights(
  [in] LSAPR_HANDLE PolicyHandle,
  [in] PRPC_SID AccountSid,
  [in] PLSAPR_USER_RIGHT_SET UserRights
);
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.
AccountSid: A security identifier of an account to add the rights to.
UserRights: A set of right names to add to the account.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
| Return value/code | Description |
| --- | --- |
| 0x00000000 STATUS_SUCCESS | The request was successfully completed. |
| 0xC0000022 STATUS_ACCESS_DENIED | The caller does not have the permissions to perform this operation. |
| 0xC000000D STATUS_INVALID_PARAMETER | One or more of the supplied parameters was invalid. |
| 0xC0000060 STATUS_NO_SUCH_PRIVILEGE | The rights supplied were not recognized. |
| 0xC0000008 STATUS_INVALID_HANDLE | PolicyHandle is not a valid handle. |
Processing:
This message takes three arguments:
PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with:
RequiredAccess set to POLICY_CREATE_ACCOUNT if the account identified by the AccountSid parameter does not exist in the server's database, or
RequiredAccess set to ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW if the account identified by the AccountSid parameter exists in the server's database.
AccountSid: A security identifier of the account object. The server MUST create the account object if one does not exist.
UserRights: A set of system access rights and privileges to be added to the account. If the server does not recognize any of the rights, it MUST return STATUS_NO_SUCH_PRIVILEGE.
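The processing rules above, modelled as an added example; this is not code from the specification or from any LSA implementation. The handle struct, the function names, the list of recognized rights, the NULL-argument checks and the order of the checks are assumptions, and the access-mask values are taken from the MS-LSAD access-mask definitions rather than from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values from the return-value table above. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_HANDLE     0xC0000008u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_ACCESS_DENIED      0xC0000022u
#define STATUS_NO_SUCH_PRIVILEGE  0xC0000060u
/* Access-mask bits as defined elsewhere in MS-LSAD (not on this page). */
#define ACCOUNT_VIEW                  0x00000001u
#define ACCOUNT_ADJUST_PRIVILEGES     0x00000002u
#define ACCOUNT_ADJUST_SYSTEM_ACCESS  0x00000008u
#define POLICY_CREATE_ACCOUNT         0x00000010u

/* Hypothetical stand-in for the server's per-handle state. */
typedef struct { int is_policy; uint32_t granted; } model_handle;
/* Constructed sample of right names this model server recognizes. */
static const char *KNOWN_RIGHTS[] = {
    "SeBackupPrivilege", "SeShutdownPrivilege", "SeInteractiveLogonRight" };

static int right_known(const char *name) {
    for (size_t i = 0; i < sizeof KNOWN_RIGHTS / sizeof *KNOWN_RIGHTS; i++)
        if (strcmp(name, KNOWN_RIGHTS[i]) == 0) return 1;
    return 0;
}

/* Returns the status; *create_account is set when the account must be created. */
uint32_t model_add_account_rights(const model_handle *h, const char *sid,
        int account_exists, const char **rights, size_t n, int *create_account) {
    *create_account = 0;
    if (h == NULL || !h->is_policy) return STATUS_INVALID_HANDLE;
    if (sid == NULL || (rights == NULL && n > 0)) return STATUS_INVALID_PARAMETER;
    /* RequiredAccess depends on whether the account object already exists. */
    uint32_t required = account_exists
        ? (ACCOUNT_ADJUST_PRIVILEGES | ACCOUNT_ADJUST_SYSTEM_ACCESS | ACCOUNT_VIEW)
        : POLICY_CREATE_ACCOUNT;
    /* Assumption: access is granted only if every required bit is present. */
    if ((h->granted & required) != required) return STATUS_ACCESS_DENIED;
    /* Validate every name before changing state, so a rejected call adds nothing. */
    for (size_t i = 0; i < n; i++) {
        if (rights[i] == NULL) return STATUS_INVALID_PARAMETER;
        if (!right_known(rights[i])) return STATUS_NO_SUCH_PRIVILEGE;
    }
    *create_account = !account_exists;
    return STATUS_SUCCESS;
}
```

In this model a handle that carries only POLICY_CREATE_ACCOUNT can add rights to a SID with no account object but is denied for an existing account, which is the branch worth checking when reviewing what access a policy handle was opened with.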