3.1.4.4.3 LsarQueryInformationPolicy2 (Opnum 46)
The LsarQueryInformationPolicy2 method is invoked to query values that represent the server's security policy.
-
NTSTATUS LsarQueryInformationPolicy2( [in] LSAPR_HANDLE PolicyHandle, [in] POLICY_INFORMATION_CLASS InformationClass, [out, switch_is(InformationClass)] PLSAPR_POLICY_INFORMATION* PolicyInformation );
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.
InformationClass: A parameter that specifies what type of information the caller is requesting.
PolicyInformation: A parameter that references policy information structure on return.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing below.
-
Return value/code
Description
0x00000000
STATUS_SUCCESS
The request was successfully completed.
0xC000009A
STATUS_INSUFFICIENT_RESOURCES
There are insufficient resources to complete the request.
0xC0000022
STATUS_ACCESS_DENIED
The caller does not have the permissions to perform the operation.
0xC000000D
STATUS_INVALID_PARAMETER
One of the parameters is incorrect. For instance, this can happen if InformationClass is out of range or if PolicyInformation is NULL.
0xC0000008
STATUS_INVALID_HANDLE
PolicyHandle is not a valid handle.
Processing:
PolicyHandle MUST be a handle to an open policy object, and PolicyHandle.HandleType MUST equal "Policy"; otherwise, STATUS_INVALID_HANDLE MUST be returned.
The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2. The following table specifies the RequiredAccess value to use in this access check for each InformationClass value or indicates if no processing is supported, regardless of access granted.
|
InformationClass value |
RequiredAccess value |
|---|---|
|
PolicyAuditLogInformation |
POLICY_VIEW_AUDIT_INFORMATION |
|
PolicyAuditEventsInformation |
POLICY_VIEW_AUDIT_INFORMATION |
|
PolicyPrimaryDomainInformation |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyPdAccountInformation |
POLICY_GET_PRIVATE_INFORMATION |
|
PolicyAccountDomainInformation |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyLsaServerRoleInformation |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyReplicaSourceInformation |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyModificationInformation |
Not applicable: This information class cannot be queried. The request MUST fail with STATUS_INVALID_PARAMETER. |
|
PolicyAuditFullSetInformation |
Not applicable: This information class cannot be queried. The request MUST fail with STATUS_INVALID_PARAMETER. |
|
PolicyAuditFullQueryInformation |
POLICY_VIEW_AUDIT_INFORMATION |
|
PolicyDnsDomainInformation |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyDnsDomainInformationInt |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyLocalAccountDomainInformation |
POLICY_VIEW_LOCAL_INFORMATION |
|
PolicyMachineAccountInformation |
POLICY_VIEW_LOCAL_INFORMATION |
The InformationClass parameter can take on any value in the POLICY_INFORMATION_CLASS enumeration range. For all values outside this range, the server MUST return a STATUS_INVALID_PARAMETER error code.
PolicyInformation is an output parameter. The server MUST fill it in with the information requested by the client, based on the value of the InformationClass parameter and the abstract data model specified in section 3.1.1.1, as follows.
|
Value of InformationClass parameter |
Information returned to caller from abstract data model |
|---|---|
|
PolicyAuditLogInformation |
Auditing Log Information |
|
PolicyAuditEventsInformation |
Event Auditing Options |
|
PolicyPrimaryDomainInformation |
Primary Domain Information |
|
PolicyPdAccountInformation |
MUST return an LSAPR_POLICY_PD_ACCOUNT_INFO information structure, its Name member being an RPC_UNICODE_STRING with Length set to 0 and Buffer initialized to NULL. |
|
PolicyAccountDomainInformation |
On non–domain controllers: Account Domain On domain controller: Primary Domain Information |
|
PolicyLsaServerRoleInformation |
Server Role Information |
|
PolicyReplicaSourceInformation |
Replica Source Information |
|
PolicyModificationInformation |
MUST return STATUS_INVALID_PARAMETER |
|
PolicyAuditFullSetInformation |
MUST return STATUS_INVALID_PARAMETER |
|
PolicyAuditFullQueryInformation |
Audit Full Information<63> |
|
PolicyDnsDomainInformation |
DNS Domain Information<64> |
|
PolicyDnsDomainInformationInt |
DNS Domain Information |
|
PolicyLocalAccountDomainInformation |
Account Domain Information |
|
PolicyMachineAccountInformation |
Machine Account Information |