internal static extern uint LsaLookupSids( SafeLsaPolicyHandle handle, int count, IntPtr[] sids, ref SafeLsaMemoryHandle referencedDomains, ref SafeLsaMemoryHandle names );
private static extern uint LsaOpenPolicy( #endif ref UNICODE_STRING SystemName, ref OBJECT_ATTRIBUTES ObjectAttributes, int AccessMask, out SafeLsaPolicyHandle PolicyHandle );
private AccountLogonRights GetSystemAccess(SafeLsaPolicyHandle hAcct) { int rights; ThrowIfLsaError(LsaGetSystemAccessAccount(hAcct, out rights)); return((AccountLogonRights)rights); }
public static extern uint LsaLookupNames2( SafeLsaPolicyHandle PolicyHandle, LsaLookupNamesFlags Flags, uint Count, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringArrayMarshaler))] string[] Names, out SafeLsaMemoryHandle ReferencedDomains, out SafeLsaMemoryHandle Sids);
/// <summary>Initializes a new instance of the <see cref="LocalSecurityAuthority"/> class.</summary> /// <param name="server">The server. Use <c>null</c> for the local server.</param> /// <param name="access">The access rights mask for the actions to be taken.</param> public LocalSecurityAuthority(string server = null, DesiredAccess access = DesiredAccess.AllAccess) { handle = LsaOpenPolicy(server, (LsaPolicyRights)((uint)AccessTypes.STANDARD_RIGHTS_REQUIRED | (uint)access)); svr = server; CurrentUserLogonRights = new LogonRights(this); CurrentUserPrivileges = new AccountPrivileges(this); }
public static extern uint LsaRemoveAccountRights( SafeLsaPolicyHandle PolicyHandle, PSID AccountSid, [MarshalAs(UnmanagedType.Bool)] bool AllRights, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringArrayMarshaler))] string[] UserRights, int CountOfRights);
public static extern uint LsaLookupSids2( SafeLsaPolicyHandle PolicyHandle, LsaLookupSidsFlags LookupOptions, uint Count, [In, MarshalAs(UnmanagedType.LPArray)] IntPtr[] Sids, out SafeLsaMemoryHandle ReferencedDomains, out SafeLsaMemoryHandle Names);
internal static partial uint LsaLookupNames2( SafeLsaPolicyHandle handle, int flags, int count, MARSHALLED_UNICODE_STRING[] names, out SafeLsaMemoryHandle referencedDomains, out SafeLsaMemoryHandle sids );
internal static extern uint LsaLookupNames2( SafeLsaPolicyHandle handle, int flags, int count, UNICODE_STRING[] names, ref SafeLsaMemoryHandle referencedDomains, ref SafeLsaMemoryHandle sids );
protected virtual void Dispose(bool disposing) { if (disposing && this.policyHandle != null) { // Dispose managed state this.policyHandle.Dispose(); this.policyHandle = null; } }
/// <summary>The LsaEnumerateAccountRights function enumerates the privileges assigned to an account.</summary> /// <param name="PolicyHandle"> /// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle. /// </param> /// <param name="AccountSid">Pointer to the SID of the account for which to enumerate privileges.</param> /// <returns>An enumeration of strings containing the names of privileges held by the account. For a list of privilege names, see Privilege Constants.</returns> public static IEnumerable <string> LsaEnumerateAccountRights(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid) { var ret = LsaEnumerateAccountRights(PolicyHandle, AccountSid, out SafeLsaMemoryHandle mem, out uint cnt); var winErr = LsaNtStatusToWinError(ret); if (winErr == Win32Error.ERROR_FILE_NOT_FOUND) { return(new string[0]); } winErr.ThrowIfFailed(); return(mem.DangerousGetHandle().ToIEnum <LSA_UNICODE_STRING>((int)cnt).Select(u => (string)u.ToString().Clone())); }
/// <summary> /// The LsaEnumerateAccountsWithUserRight function returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a /// specified privilege. The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership /// to a group. /// </summary> /// <param name="PolicyHandle"> /// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more information, see /// Opening a Policy Object Handle. /// </param> /// <param name="UserRights"> /// A string that specifies the name of a privilege. For a list of privileges, see Privilege Constants and Account Rights Constants. /// <para>If this parameter is NULL, the function enumerates all accounts in the LSA database of the system associated with the Policy object.</para> /// </param> /// <returns>An enumeration of security identifiers (SID) of accounts that holds the specified privilege.</returns> public static IEnumerable <PSID> LsaEnumerateAccountsWithUserRight(SafeLsaPolicyHandle PolicyHandle, string UserRights) { var ret = LsaEnumerateAccountsWithUserRight(PolicyHandle, UserRights, out SafeLsaMemoryHandle mem, out int cnt); if (ret == NTStatus.STATUS_NO_MORE_ENTRIES) { return(new PSID[0]); } var wret = LsaNtStatusToWinError(ret); wret.ThrowIfFailed(); return(mem.DangerousGetHandle().ToIEnum <LSA_ENUMERATION_INFORMATION>(cnt).Select(u => PSID.CreateFromPtr(u.Sid))); }
/// <summary>The LsaEnumerateAccountRights function enumerates the privileges assigned to an account.</summary> /// <param name="PolicyHandle"> /// A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle. /// </param> /// <param name="AccountSid">Pointer to the SID of the account for which to enumerate privileges.</param> /// <returns>An enumeration of strings containing the names of privileges held by the account. For a list of privilege names, see Privilege Constants.</returns> public static IEnumerable <string> LsaEnumerateAccountRights(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid) { SafeLsaMemoryHandle mem; uint cnt; var ret = LsaEnumerateAccountRights(PolicyHandle, AccountSid, out mem, out cnt); var winErr = LsaNtStatusToWinError(ret); if (winErr == Win32Error.ERROR_FILE_NOT_FOUND) { return(new string[0]); } if (winErr != 0) { throw new Win32Exception(winErr); } return(mem.DangerousGetHandle().ToIEnum <string, LSA_UNICODE_STRING>((int)cnt, u => (string)u.ToString().Clone())); }
/// <summary> /// The LsaEnumerateAccountsWithUserRight function returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a /// specified privilege. The accounts returned by this function hold the specified privilege directly through the user account, not as part of membership /// to a group. /// </summary> /// <param name="PolicyHandle"> /// A handle to a Policy object. The handle must have POLICY_LOOKUP_NAMES and POLICY_VIEW_LOCAL_INFORMATION user rights. For more information, see /// Opening a Policy Object Handle. /// </param> /// <param name="UserRights"> /// A string that specifies the name of a privilege. For a list of privileges, see Privilege Constants and Account Rights Constants. /// <para>If this parameter is NULL, the function enumerates all accounts in the LSA database of the system associated with the Policy object.</para> /// </param> /// <returns>An enumeration of security identifiers (SID) of accounts that holds the specified privilege.</returns> public static IEnumerable <PSID> LsaEnumerateAccountsWithUserRight(SafeLsaPolicyHandle PolicyHandle, string UserRights) { SafeLsaMemoryHandle mem; int cnt; var ret = LsaEnumerateAccountsWithUserRight(PolicyHandle, UserRights, out mem, out cnt); if (ret == STATUS_NO_MORE_ENTRIES) { return(new PSID[0]); } var wret = LsaNtStatusToWinError(ret); if (wret != 0) { throw new Win32Exception(wret); } return(mem.DangerousGetHandle().ToIEnum <PSID, LSA_ENUMERATION_INFORMATION>(cnt, u => PSID.Copy(u.Sid))); }
internal static unsafe uint LsaOpenPolicy( string?SystemName, ref OBJECT_ATTRIBUTES Attributes, int AccessMask, out SafeLsaPolicyHandle PolicyHandle) { UNICODE_STRING systemNameUnicode = default; if (SystemName != null) { fixed(char *c = SystemName) { systemNameUnicode.Length = checked ((ushort)(SystemName.Length * sizeof(char))); systemNameUnicode.MaximumLength = checked ((ushort)(SystemName.Length * sizeof(char))); systemNameUnicode.Buffer = (IntPtr)c; return(LsaOpenPolicy(ref systemNameUnicode, ref Attributes, AccessMask, out PolicyHandle)); } } else { return(LsaOpenPolicy(ref systemNameUnicode, ref Attributes, AccessMask, out PolicyHandle)); } }
/// <summary> /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources. /// </summary> public void Dispose() { handle = null; }
private static IdentityReferenceCollection TranslateToSids(IdentityReferenceCollection sourceAccounts, out bool someFailed) { if (sourceAccounts == null) { throw new ArgumentNullException(nameof(sourceAccounts)); } if (sourceAccounts.Count == 0) { throw new ArgumentException(SR.Arg_EmptyCollection, nameof(sourceAccounts)); } SafeLsaPolicyHandle LsaHandle = null; SafeLsaMemoryHandle ReferencedDomainsPtr = null; SafeLsaMemoryHandle SidsPtr = null; try { // // Construct an array of unicode strings // Interop.Advapi32.MARSHALLED_UNICODE_STRING[] Names = new Interop.Advapi32.MARSHALLED_UNICODE_STRING[sourceAccounts.Count]; int currentName = 0; foreach (IdentityReference id in sourceAccounts) { NTAccount nta = id as NTAccount; if (nta == null) { throw new ArgumentException(SR.Argument_ImproperType, nameof(sourceAccounts)); } Names[currentName].Buffer = nta.ToString(); if (Names[currentName].Buffer.Length * 2 + 2 > ushort.MaxValue) { // this should never happen since we are already validating account name length in constructor and // it is less than this limit Debug.Fail("NTAccount::TranslateToSids - source account name is too long."); throw new InvalidOperationException(); } Names[currentName].Length = (ushort)(Names[currentName].Buffer.Length * 2); Names[currentName].MaximumLength = (ushort)(Names[currentName].Length + 2); currentName++; } // // Open LSA policy (for lookup requires it) // LsaHandle = Win32.LsaOpenPolicy(null, PolicyRights.POLICY_LOOKUP_NAMES); // // Now perform the actual lookup // someFailed = false; uint ReturnCode; ReturnCode = Interop.Advapi32.LsaLookupNames2(LsaHandle, 0, sourceAccounts.Count, Names, out ReferencedDomainsPtr, out SidsPtr); // // Make a decision regarding whether it makes sense to proceed // based on the return code and the value of the forceSuccess argument // if (ReturnCode == Interop.StatusOptions.STATUS_NO_MEMORY || ReturnCode == Interop.StatusOptions.STATUS_INSUFFICIENT_RESOURCES) { throw new OutOfMemoryException(); } else if (ReturnCode == Interop.StatusOptions.STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } else if (ReturnCode == Interop.StatusOptions.STATUS_NONE_MAPPED || ReturnCode == Interop.StatusOptions.STATUS_SOME_NOT_MAPPED) { someFailed = true; } else if (ReturnCode != 0) { uint win32ErrorCode = Interop.Advapi32.LsaNtStatusToWinError(ReturnCode); if (unchecked ((int)win32ErrorCode) != Interop.Errors.ERROR_TRUSTED_RELATIONSHIP_FAILURE) { Debug.Fail($"Interop.LsaLookupNames(2) returned unrecognized error {win32ErrorCode}"); } throw new Win32Exception(unchecked ((int)win32ErrorCode)); } // // Interpret the results and generate SID objects // IdentityReferenceCollection Result = new IdentityReferenceCollection(sourceAccounts.Count); if (ReturnCode == 0 || ReturnCode == Interop.StatusOptions.STATUS_SOME_NOT_MAPPED) { SidsPtr.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf <Interop.LSA_TRANSLATED_SID2>()); Win32.InitializeReferencedDomainsPointer(ReferencedDomainsPtr); Interop.LSA_TRANSLATED_SID2[] translatedSids = new Interop.LSA_TRANSLATED_SID2[sourceAccounts.Count]; SidsPtr.ReadArray(0, translatedSids, 0, translatedSids.Length); for (int i = 0; i < sourceAccounts.Count; i++) { Interop.LSA_TRANSLATED_SID2 Lts = translatedSids[i]; // // Only some names are recognized as NTAccount objects // switch ((SidNameUse)Lts.Use) { case SidNameUse.User: case SidNameUse.Group: case SidNameUse.Alias: case SidNameUse.Computer: case SidNameUse.WellKnownGroup: Result.Add(new SecurityIdentifier(Lts.Sid, true)); break; default: someFailed = true; Result.Add(sourceAccounts[i]); break; } } } else { for (int i = 0; i < sourceAccounts.Count; i++) { Result.Add(sourceAccounts[i]); } } return(Result); } finally { LsaHandle?.Dispose(); ReferencedDomainsPtr?.Dispose(); SidsPtr?.Dispose(); } }
private void TranslateSids(string target, IntPtr[] pSids) { GlobalDebug.WriteLineIf(GlobalDebug.Info, "AuthZSet", "SidList: processing {0} SIDs", pSids.Length); // if there are no SIDs to translate return if (pSids.Length == 0) { return; } // Build the list of SIDs to resolve int sidCount = pSids.Length; // Translate the SIDs in bulk SafeLsaPolicyHandle policyHandle = null; SafeLsaMemoryHandle domainsHandle = null; SafeLsaMemoryHandle namesHandle = null; try { // // Get the policy handle // Interop.OBJECT_ATTRIBUTES oa = default; uint err = Interop.Advapi32.LsaOpenPolicy( target, ref oa, (int)Interop.Advapi32.PolicyRights.POLICY_LOOKUP_NAMES, out policyHandle); if (err != 0) { GlobalDebug.WriteLineIf(GlobalDebug.Warn, "AuthZSet", "SidList: couldn't get policy handle, err={0}", err); throw new PrincipalOperationException(SR.Format( SR.AuthZErrorEnumeratingGroups, Interop.Advapi32.LsaNtStatusToWinError(err))); } Debug.Assert(!policyHandle.IsInvalid); // // Translate the SIDs // err = Interop.Advapi32.LsaLookupSids( policyHandle, sidCount, pSids, out domainsHandle, out namesHandle); // Ignore error STATUS_SOME_NOT_MAPPED and STATUS_NONE_MAPPED if (err != Interop.StatusOptions.STATUS_SUCCESS && err != Interop.StatusOptions.STATUS_SOME_NOT_MAPPED && err != Interop.StatusOptions.STATUS_NONE_MAPPED) { GlobalDebug.WriteLineIf(GlobalDebug.Warn, "AuthZSet", "SidList: LsaLookupSids failed, err={0}", err); throw new PrincipalOperationException(SR.Format( SR.AuthZErrorEnumeratingGroups, Interop.Advapi32.LsaNtStatusToWinError(err))); } // // Get the group names in managed form // namesHandle.Initialize((uint)sidCount, (uint)Marshal.SizeOf <Interop.LSA_TRANSLATED_NAME>()); Interop.LSA_TRANSLATED_NAME[] names = new Interop.LSA_TRANSLATED_NAME[sidCount]; namesHandle.ReadArray(0, names, 0, names.Length); // // Get the domain names in managed form // domainsHandle.InitializeReferencedDomainsList(); Interop.LSA_REFERENCED_DOMAIN_LIST domainList = domainsHandle.Read <Interop.LSA_REFERENCED_DOMAIN_LIST>(0); // Extract LSA_REFERENCED_DOMAIN_LIST.Entries int domainCount = domainList.Entries; // Extract LSA_REFERENCED_DOMAIN_LIST.Domains, by iterating over the array and marshalling // each native LSA_TRUST_INFORMATION into a managed LSA_TRUST_INFORMATION. Interop.LSA_TRUST_INFORMATION[] domains = new Interop.LSA_TRUST_INFORMATION[domainCount]; IntPtr pCurrentDomain = domainList.Domains; for (int i = 0; i < domainCount; i++) { domains[i] = (Interop.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(pCurrentDomain, typeof(Interop.LSA_TRUST_INFORMATION)); pCurrentDomain = new IntPtr(pCurrentDomain.ToInt64() + Marshal.SizeOf(typeof(Interop.LSA_TRUST_INFORMATION))); } GlobalDebug.WriteLineIf(GlobalDebug.Info, "AuthZSet", "SidList: got {0} groups in {1} domains", sidCount, domainCount); // // Build the list of entries // Debug.Assert(names.Length == sidCount); for (int i = 0; i < names.Length; i++) { Interop.LSA_TRANSLATED_NAME name = names[i]; // Build an entry. Note that LSA_UNICODE_STRING.length is in bytes, // while PtrToStringUni expects a length in characters. SidListEntry entry = new SidListEntry(); Debug.Assert(name.Name.Length % 2 == 0); entry.name = Marshal.PtrToStringUni(name.Name.Buffer, name.Name.Length / 2); // Get the domain associated with this name Debug.Assert(name.DomainIndex < domains.Length); if (name.DomainIndex >= 0) { Interop.LSA_TRUST_INFORMATION domain = domains[name.DomainIndex]; Debug.Assert(domain.Name.Length % 2 == 0); entry.sidIssuerName = Marshal.PtrToStringUni(domain.Name.Buffer, domain.Name.Length / 2); } entry.pSid = pSids[i]; _entries.Add(entry); } // Sort the list so they are oriented by the issuer name. // this.entries.Sort( new SidListComparer()); } finally { if (domainsHandle != null) { domainsHandle.Dispose(); } if (namesHandle != null) { namesHandle.Dispose(); } if (policyHandle != null) { policyHandle.Dispose(); } } }
internal static extern uint LsaOpenPolicy(string systemName, ref LSA_OBJECT_ATTRIBUTES attributes, int accessMask, out SafeLsaPolicyHandle handle);
[System.Security.SecurityCritical] // auto-generated private static IdentityReferenceCollection TranslateToSids(IdentityReferenceCollection sourceAccounts, out bool someFailed) { if (sourceAccounts == null) { throw new ArgumentNullException("sourceAccounts"); } if (sourceAccounts.Count == 0) { throw new ArgumentException(Environment.GetResourceString("Arg_EmptyCollection"), "sourceAccounts"); } Contract.EndContractBlock(); SafeLsaPolicyHandle LsaHandle = SafeLsaPolicyHandle.InvalidHandle; SafeLsaMemoryHandle ReferencedDomainsPtr = SafeLsaMemoryHandle.InvalidHandle; SafeLsaMemoryHandle SidsPtr = SafeLsaMemoryHandle.InvalidHandle; try { // // Construct an array of unicode strings // Win32Native.UNICODE_STRING[] Names = new Win32Native.UNICODE_STRING[sourceAccounts.Count]; int currentName = 0; foreach (IdentityReference id in sourceAccounts) { NTAccount nta = id as NTAccount; if (nta == null) { throw new ArgumentException(Environment.GetResourceString("Argument_ImproperType"), "sourceAccounts"); } Names[currentName].Buffer = nta.ToString(); if (Names[currentName].Buffer.Length * 2 + 2 > ushort.MaxValue) { // this should never happen since we are already validating account name length in constructor and // it is less than this limit Contract.Assert(false, "NTAccount::TranslateToSids - source account name is too long."); throw new SystemException(); } Names[currentName].Length = (ushort)(Names[currentName].Buffer.Length * 2); Names[currentName].MaximumLength = (ushort)(Names[currentName].Length + 2); currentName++; } // // Open LSA policy (for lookup requires it) // LsaHandle = Win32.LsaOpenPolicy(null, PolicyRights.POLICY_LOOKUP_NAMES); // // Now perform the actual lookup // someFailed = false; uint ReturnCode; if (Win32.LsaLookupNames2Supported) { ReturnCode = Win32Native.LsaLookupNames2(LsaHandle, 0, sourceAccounts.Count, Names, ref ReferencedDomainsPtr, ref SidsPtr); } else { ReturnCode = Win32Native.LsaLookupNames(LsaHandle, sourceAccounts.Count, Names, ref ReferencedDomainsPtr, ref SidsPtr); } // // Make a decision regarding whether it makes sense to proceed // based on the return code and the value of the forceSuccess argument // if (ReturnCode == Win32Native.STATUS_NO_MEMORY || ReturnCode == Win32Native.STATUS_INSUFFICIENT_RESOURCES) { throw new OutOfMemoryException(); } else if (ReturnCode == Win32Native.STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } else if (ReturnCode == Win32Native.STATUS_NONE_MAPPED || ReturnCode == Win32Native.STATUS_SOME_NOT_MAPPED) { someFailed = true; } else if (ReturnCode != 0) { int win32ErrorCode = Win32Native.LsaNtStatusToWinError(unchecked ((int)ReturnCode)); if (win32ErrorCode != Win32Native.ERROR_TRUSTED_RELATIONSHIP_FAILURE) { Contract.Assert(false, string.Format(CultureInfo.InvariantCulture, "Win32Native.LsaLookupNames(2) returned unrecognized error {0}", win32ErrorCode)); } throw new SystemException(Win32Native.GetMessage(win32ErrorCode)); } // // Interpret the results and generate SID objects // IdentityReferenceCollection Result = new IdentityReferenceCollection(sourceAccounts.Count); if (ReturnCode == 0 || ReturnCode == Win32Native.STATUS_SOME_NOT_MAPPED) { if (Win32.LsaLookupNames2Supported) { SidsPtr.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID2))); Win32.InitializeReferencedDomainsPointer(ReferencedDomainsPtr); Win32Native.LSA_TRANSLATED_SID2[] translatedSids = new Win32Native.LSA_TRANSLATED_SID2[sourceAccounts.Count]; SidsPtr.ReadArray(0, translatedSids, 0, translatedSids.Length); for (int i = 0; i < sourceAccounts.Count; i++) { Win32Native.LSA_TRANSLATED_SID2 Lts = translatedSids[i]; // // Only some names are recognized as NTAccount objects // switch ((SidNameUse)Lts.Use) { case SidNameUse.User: case SidNameUse.Group: case SidNameUse.Alias: case SidNameUse.Computer: case SidNameUse.WellKnownGroup: Result.Add(new SecurityIdentifier(Lts.Sid, true)); break; default: someFailed = true; Result.Add(sourceAccounts[i]); break; } } } else { SidsPtr.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID))); Win32.InitializeReferencedDomainsPointer(ReferencedDomainsPtr); Win32Native.LSA_REFERENCED_DOMAIN_LIST rdl = ReferencedDomainsPtr.Read <Win32Native.LSA_REFERENCED_DOMAIN_LIST>(0); SecurityIdentifier[] ReferencedDomains = new SecurityIdentifier[rdl.Entries]; for (int i = 0; i < rdl.Entries; i++) { Win32Native.LSA_TRUST_INFORMATION ti = (Win32Native.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(new IntPtr(( long )rdl.Domains + i * Marshal.SizeOf(typeof(Win32Native.LSA_TRUST_INFORMATION))), typeof(Win32Native.LSA_TRUST_INFORMATION)); ReferencedDomains[i] = new SecurityIdentifier(ti.Sid, true); } Win32Native.LSA_TRANSLATED_SID[] translatedSids = new Win32Native.LSA_TRANSLATED_SID[sourceAccounts.Count]; SidsPtr.ReadArray(0, translatedSids, 0, translatedSids.Length); for (int i = 0; i < sourceAccounts.Count; i++) { Win32Native.LSA_TRANSLATED_SID Lts = translatedSids[i]; switch ((SidNameUse)Lts.Use) { case SidNameUse.User: case SidNameUse.Group: case SidNameUse.Alias: case SidNameUse.Computer: case SidNameUse.WellKnownGroup: Result.Add(new SecurityIdentifier(ReferencedDomains[Lts.DomainIndex], Lts.Rid)); break; default: someFailed = true; Result.Add(sourceAccounts[i]); break; } } } } else { for (int i = 0; i < sourceAccounts.Count; i++) { Result.Add(sourceAccounts[i]); } } return(Result); } finally { LsaHandle.Dispose(); ReferencedDomainsPtr.Dispose(); SidsPtr.Dispose(); } }
private static IdentityReferenceCollection TranslateToNTAccounts(IdentityReferenceCollection sourceSids, out bool someFailed) { if (sourceSids == null) { throw new ArgumentNullException("sourceSids"); } if (sourceSids.Count == 0) { throw new ArgumentException(SR.Arg_EmptyCollection, "sourceSids"); } Contract.EndContractBlock(); IntPtr[] SidArrayPtr = new IntPtr[sourceSids.Count]; GCHandle[] HandleArray = new GCHandle[sourceSids.Count]; SafeLsaPolicyHandle LsaHandle = SafeLsaPolicyHandle.InvalidHandle; SafeLsaMemoryHandle ReferencedDomainsPtr = SafeLsaMemoryHandle.InvalidHandle; SafeLsaMemoryHandle NamesPtr = SafeLsaMemoryHandle.InvalidHandle; try { // // Pin all elements in the array of SIDs // int currentSid = 0; foreach (IdentityReference id in sourceSids) { SecurityIdentifier sid = id as SecurityIdentifier; if (sid == null) { throw new ArgumentException(SR.Argument_ImproperType, "sourceSids"); } HandleArray[currentSid] = GCHandle.Alloc(sid.BinaryForm, GCHandleType.Pinned); SidArrayPtr[currentSid] = HandleArray[currentSid].AddrOfPinnedObject(); currentSid++; } // // Open LSA policy (for lookup requires it) // LsaHandle = Win32.LsaOpenPolicy(null, PolicyRights.POLICY_LOOKUP_NAMES); // // Perform the actual lookup // someFailed = false; uint ReturnCode; ReturnCode = Interop.mincore.LsaLookupSids(LsaHandle, sourceSids.Count, SidArrayPtr, ref ReferencedDomainsPtr, ref NamesPtr); // // Make a decision regarding whether it makes sense to proceed // based on the return code and the value of the forceSuccess argument // if (ReturnCode == Interop.StatusOptions.STATUS_NO_MEMORY || ReturnCode == Interop.StatusOptions.STATUS_INSUFFICIENT_RESOURCES) { throw new OutOfMemoryException(); } else if (ReturnCode == Interop.StatusOptions.STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } else if (ReturnCode == Interop.StatusOptions.STATUS_NONE_MAPPED || ReturnCode == Interop.StatusOptions.STATUS_SOME_NOT_MAPPED) { someFailed = true; } else if (ReturnCode != 0) { int win32ErrorCode = Interop.mincore.RtlNtStatusToDosError(unchecked ((int)ReturnCode)); Debug.Assert(false, string.Format(CultureInfo.InvariantCulture, "Interop.LsaLookupSids returned {0}", win32ErrorCode)); throw new Win32Exception(win32ErrorCode); } NamesPtr.Initialize((uint)sourceSids.Count, (uint)Marshal.SizeOf <Interop.LSA_TRANSLATED_NAME>()); Win32.InitializeReferencedDomainsPointer(ReferencedDomainsPtr); // // Interpret the results and generate NTAccount objects // IdentityReferenceCollection Result = new IdentityReferenceCollection(sourceSids.Count); if (ReturnCode == 0 || ReturnCode == Interop.StatusOptions.STATUS_SOME_NOT_MAPPED) { // // Interpret the results and generate NT Account objects // Interop.LSA_REFERENCED_DOMAIN_LIST rdl = ReferencedDomainsPtr.Read <Interop.LSA_REFERENCED_DOMAIN_LIST>(0); string[] ReferencedDomains = new string[rdl.Entries]; for (int i = 0; i < rdl.Entries; i++) { Interop.LSA_TRUST_INFORMATION ti = (Interop.LSA_TRUST_INFORMATION)Marshal.PtrToStructure <Interop.LSA_TRUST_INFORMATION>(new IntPtr((long)rdl.Domains + i * Marshal.SizeOf <Interop.LSA_TRUST_INFORMATION>())); ReferencedDomains[i] = Marshal.PtrToStringUni(ti.Name.Buffer, ti.Name.Length / sizeof(char)); } Interop.LSA_TRANSLATED_NAME[] translatedNames = new Interop.LSA_TRANSLATED_NAME[sourceSids.Count]; NamesPtr.ReadArray(0, translatedNames, 0, translatedNames.Length); for (int i = 0; i < sourceSids.Count; i++) { Interop.LSA_TRANSLATED_NAME Ltn = translatedNames[i]; switch ((SidNameUse)Ltn.Use) { case SidNameUse.User: case SidNameUse.Group: case SidNameUse.Alias: case SidNameUse.Computer: case SidNameUse.WellKnownGroup: string account = Marshal.PtrToStringUni(Ltn.Name.Buffer, Ltn.Name.Length / sizeof(char));; string domain = ReferencedDomains[Ltn.DomainIndex]; Result.Add(new NTAccount(domain, account)); break; default: someFailed = true; Result.Add(sourceSids[i]); break; } } } else { for (int i = 0; i < sourceSids.Count; i++) { Result.Add(sourceSids[i]); } } return(Result); } finally { for (int i = 0; i < sourceSids.Count; i++) { if (HandleArray[i].IsAllocated) { HandleArray[i].Free(); } } LsaHandle.Dispose(); ReferencedDomainsPtr.Dispose(); NamesPtr.Dispose(); } }
private void SetSystemAccess(SafeLsaPolicyHandle hAcct, AccountLogonRights rights) { var cur = GetSystemAccess(hAcct); ThrowIfLsaError(LsaSetSystemAccessAccount(hAcct, (int)(cur | rights))); }
private static IdentityReferenceCollection TranslateToSids(IdentityReferenceCollection sourceAccounts, out bool someFailed) { IdentityReferenceCollection references2; if (sourceAccounts == null) { throw new ArgumentNullException("sourceAccounts"); } if (sourceAccounts.Count == 0) { throw new ArgumentException(Environment.GetResourceString("Arg_EmptyCollection"), "sourceAccounts"); } SafeLsaPolicyHandle invalidHandle = SafeLsaPolicyHandle.InvalidHandle; SafeLsaMemoryHandle referencedDomains = SafeLsaMemoryHandle.InvalidHandle; SafeLsaMemoryHandle sids = SafeLsaMemoryHandle.InvalidHandle; try { uint num2; Win32Native.UNICODE_STRING[] names = new Win32Native.UNICODE_STRING[sourceAccounts.Count]; int index = 0; foreach (IdentityReference reference in sourceAccounts) { NTAccount account = reference as NTAccount; if (account == null) { throw new ArgumentException(Environment.GetResourceString("Argument_ImproperType"), "sourceAccounts"); } names[index].Buffer = account.ToString(); if (((names[index].Buffer.Length * 2) + 2) > 0xffff) { throw new SystemException(); } names[index].Length = (ushort)(names[index].Buffer.Length * 2); names[index].MaximumLength = (ushort)(names[index].Length + 2); index++; } invalidHandle = Win32.LsaOpenPolicy(null, PolicyRights.POLICY_LOOKUP_NAMES); someFailed = false; if (Win32.LsaLookupNames2Supported) { num2 = Win32Native.LsaLookupNames2(invalidHandle, 0, sourceAccounts.Count, names, ref referencedDomains, ref sids); } else { num2 = Win32Native.LsaLookupNames(invalidHandle, sourceAccounts.Count, names, ref referencedDomains, ref sids); } if ((num2 == 0xc0000017) || (num2 == 0xc000009a)) { throw new OutOfMemoryException(); } if (num2 == 0xc0000022) { throw new UnauthorizedAccessException(); } if ((num2 == 0xc0000073) || (num2 == 0x107)) { someFailed = true; } else if (num2 != 0) { int errorCode = Win32Native.LsaNtStatusToWinError((int)num2); throw new SystemException(Win32Native.GetMessage(errorCode)); } IdentityReferenceCollection references = new IdentityReferenceCollection(sourceAccounts.Count); switch (num2) { case 0: case 0x107: if (Win32.LsaLookupNames2Supported) { sids.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID2))); Win32.InitializeReferencedDomainsPointer(referencedDomains); Win32Native.LSA_TRANSLATED_SID2[] array = new Win32Native.LSA_TRANSLATED_SID2[sourceAccounts.Count]; sids.ReadArray <Win32Native.LSA_TRANSLATED_SID2>(0L, array, 0, array.Length); for (int i = 0; i < sourceAccounts.Count; i++) { Win32Native.LSA_TRANSLATED_SID2 lsa_translated_sid = array[i]; switch (lsa_translated_sid.Use) { case 1: case 2: case 4: case 5: case 9: { references.Add(new SecurityIdentifier(lsa_translated_sid.Sid, true)); continue; } } someFailed = true; references.Add(sourceAccounts[i]); } } else { sids.Initialize((uint)sourceAccounts.Count, (uint)Marshal.SizeOf(typeof(Win32Native.LSA_TRANSLATED_SID))); Win32.InitializeReferencedDomainsPointer(referencedDomains); Win32Native.LSA_REFERENCED_DOMAIN_LIST lsa_referenced_domain_list = referencedDomains.Read <Win32Native.LSA_REFERENCED_DOMAIN_LIST>(0L); SecurityIdentifier[] identifierArray = new SecurityIdentifier[lsa_referenced_domain_list.Entries]; for (int j = 0; j < lsa_referenced_domain_list.Entries; j++) { Win32Native.LSA_TRUST_INFORMATION lsa_trust_information = (Win32Native.LSA_TRUST_INFORMATION)Marshal.PtrToStructure(new IntPtr(((long)lsa_referenced_domain_list.Domains) + (j * Marshal.SizeOf(typeof(Win32Native.LSA_TRUST_INFORMATION)))), typeof(Win32Native.LSA_TRUST_INFORMATION)); identifierArray[j] = new SecurityIdentifier(lsa_trust_information.Sid, true); } Win32Native.LSA_TRANSLATED_SID[] lsa_translated_sidArray2 = new Win32Native.LSA_TRANSLATED_SID[sourceAccounts.Count]; sids.ReadArray <Win32Native.LSA_TRANSLATED_SID>(0L, lsa_translated_sidArray2, 0, lsa_translated_sidArray2.Length); for (int k = 0; k < sourceAccounts.Count; k++) { Win32Native.LSA_TRANSLATED_SID lsa_translated_sid2 = lsa_translated_sidArray2[k]; switch (lsa_translated_sid2.Use) { case 1: case 2: case 4: case 5: case 9: { references.Add(new SecurityIdentifier(identifierArray[lsa_translated_sid2.DomainIndex], lsa_translated_sid2.Rid)); continue; } } someFailed = true; references.Add(sourceAccounts[k]); } } break; default: for (int m = 0; m < sourceAccounts.Count; m++) { references.Add(sourceAccounts[m]); } break; } references2 = references; } finally { invalidHandle.Dispose(); referencedDomains.Dispose(); sids.Dispose(); } return(references2); }
public static partial uint LsaSetForestTrustInformation(SafeLsaPolicyHandle handle, in global::Interop.UNICODE_STRING target, IntPtr forestTrustInfo, int checkOnly, out IntPtr collisionInfo);
public static extern uint LsaSetSystemAccessAccount(SafeLsaPolicyHandle AccountHandle, int SystemAccess);
public static extern uint LsaOpenPolicy( [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringMarshaler))] string SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, LsaPolicyRights DesiredAccess, out SafeLsaPolicyHandle PolicyHandle);
public static extern uint LsaOpenAccount(SafeLsaPolicyHandle PolicyHandle, PSID AccountSid, LsaAccountAccessMask DesiredAccess, out SafeLsaPolicyHandle AccountHandle);
public static extern uint LsaAddAccountRights( SafeLsaPolicyHandle PolicyHandle, PSID pSID, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringArrayMarshaler))] string[] UserRights, int CountOfRights);
public static extern uint LsaEnumerateAccountRights( SafeLsaPolicyHandle PolicyHandle, PSID AccountSid, out SafeLsaMemoryHandle UserRights, out uint CountOfRights);
public static extern uint LsaEnumerateAccountsWithUserRight( SafeLsaPolicyHandle PolicyHandle, [In, MarshalAs(UnmanagedType.CustomMarshaler, MarshalTypeRef = typeof(LsaUnicodeStringMarshaler))] string UserRights, out SafeLsaMemoryHandle EnumerationBuffer, out int CountReturned);