/// <summary> /// The LookupPrivilegeValue method is invoked to map the name of a privilege /// into a locally unique identifier (luid) by which it is known on the server. /// The locally unique value of the privilege can then be used in subsequent calls /// to other methods, such as LsarAddPrivilegesToAccount. /// </summary> /// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param> /// <param name="name">It is for validating the privilege name passed in </param> /// <param name="privilegeName">Contains privilege name </param> /// <param name="luid">Out param contains valid or invalid /// luid of the passed in privilege name </param> /// <returns>Returns Success if the method is successful /// Returns AccessDenied if the caller does not have the permissions to /// perform this operation /// Returns InvalidHandle if the passed in is a valid object handle /// Returns InvalidParameter if one or more of the supplied parameters was invalid /// Returns NoSuchPrivilege if the privilege name is not recognized by the server</returns> public ErrorStatus LookupPrivilegeValue( int handleInput, ValidString name, string privilegeName, out PrivilegeLUID luid) { _RPC_UNICODE_STRING inputPrivilegeName = new _RPC_UNICODE_STRING(); Hashtable htPrivilegeNameNLUID = new Hashtable(); _LUID?outputPrivilegeLUID = new _LUID(); utilities.privilegeInformation(ref htPrivilegeNameNLUID); if (name == ValidString.Invalid) { utilities.nameOfPrivilege(PrivilegeType.InValid, ref inputPrivilegeName); inputPrivilegeName.Length = (ushort)((2 * inputPrivilegeName.Buffer.Length) + 1); inputPrivilegeName.MaximumLength = (ushort)(inputPrivilegeName.Length + 2); } else if (stPolicyInformation.PHandle != handleInput) { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName); utilities.inValidHandle(); } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName); } else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName)) { utilities.nameOfPrivilege(PrivilegeType.NoSuchPrivilege, ref inputPrivilegeName); } else { utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName); } uintMethodStatus = lsadClientStack.LsarLookupPrivilegeValue( PolicyHandle.Value, inputPrivilegeName, out outputPrivilegeLUID); luid = (outputPrivilegeLUID.Value.HighPart == 0 & outputPrivilegeLUID.Value.LowPart == 0) ? PrivilegeLUID.Invalid : PrivilegeLUID.Valid; if (name == ValidString.Invalid) { #region MS-LSAD_R807 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidParameter, (uint)uintMethodStatus, "MS-LSAD", 807, @"In LsarLookupPrivilegeValue method server MUST return STATUS_INVALID_PARAMETER if One or more of the supplied parameters was invalid."); #endregion } else if (stPolicyInformation.PHandle != handleInput) { #region MS-LSAD_R804 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 804, @"In LsarLookupPrivilegeValue method,If PolicyHandle is not a valid context handle to the policy object, the server MUST return STATUS_INVALID_HANDLE."); #endregion lsadClientStack.LsarDeleteObject(ref PolicyHandle); PolicyHandle = utilities.tempPolicyHandle; } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { #region MS-LSAD_R805 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 805, @"In PolicyHandle parameter of LsarLookupPrivilegeValue method, server MUST verify that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise"); #endregion } else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName)) { #region MS-LSAD_R806 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.NoSuchPrivilege, (uint)uintMethodStatus, "MS-LSAD", 806, @"In LsarLookupPrivilegeValue method , If the value in the Name argument is not recognized by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE"); #endregion } else { htPrivilegeNameNLUID.Clear(); #region MS-LSAD_R808 if ((uint)ErrorStatus.Success == (uint)uintMethodStatus) { Site.CaptureRequirement( "MS-LSAD", 808, @"In LsarLookupPrivilegeValue method server MUST return STATUS_SUCCESS if request is successfully completed."); } #endregion } return((ErrorStatus)uintMethodStatus); }
/// <summary> /// The LookupPrivilegeName method is invoked to map the luid of a privilege /// into a string name by which it is known on the server. /// </summary> /// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param> /// <param name="luid">It is for validating the privilege luid passed in </param> /// <param name="privilegeLuid">Contains privilege luid </param> /// <param name="privilegeName">Out param contains valid or invalid /// privilegeName of the passed in privilege luid </param> /// <returns>Returns Success if the method is successful /// Returns AccessDenied if the caller does not have the permissions to /// perform this operation /// Returns InvalidHandle if the passed in is a valid object handle /// Returns InvalidParameter if one or more of the supplied parameters was invalid /// Returns NoSuchPrivilege if the privilege luid is not recognized by the server</returns> public ErrorStatus LookupPrivilegeName( int handleInput, PrivilegeLUID luid, string privilegeLuid, out ValidString privilegeName) { _RPC_UNICODE_STRING?outputPrivilegeName = new _RPC_UNICODE_STRING(); _RPC_UNICODE_STRING outputComparePrivilegeName = new _RPC_UNICODE_STRING(); _LUID[] inputPrivilegeLUID = new _LUID[1]; Hashtable htPrivilegeNameNLUID = new Hashtable(); string nameOfPrivilege = string.Empty; char[] charNameOfPrivilege = new char[25]; bool isEqual = false; nameOfPrivilege = PrivilegeName; charNameOfPrivilege = nameOfPrivilege.ToCharArray(); outputComparePrivilegeName.Buffer = new ushort[nameOfPrivilege.Length]; Array.Copy(charNameOfPrivilege, outputComparePrivilegeName.Buffer, charNameOfPrivilege.Length); outputComparePrivilegeName.Length = (ushort)(2 * outputComparePrivilegeName.Buffer.Length); outputComparePrivilegeName.MaximumLength = (ushort)(outputComparePrivilegeName.Length + 2); utilities.privilegeInformation(ref htPrivilegeNameNLUID); if (luid == PrivilegeLUID.Invalid) { utilities.valuesOfLUID(PrivilegeLUID.Invalid, ref inputPrivilegeLUID); inputPrivilegeLUID[0].LowPart = 56; inputPrivilegeLUID[0].HighPart = 0; } else if (stPolicyInformation.PHandle != handleInput) { utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID); utilities.inValidHandle(); } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID); } else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid)) { utilities.valuesOfLUID(PrivilegeLUID.NotPresentLuid, ref inputPrivilegeLUID); } else { utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID); } uintMethodStatus = lsadClientStack.LsarLookupPrivilegeName( PolicyHandle.Value, inputPrivilegeLUID[0], out outputPrivilegeName); if (outputPrivilegeName != null) { isEqual = utilities.CheckTheRpcStrings(outputPrivilegeName.Value, outputComparePrivilegeName); if (isEqual) { privilegeName = ValidString.Valid; } else { privilegeName = ValidString.Invalid; } } else { privilegeName = (outputPrivilegeName == null) ? ValidString.Invalid : ValidString.Valid; } if (!(luid == PrivilegeLUID.Invalid)) { if (stPolicyInformation.PHandle != handleInput) { #region MS-LSAD_R809 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.InvalidHandle, (uint)uintMethodStatus, "MS-LSAD", 809, @"In LsarLookupPrivilegeName method ,If PolicyHandle is not a valid context handle to the policy object, the server MUST return STATUS_INVALID_HANDLE"); #endregion lsadClientStack.LsarDeleteObject(ref PolicyHandle); PolicyHandle = utilities.tempPolicyHandle; } else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES) { #region MS-LSAD_R810 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.AccessDenied, (uint)uintMethodStatus, "MS-LSAD", 810, @"In PolicyHandle parameter of LsarLookupPrivilegeName method, server MUST verify that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise."); #endregion } else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid)) { #region MS-LSAD_R811 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.NoSuchPrivilege, (uint)uintMethodStatus, "MS-LSAD", 811, @"In LsarLookupPrivilegeName method,If the LUID in the Value argument is not recognized by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE"); #endregion } else { htPrivilegeNameNLUID.Clear(); #region MS-LSAD_R813 Site.CaptureRequirementIfAreEqual <uint>( (uint)ErrorStatus.Success, (uint)uintMethodStatus, "MS-LSAD", 813, @"In LsarLookupPrivilegeName method server MUST return STATUS_SUCCESS if request is successfully completed."); #endregion } } return((ErrorStatus)uintMethodStatus); }