/// <summary>
/// The LookupPrivilegeValue method is invoked to map the name of a privilege
/// into a locally unique identifier (luid) by which it is known on the server.
/// The locally unique value of the privilege can then be used in subsequent calls
/// to other methods, such as LsarAddPrivilegesToAccount.
/// </summary>
/// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param>
/// <param name="name">It is for validating the privilege name passed in </param>
/// <param name="privilegeName">Contains privilege name </param>
/// <param name="luid">Out param contains valid or invalid
/// luid of the passed in privilege name </param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to
/// perform this operation
/// Returns InvalidHandle if the passed in is a valid object handle
/// Returns InvalidParameter if one or more of the supplied parameters was invalid
/// Returns NoSuchPrivilege if the privilege name is not recognized by the server</returns>
public ErrorStatus LookupPrivilegeValue(
int handleInput,
ValidString name,
string privilegeName,
out PrivilegeLUID luid)
{
_RPC_UNICODE_STRING inputPrivilegeName = new _RPC_UNICODE_STRING();
Hashtable htPrivilegeNameNLUID = new Hashtable();
_LUID?outputPrivilegeLUID = new _LUID();
utilities.privilegeInformation(ref htPrivilegeNameNLUID);
if (name == ValidString.Invalid)
{
utilities.nameOfPrivilege(PrivilegeType.InValid, ref inputPrivilegeName);
inputPrivilegeName.Length = (ushort)((2 * inputPrivilegeName.Buffer.Length) + 1);
inputPrivilegeName.MaximumLength = (ushort)(inputPrivilegeName.Length + 2);
}
else if (stPolicyInformation.PHandle != handleInput)
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName);
utilities.inValidHandle();
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName);
}
else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName))
{
utilities.nameOfPrivilege(PrivilegeType.NoSuchPrivilege, ref inputPrivilegeName);
}
else
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName);
}
uintMethodStatus = lsadClientStack.LsarLookupPrivilegeValue(
PolicyHandle.Value,
inputPrivilegeName,
out outputPrivilegeLUID);
luid = (outputPrivilegeLUID.Value.HighPart == 0 & outputPrivilegeLUID.Value.LowPart == 0)
? PrivilegeLUID.Invalid : PrivilegeLUID.Valid;
if (name == ValidString.Invalid)
{
#region MS-LSAD_R807
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
807,
@"In LsarLookupPrivilegeValue method server MUST return STATUS_INVALID_PARAMETER
if One or more of the supplied parameters was invalid.");
#endregion
}
else if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R804
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
804,
@"In LsarLookupPrivilegeValue method,If PolicyHandle is not a valid context handle
to the policy object, the server MUST return STATUS_INVALID_HANDLE.");
#endregion
lsadClientStack.LsarDeleteObject(ref PolicyHandle);
PolicyHandle = utilities.tempPolicyHandle;
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
#region MS-LSAD_R805
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
805,
@"In PolicyHandle parameter of LsarLookupPrivilegeValue method, server MUST verify
that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise");
#endregion
}
else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName))
{
#region MS-LSAD_R806
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.NoSuchPrivilege,
(uint)uintMethodStatus,
"MS-LSAD",
806,
@"In LsarLookupPrivilegeValue method , If the value in the Name argument is not
recognized by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE");
#endregion
}
else
{
htPrivilegeNameNLUID.Clear();
#region MS-LSAD_R808
if ((uint)ErrorStatus.Success == (uint)uintMethodStatus)
{
Site.CaptureRequirement(
"MS-LSAD",
808,
@"In LsarLookupPrivilegeValue method server MUST return STATUS_SUCCESS
if request is successfully completed.");
}
#endregion
}
return((ErrorStatus)uintMethodStatus);
}
internal static extern bool LookupPrivilegeValue(
string host,
string name,
out _LUID pLuid);
/// <summary>
/// The LookupPrivilegeName method is invoked to map the luid of a privilege
/// into a string name by which it is known on the server.
/// </summary>
/// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param>
/// <param name="luid">It is for validating the privilege luid passed in </param>
/// <param name="privilegeLuid">Contains privilege luid </param>
/// <param name="privilegeName">Out param contains valid or invalid
/// privilegeName of the passed in privilege luid </param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to
/// perform this operation
/// Returns InvalidHandle if the passed in is a valid object handle
/// Returns InvalidParameter if one or more of the supplied parameters was invalid
/// Returns NoSuchPrivilege if the privilege luid is not recognized by the server</returns>
public ErrorStatus LookupPrivilegeName(
int handleInput,
PrivilegeLUID luid,
string privilegeLuid,
out ValidString privilegeName)
{
_RPC_UNICODE_STRING?outputPrivilegeName = new _RPC_UNICODE_STRING();
_RPC_UNICODE_STRING outputComparePrivilegeName = new _RPC_UNICODE_STRING();
_LUID[] inputPrivilegeLUID = new _LUID[1];
Hashtable htPrivilegeNameNLUID = new Hashtable();
string nameOfPrivilege = string.Empty;
char[] charNameOfPrivilege = new char[25];
bool isEqual = false;
nameOfPrivilege = PrivilegeName;
charNameOfPrivilege = nameOfPrivilege.ToCharArray();
outputComparePrivilegeName.Buffer = new ushort[nameOfPrivilege.Length];
Array.Copy(charNameOfPrivilege, outputComparePrivilegeName.Buffer, charNameOfPrivilege.Length);
outputComparePrivilegeName.Length = (ushort)(2 * outputComparePrivilegeName.Buffer.Length);
outputComparePrivilegeName.MaximumLength = (ushort)(outputComparePrivilegeName.Length + 2);
utilities.privilegeInformation(ref htPrivilegeNameNLUID);
if (luid == PrivilegeLUID.Invalid)
{
utilities.valuesOfLUID(PrivilegeLUID.Invalid, ref inputPrivilegeLUID);
inputPrivilegeLUID[0].LowPart = 56;
inputPrivilegeLUID[0].HighPart = 0;
}
else if (stPolicyInformation.PHandle != handleInput)
{
utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID);
utilities.inValidHandle();
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID);
}
else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid))
{
utilities.valuesOfLUID(PrivilegeLUID.NotPresentLuid, ref inputPrivilegeLUID);
}
else
{
utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID);
}
uintMethodStatus = lsadClientStack.LsarLookupPrivilegeName(
PolicyHandle.Value,
inputPrivilegeLUID[0],
out outputPrivilegeName);
if (outputPrivilegeName != null)
{
isEqual = utilities.CheckTheRpcStrings(outputPrivilegeName.Value, outputComparePrivilegeName);
if (isEqual)
{
privilegeName = ValidString.Valid;
}
else
{
privilegeName = ValidString.Invalid;
}
}
else
{
privilegeName = (outputPrivilegeName == null) ? ValidString.Invalid : ValidString.Valid;
}
if (!(luid == PrivilegeLUID.Invalid))
{
if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R809
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
809,
@"In LsarLookupPrivilegeName method ,If PolicyHandle is not a valid context handle to
the policy object, the server MUST return STATUS_INVALID_HANDLE");
#endregion
lsadClientStack.LsarDeleteObject(ref PolicyHandle);
PolicyHandle = utilities.tempPolicyHandle;
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
#region MS-LSAD_R810
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
810,
@"In PolicyHandle parameter of LsarLookupPrivilegeName method, server MUST verify
that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise.");
#endregion
}
else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid))
{
#region MS-LSAD_R811
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.NoSuchPrivilege,
(uint)uintMethodStatus,
"MS-LSAD",
811,
@"In LsarLookupPrivilegeName method,If the LUID in the Value argument is not recognized
by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE");
#endregion
}
else
{
htPrivilegeNameNLUID.Clear();
#region MS-LSAD_R813
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
813,
@"In LsarLookupPrivilegeName method server MUST return STATUS_SUCCESS
if request is successfully completed.");
#endregion
}
}
return((ErrorStatus)uintMethodStatus);
}
public static extern bool LookupPrivilegeValue(
string lpSystemName,
string lpName,
out _LUID lpLuid);
