public static LsaPolicyHandle Open(LsaAccessPolicy accessPolicy)
{
var systemName = new LsaUnicodeString();
var objectAttributes = new LsaObjectAttributes
{
Length = 0,
RootDirectory = IntPtr.Zero,
Attributes = 0,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = IntPtr.Zero,
};
LsaPolicyHandle handle = null;
LsaChecked(() => NativeMethods.LsaOpenPolicy(ref systemName, ref objectAttributes, (int)accessPolicy, out handle));
return handle;
}
public static LsaPolicyHandle Open(LsaAccessPolicy accessPolicy)
{
var systemName = new LsaUnicodeString();
var objectAttributes = new LsaObjectAttributes
{
Length = 0,
RootDirectory = IntPtr.Zero,
Attributes = 0,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = IntPtr.Zero,
};
LsaPolicyHandle handle = null;
LsaChecked(() => NativeMethods.LsaOpenPolicy(ref systemName, ref objectAttributes, (int)accessPolicy, out handle));
return(handle);
}
static IntPtr GetLsaPolicyHandle()
{
var computerName = Environment.MachineName;
var objectAttributes = new LsaObjectAttributes
{
Length = 0,
RootDirectory = IntPtr.Zero,
Attributes = 0,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = IntPtr.Zero
};
const uint accessMask = POLICY_CREATE_SECRET | POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION;
var machineNameLsa = new LsaUnicodeString(computerName);
var result = LsaOpenPolicy(ref machineNameLsa, ref objectAttributes, accessMask, out var hPolicy);
HandleLsaResult(result);
return(hPolicy);
}
/// <summary>
/// Opens a new policy handle.
/// </summary>
/// <returns></returns>
/// <exception cref="Win32Exception"></exception>
public static LsaPolicyHandle OpenPolicyHandle()
{
var systemName = new Advapi32.LsaUnicodeString();
var lsaObjectAttributes = new LsaObjectAttributes
{
RootDirectory = IntPtr.Zero,
Attributes = 0,
SecurityDescriptor = IntPtr.Zero,
SecurityQualityOfService = IntPtr.Zero,
Length = Marshal.SizeOf <LsaObjectAttributes>()
};
//Create a new LSA policy handle
NtStatus ret = Advapi32.LsaOpenPolicy(ref systemName, ref lsaObjectAttributes, Kernel32.AccessMask.PolicySpecificRights.PolicyAllAccess, out LsaPolicyHandle policyHandle); //systemName = null (Local System)
if (ret != NtStatus.Success)
{
throw new Win32Exception(Advapi32.LsaNtStatusToWinError(ret));
}
return(policyHandle);
}
private static extern uint LsaOpenPolicy(
ref LsaUnicodeString systemName,
ref LsaObjectAttributes objectAttributes,
uint desiredAccess,
out IntPtr policyHandle);
public bool CheckRight(string accountName, string privilegeName)
{
accountName = GetSanitizedAccountName(accountName);
// contains the last error
long winErrorCode = 0;
// pointer an size for the SID
var sid = IntPtr.Zero;
var sidSize = 0;
// StringBuilder and size for the domain name
var domainName = new StringBuilder();
var nameSize = 0;
// account-type variable for lookup
var accountType = 0;
// get required buffer size
LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);
// allocate buffers
domainName = new StringBuilder(nameSize);
sid = Marshal.AllocHGlobal(sidSize);
// lookup the SID for the account
var result = LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);
// log info
////Console.WriteLine("LookupAccountName result = " + result);
////Console.WriteLine("IsValidSid: " + IsValidSid(sid));
////Console.WriteLine("LookupAccountName domainName: " + domainName.ToString());
if (!result)
{
winErrorCode = GetLastError();
throw new Exception("LookupAccountName failed. Win32 Error Code: " +
Marshal.GetLastWin32Error() + "|| Message: " +
new Win32Exception(Marshal.GetLastWin32Error()).Message);
}
// initialize an empty unicode-string
var systemName = new LsaUnicodeString();
// combine all policies
const uint access = (uint)(
LsaAccessPolicy.PolicyAuditLogAdmin |
LsaAccessPolicy.PolicyCreateAccount |
LsaAccessPolicy.PolicyCreatePrivilege |
LsaAccessPolicy.PolicyCreateSecret |
LsaAccessPolicy.PolicyGetPrivateInformation |
LsaAccessPolicy.PolicyLookupNames |
LsaAccessPolicy.PolicyNotification |
LsaAccessPolicy.PolicyServerAdmin |
LsaAccessPolicy.PolicySetAuditRequirements |
LsaAccessPolicy.PolicySetDefaultQuotaLimits |
LsaAccessPolicy.PolicyTrustAdmin |
LsaAccessPolicy.PolicyViewAuditInformation |
LsaAccessPolicy.PolicyViewLocalInformation);
// initialize a pointer for the policy handle
IntPtr policyHandle;
// these attributes are not used, but LsaOpenPolicy wants them to exists
var objectAttributes = new LsaObjectAttributes();
objectAttributes.Length = 0;
objectAttributes.RootDirectory = IntPtr.Zero;
objectAttributes.Attributes = 0;
objectAttributes.SecurityDescriptor = IntPtr.Zero;
objectAttributes.SecurityQualityOfService = IntPtr.Zero;
// get a policy handle
var resultPolicy = LsaOpenPolicy(ref systemName, ref objectAttributes, access, out policyHandle);
winErrorCode = LsaNtStatusToWinError(resultPolicy);
if (winErrorCode != 0)
{
var errorMessage = new Win32Exception(Marshal.GetLastWin32Error()).Message;
throw new Exception("OpenPolicy failed. Error code: " + winErrorCode + "|| ErrorMessage: " + errorMessage);
}
else
{
var rightsArray = IntPtr.Zero;
ulong rightsCount = 0;
LsaEnumerateAccountRights(policyHandle, sid, out rightsArray, out rightsCount);
winErrorCode = LsaNtStatusToWinError(resultPolicy);
if (winErrorCode != 0)
{
var errorMessage = new Win32Exception(Marshal.GetLastWin32Error()).Message;
throw new Exception("EnumerateAccountRights failed. Error code: " + winErrorCode + "|| ErrorMessage: " + errorMessage);
}
else
{
var myLsaus = new LsaUnicodeString();
for (ulong i = 0; i < rightsCount; i++)
{
var itemAddr = new IntPtr(rightsArray.ToInt64() + (long)(i * (ulong)Marshal.SizeOf(myLsaus)));
myLsaus = (LsaUnicodeString)Marshal.PtrToStructure(itemAddr, myLsaus.GetType());
var thisRight = Lsaus2String(myLsaus);
if (string.Compare(thisRight, privilegeName, StringComparison.OrdinalIgnoreCase) != 0)
{
continue;
}
LsaClose(policyHandle);
FreeSid(sid);
return(true);
}
}
LsaClose(policyHandle);
}
FreeSid(sid);
return(false);
}
/// <summary>
/// Adds a privilege to an account
/// </summary>
/// <param name="accountName">Name of an account - "domain\account" or only "account"</param>
/// <param name="privilegeName">Name ofthe privilege</param>
/// <returns>The windows error code returned by LsaAddAccountRights</returns>
public long SetRight(string accountName, string privilegeName)
{
accountName = GetSanitizedAccountName(accountName);
// contains the last error
long winErrorCode = 0;
// pointer an size for the SID
var sid = IntPtr.Zero;
var sidSize = 0;
// StringBuilder and size for the domain name
var domainName = new StringBuilder();
var nameSize = 0;
// account-type variable for lookup
var accountType = 0;
// get required buffer size
LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);
// allocate buffers
domainName = new StringBuilder(nameSize);
sid = Marshal.AllocHGlobal(sidSize);
// lookup the SID for the account
var result = LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);
// log info
////Console.WriteLine("LookupAccountName result = " + result);
////Console.WriteLine("IsValidSid: " + IsValidSid(sid));
////Console.WriteLine("LookupAccountName domainName: " + domainName.ToString());
if (!result)
{
winErrorCode = GetLastError();
throw new Exception("LookupAccountName failed: " + winErrorCode);
}
// initialize an empty unicode-string
var systemName = new LsaUnicodeString();
// combine all policies
const uint access = (uint)(
LsaAccessPolicy.PolicyAuditLogAdmin |
LsaAccessPolicy.PolicyCreateAccount |
LsaAccessPolicy.PolicyCreatePrivilege |
LsaAccessPolicy.PolicyCreateSecret |
LsaAccessPolicy.PolicyGetPrivateInformation |
LsaAccessPolicy.PolicyLookupNames |
LsaAccessPolicy.PolicyNotification |
LsaAccessPolicy.PolicyServerAdmin |
LsaAccessPolicy.PolicySetAuditRequirements |
LsaAccessPolicy.PolicySetDefaultQuotaLimits |
LsaAccessPolicy.PolicyTrustAdmin |
LsaAccessPolicy.PolicyViewAuditInformation |
LsaAccessPolicy.PolicyViewLocalInformation);
// initialize a pointer for the policy handle
var policyHandle = IntPtr.Zero;
// these attributes are not used, but LsaOpenPolicy wants them to exists
var objectAttributes = new LsaObjectAttributes();
objectAttributes.Length = 0;
objectAttributes.RootDirectory = IntPtr.Zero;
objectAttributes.Attributes = 0;
objectAttributes.SecurityDescriptor = IntPtr.Zero;
objectAttributes.SecurityQualityOfService = IntPtr.Zero;
// get a policy handle
var resultPolicy = LsaOpenPolicy(ref systemName, ref objectAttributes, access, out policyHandle);
winErrorCode = LsaNtStatusToWinError(resultPolicy);
if (winErrorCode != 0)
{
var errorMessage = new Win32Exception(Marshal.GetLastWin32Error()).Message;
throw new Exception("OpenPolicy failed: " + winErrorCode + " ErrorMessage: " + errorMessage);
}
else
{
// Now that we have the SID an the policy, we can add rights to the account.
// initialize an unicode-string for the privilege name
var userRights = new LsaUnicodeString[1];
userRights[0] = new LsaUnicodeString();
userRights[0].Buffer = Marshal.StringToHGlobalUni(privilegeName);
userRights[0].Length = (ushort)(privilegeName.Length * UnicodeEncoding.CharSize);
userRights[0].MaximumLength = (ushort)((privilegeName.Length + 1) * UnicodeEncoding.CharSize);
// add the right to the account
var res = LsaAddAccountRights(policyHandle, sid, userRights, 1);
winErrorCode = LsaNtStatusToWinError(res);
if (winErrorCode != 0)
{
var errorMessage = new Win32Exception(Marshal.GetLastWin32Error()).Message;
throw new Exception("LsaAddAccountRights failed: " + winErrorCode + " Error Message: " + errorMessage);
}
LsaClose(policyHandle);
}
FreeSid(sid);
return(winErrorCode);
}
public static extern LsaStatus LsaOpenPolicy(ref LsaUnicodeString systemName, ref LsaObjectAttributes objectAttributes, int desiredAccess, out LsaPolicyHandle policyHandle);
public LsarOpenPolicyRequest()
{
ObjectAttributes = new LsaObjectAttributes();
}
public static extern uint LsaOpenPolicy(
ref LsaUnicodeString?lpSystemName,
ref LsaObjectAttributes lpObjectAttributes,
uint dwDesiredAccess,
out IntPtr hPolicy);
public static extern UInt32 LsaOpenPolicy(ref LsaUnicodeString systemName, ref LsaObjectAttributes objectAttributes, Int32 desiredAccess, out IntPtr policyHandle);
public static extern LsaStatus LsaOpenPolicy(ref LsaUnicodeString systemName, ref LsaObjectAttributes objectAttributes, int desiredAccess, out LsaPolicyHandle policyHandle);
static extern uint LsaOpenPolicy(ref LsaUnicodeString SystemName, ref LsaObjectAttributes ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
