/// <summary>
/// Opens the LSA policy object of the local machine with the requested access rights.
/// </summary>
/// <param name="accessPolicy">POLICY_* rights to request; handed to LsaOpenPolicy as an <c>int</c> mask.</param>
/// <returns>The handle produced by LsaOpenPolicy. Ownership passes to the caller.</returns>
public static LsaPolicyHandle Open(LsaAccessPolicy accessPolicy)
{
    // Default-constructed name: no target system, which LsaOpenPolicy presumably treats as the local machine.
    var localSystem = new LsaUnicodeString();

    // LsaOpenPolicy insists on an object-attributes block even though none of its fields are used here; keep it zeroed.
    var attributes = new LsaObjectAttributes
    {
        Length = 0,
        RootDirectory = IntPtr.Zero,
        Attributes = 0,
        SecurityDescriptor = IntPtr.Zero,
        SecurityQualityOfService = IntPtr.Zero,
    };

    var desiredAccess = (int)accessPolicy;
    LsaPolicyHandle opened = null;
    // LsaChecked is expected to raise on a failing NTSTATUS, so `opened` is only returned on success — confirm.
    LsaChecked(() => NativeMethods.LsaOpenPolicy(ref localSystem, ref attributes, desiredAccess, out opened));
    return opened;
}
/// <summary>
/// Opens the local LSA policy object, requesting the rights in <paramref name="accessPolicy"/>.
/// </summary>
/// <param name="accessPolicy">Access mask for the policy object; cast to <c>int</c> for LsaOpenPolicy.</param>
/// <returns>The handle LsaOpenPolicy wrote; the caller owns it.</returns>
public static LsaPolicyHandle Open(LsaAccessPolicy accessPolicy)
{
    // No system name => local policy (as LsaOpenPolicy presumably interprets an empty name).
    var noSystemName = new LsaUnicodeString();

    // The object-attributes block is mandatory for LsaOpenPolicy but carries no information here, so every field is cleared.
    var emptyAttributes = new LsaObjectAttributes();
    emptyAttributes.Length = 0;
    emptyAttributes.RootDirectory = IntPtr.Zero;
    emptyAttributes.Attributes = 0;
    emptyAttributes.SecurityDescriptor = IntPtr.Zero;
    emptyAttributes.SecurityQualityOfService = IntPtr.Zero;

    LsaPolicyHandle result = null;
    // LsaChecked wraps the native call; it is assumed to throw when the status indicates failure — confirm.
    LsaChecked(() => NativeMethods.LsaOpenPolicy(ref noSystemName, ref emptyAttributes, (int)accessPolicy, out result));
    return result;
}
// Opens the LSA policy of this machine with a narrow set of rights (create secret, lookup names, view local info)
// rather than POLICY_ALL_ACCESS. Returns a raw handle that is never closed here: the caller must release it.
static IntPtr GetLsaPolicyHandle()
{
    const uint desiredAccess = POLICY_CREATE_SECRET | POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION;

    // Required by LsaOpenPolicy but otherwise unused, so every field is zeroed.
    var attributes = new LsaObjectAttributes
    {
        Length = 0,
        RootDirectory = IntPtr.Zero,
        Attributes = 0,
        SecurityDescriptor = IntPtr.Zero,
        SecurityQualityOfService = IntPtr.Zero
    };

    // The local machine is addressed explicitly by name.
    var targetSystem = new LsaUnicodeString(Environment.MachineName);

    var status = LsaOpenPolicy(ref targetSystem, ref attributes, desiredAccess, out var policyHandle);
    HandleLsaResult(status); // presumably throws on a failing NTSTATUS — confirm against its definition
    return policyHandle;
}
/// <summary>
/// Opens a handle to the local LSA policy object.
/// </summary>
/// <returns>The opened policy handle; the caller owns it and must release it when finished.</returns>
/// <exception cref="Win32Exception">
/// Thrown when LsaOpenPolicy returns a status other than <see cref="NtStatus.Success"/>; the exception carries
/// the Win32 error code derived from that NTSTATUS.
/// </exception>
public static LsaPolicyHandle OpenPolicyHandle()
{
    // Empty system name: local system, as the original author noted.
    var localSystem = new Advapi32.LsaUnicodeString();

    // LsaOpenPolicy requires the block; Length is set to the structure size and the other fields are left empty.
    var attributes = new LsaObjectAttributes
    {
        Length = Marshal.SizeOf<LsaObjectAttributes>(),
        RootDirectory = IntPtr.Zero,
        Attributes = 0,
        SecurityDescriptor = IntPtr.Zero,
        SecurityQualityOfService = IntPtr.Zero
    };

    // NOTE(review): PolicyAllAccess is requested; callers that only read policy data would succeed with a
    // narrower mask (and without administrative rights) — consider making the mask a parameter.
    var status = Advapi32.LsaOpenPolicy(
        ref localSystem,
        ref attributes,
        Kernel32.AccessMask.PolicySpecificRights.PolicyAllAccess,
        out LsaPolicyHandle policyHandle);

    if (status == NtStatus.Success)
    {
        return policyHandle;
    }

    // NTSTATUS values are not Win32 error codes; translate before wrapping so the message is meaningful.
    throw new Win32Exception(Advapi32.LsaNtStatusToWinError(status));
}
// P/Invoke for advapi32 LsaOpenPolicy: opens the Policy object on systemName with the POLICY_* rights in
// desiredAccess. The uint result is an NTSTATUS (callers in this file pass it through LsaNtStatusToWinError),
// not a Win32 error. policyHandle is a raw handle that must be released with LsaClose.
// NOTE(review): the DllImport attribute is not visible here — confirm it precedes this declaration.
private static extern uint LsaOpenPolicy(
    ref LsaUnicodeString systemName,
    ref LsaObjectAttributes objectAttributes,
    uint desiredAccess,
    out IntPtr policyHandle);
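/// <summary>
/// Checks whether the given account currently holds the named privilege (user right).
/// </summary>
/// <param name="accountName">Account to inspect - "domain\account" or only "account"; normalised by GetSanitizedAccountName first.</param>
/// <param name="privilegeName">Privilege / right name to look for; compared ordinal, case-insensitively.</param>
/// <returns><c>true</c> if the account's enumerated rights contain <paramref name="privilegeName"/>; otherwise <c>false</c>.</returns>
/// <exception cref="Exception">
/// Thrown when the account cannot be resolved to a SID, the LSA policy cannot be opened, or the rights cannot be enumerated.
/// </exception>
public bool CheckRight(string accountName, string privilegeName)
{
    accountName = GetSanitizedAccountName(accountName);

    var sid = IntPtr.Zero;
    var sidSize = 0;
    var domainName = new StringBuilder();
    var nameSize = 0;
    var accountType = 0;

    // First call with empty buffers only reports the required sizes through the ref parameters.
    LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);

    domainName = new StringBuilder(nameSize);
    sid = Marshal.AllocHGlobal(sidSize);
    var policyHandle = IntPtr.Zero;
    try
    {
        if (!LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType))
        {
            // Capture the error before any other call can overwrite it (needs SetLastError = true on the declaration).
            var lookupError = Marshal.GetLastWin32Error();
            throw new Exception("LookupAccountName failed. Win32 Error Code: " + lookupError + "|| Message: " + new Win32Exception(lookupError).Message);
        }

        // Empty system name: local machine.
        var systemName = new LsaUnicodeString();

        // Least privilege: LsaEnumerateAccountRights only needs POLICY_LOOKUP_NAMES on the policy handle, so the
        // administrative rights (server/trust admin, create privilege, ...) are no longer requested for a read-only check.
        const uint access = (uint)LsaAccessPolicy.PolicyLookupNames;

        // Required by LsaOpenPolicy but otherwise unused; must be zeroed.
        var objectAttributes = new LsaObjectAttributes();
        objectAttributes.Length = 0;
        objectAttributes.RootDirectory = IntPtr.Zero;
        objectAttributes.Attributes = 0;
        objectAttributes.SecurityDescriptor = IntPtr.Zero;
        objectAttributes.SecurityQualityOfService = IntPtr.Zero;

        var openStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, access, out policyHandle);
        var openError = LsaNtStatusToWinError(openStatus);
        if (openError != 0)
        {
            // LSA calls do not set the thread's last Win32 error; the NTSTATUS-derived code is the real error.
            policyHandle = IntPtr.Zero;
            throw new Exception("OpenPolicy failed. Error code: " + openError + "|| ErrorMessage: " + new Win32Exception((int)openError).Message);
        }

        var rightsArray = IntPtr.Zero;
        ulong rightsCount = 0;
        var enumStatus = LsaEnumerateAccountRights(policyHandle, sid, out rightsArray, out rightsCount);
        // Check the status of the enumeration itself (previously the already-successful open status was re-checked,
        // so an enumeration failure was never reported).
        var enumError = LsaNtStatusToWinError(enumStatus);
        if (enumError != 0)
        {
            throw new Exception("EnumerateAccountRights failed. Error code: " + enumError + "|| ErrorMessage: " + new Win32Exception((int)enumError).Message);
        }

        // NOTE(review): rightsArray is LSA-allocated and should be released with LsaFreeMemory after the loop;
        // no such P/Invoke is visible in this file, so that buffer is currently leaked.
        var entrySize = Marshal.SizeOf(typeof(LsaUnicodeString));
        for (ulong i = 0; i < rightsCount; i++)
        {
            var itemAddr = new IntPtr(rightsArray.ToInt64() + (long)i * entrySize);
            var entry = (LsaUnicodeString)Marshal.PtrToStructure(itemAddr, typeof(LsaUnicodeString));
            if (string.Equals(Lsaus2String(entry), privilegeName, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }
    finally
    {
        // Released on every path, including the throws above. The SID buffer came from AllocHGlobal, so
        // FreeHGlobal is the matching release (FreeSid is only valid for AllocateAndInitializeSid memory).
        if (policyHandle != IntPtr.Zero)
        {
            LsaClose(policyHandle);
        }
        Marshal.FreeHGlobal(sid);
    }
}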
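/// <summary>
/// Adds a privilege (user right) to an account.
/// </summary>
/// <param name="accountName">Name of an account - "domain\account" or only "account"; normalised by GetSanitizedAccountName first.</param>
/// <param name="privilegeName">Name of the privilege to grant.</param>
/// <returns>The Windows error code returned by LsaAddAccountRights; every failure throws, so this is 0 on return.</returns>
/// <exception cref="ArgumentException">Thrown when <paramref name="privilegeName"/> is null, empty, or too long for an LSA_UNICODE_STRING.</exception>
/// <exception cref="Exception">
/// Thrown when the account cannot be resolved to a SID, the LSA policy cannot be opened, or LsaAddAccountRights fails.
/// </exception>
public long SetRight(string accountName, string privilegeName)
{
    // Validate before touching any native resource; the Length/MaximumLength fields below are ushort byte counts.
    if (string.IsNullOrEmpty(privilegeName))
    {
        throw new ArgumentException("A privilege name is required.", "privilegeName");
    }
    if ((privilegeName.Length + 1) * UnicodeEncoding.CharSize > ushort.MaxValue)
    {
        throw new ArgumentException("Privilege name is too long for an LSA_UNICODE_STRING.", "privilegeName");
    }

    accountName = GetSanitizedAccountName(accountName);

    var sid = IntPtr.Zero;
    var sidSize = 0;
    var domainName = new StringBuilder();
    var nameSize = 0;
    var accountType = 0;

    // Size query: empty buffers, the required lengths come back through the ref parameters.
    LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType);

    domainName = new StringBuilder(nameSize);
    sid = Marshal.AllocHGlobal(sidSize);
    var policyHandle = IntPtr.Zero;
    var privilegeBuffer = IntPtr.Zero;
    try
    {
        if (!LookupAccountName(string.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType))
        {
            // Read immediately, before another call overwrites it (needs SetLastError = true on the declaration).
            var lookupError = Marshal.GetLastWin32Error();
            throw new Exception("LookupAccountName failed: " + lookupError);
        }

        // Empty system name: local machine.
        var systemName = new LsaUnicodeString();

        // Least privilege: LsaAddAccountRights needs POLICY_LOOKUP_NAMES, plus POLICY_CREATE_ACCOUNT when the
        // account has no LSA account object yet. Nothing else from the former "all policies" mask is used here.
        const uint access = (uint)(LsaAccessPolicy.PolicyLookupNames | LsaAccessPolicy.PolicyCreateAccount);

        // Required by LsaOpenPolicy but otherwise unused; must be zeroed.
        var objectAttributes = new LsaObjectAttributes();
        objectAttributes.Length = 0;
        objectAttributes.RootDirectory = IntPtr.Zero;
        objectAttributes.Attributes = 0;
        objectAttributes.SecurityDescriptor = IntPtr.Zero;
        objectAttributes.SecurityQualityOfService = IntPtr.Zero;

        var openStatus = LsaOpenPolicy(ref systemName, ref objectAttributes, access, out policyHandle);
        var openError = LsaNtStatusToWinError(openStatus);
        if (openError != 0)
        {
            // LSA calls do not set the thread's last Win32 error; report the NTSTATUS-derived code instead.
            policyHandle = IntPtr.Zero;
            throw new Exception("OpenPolicy failed: " + openError + " ErrorMessage: " + new Win32Exception((int)openError).Message);
        }

        // LSA_UNICODE_STRING for the privilege: Length excludes the terminator, MaximumLength includes it (both in bytes).
        // The unmanaged copy of the name is tracked so it is freed below even if the add fails.
        privilegeBuffer = Marshal.StringToHGlobalUni(privilegeName);
        var userRights = new LsaUnicodeString[1];
        userRights[0] = new LsaUnicodeString();
        userRights[0].Buffer = privilegeBuffer;
        userRights[0].Length = (ushort)(privilegeName.Length * UnicodeEncoding.CharSize);
        userRights[0].MaximumLength = (ushort)((privilegeName.Length + 1) * UnicodeEncoding.CharSize);

        var addStatus = LsaAddAccountRights(policyHandle, sid, userRights, 1);
        var addError = LsaNtStatusToWinError(addStatus);
        if (addError != 0)
        {
            throw new Exception("LsaAddAccountRights failed: " + addError + " Error Message: " + new Win32Exception((int)addError).Message);
        }
        return addError;
    }
    finally
    {
        // Released on every path, including the throws above. The SID buffer came from AllocHGlobal, so
        // FreeHGlobal is the matching release (FreeSid is only valid for AllocateAndInitializeSid memory).
        if (privilegeBuffer != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(privilegeBuffer);
        }
        if (policyHandle != IntPtr.Zero)
        {
            LsaClose(policyHandle);
        }
        Marshal.FreeHGlobal(sid);
    }
}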
// P/Invoke for advapi32 LsaOpenPolicy. systemName selects the target machine, desiredAccess is the POLICY_*
// access mask (declared as int here, so callers cast their enum), and policyHandle receives the opened handle
// wrapped in LsaPolicyHandle. The LsaStatus result is the raw NTSTATUS; callers must check it themselves.
// NOTE(review): the DllImport attribute is not visible here — confirm it precedes this declaration.
public static extern LsaStatus LsaOpenPolicy(
    ref LsaUnicodeString systemName,
    ref LsaObjectAttributes objectAttributes,
    int desiredAccess,
    out LsaPolicyHandle policyHandle);
/// <summary>
/// Creates a request whose <c>ObjectAttributes</c> is pre-populated with a fresh <see cref="LsaObjectAttributes"/>;
/// the remaining members are left for the caller to fill in.
/// </summary>
public LsarOpenPolicyRequest()
{
    ObjectAttributes = new LsaObjectAttributes();
}
// P/Invoke for advapi32 LsaOpenPolicy: opens the Policy object on lpSystemName with the POLICY_* rights in
// dwDesiredAccess. The uint result is an NTSTATUS, not a Win32 error; hPolicy is a raw handle to release with LsaClose.
// NOTE(review): lpSystemName is declared as a nullable `LsaUnicodeString?`. If LsaUnicodeString is a struct this
// becomes `ref Nullable<T>`, which the interop marshaller does not support — confirm it is a class (nullable
// reference type) rather than a struct.
// NOTE(review): the DllImport attribute is not visible here — confirm it precedes this declaration.
public static extern uint LsaOpenPolicy(
    ref LsaUnicodeString? lpSystemName,
    ref LsaObjectAttributes lpObjectAttributes,
    uint dwDesiredAccess,
    out IntPtr hPolicy);
// P/Invoke for advapi32 LsaOpenPolicy. desiredAccess is the POLICY_* access mask (Int32 here; callers cast their
// enum), policyHandle receives a raw handle that must be released with LsaClose, and the UInt32 result is an
// NTSTATUS — translate with LsaNtStatusToWinError before reporting it as a Win32 error.
// NOTE(review): the DllImport attribute is not visible here — confirm it precedes this declaration.
public static extern UInt32 LsaOpenPolicy(
    ref LsaUnicodeString systemName,
    ref LsaObjectAttributes objectAttributes,
    Int32 desiredAccess,
    out IntPtr policyHandle);
// P/Invoke for advapi32 LsaOpenPolicy: opens the Policy object on SystemName with the POLICY_* rights in
// DesiredAccess. The uint result is an NTSTATUS, not a Win32 error; PolicyHandle is a raw handle to release with LsaClose.
// NOTE(review): the DllImport attribute is not visible here — confirm it precedes this declaration.
static extern uint LsaOpenPolicy(
    ref LsaUnicodeString SystemName,
    ref LsaObjectAttributes ObjectAttributes,
    uint DesiredAccess,
    out IntPtr PolicyHandle);