This section contains topics for the following groups of functions:
- Attachment Callback Functions
- Attachment Engine Functions
- LSA Policy Functions
- Managed Service Account Functions
- Password Filter Functions
- Safer Functions
Attachment Callback Functions
The following support functions are provided by the Security Configuration tool set and may be used by attachment engines and extension snap-ins to read and write configuration data.
Callback function | Description |
---|---|
PFSCE_FREE_INFO | Used to free memory allocated by these support functions. |
PFSCE_LOG_INFO | Used to log messages to the configuration log file or analysis log file. |
PFSCE_QUERY_INFO | Used to query the configuration and analysis information for a specific service. |
PFSCE_SET_INFO | Used to set configuration and analysis information for a specific service. |
Attachment Engine Functions
Function | Description |
---|---|
SceSvcAttachmentAnalyze | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is analyzed. |
SceSvcAttachmentConfig | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when the system is configured. |
SceSvcAttachmentUpdate | Implemented by the attachment engine DLL. The Security Configuration Engine calls this function when it receives a configuration update request from the attachment snap-in extension. |
LSA Policy Functions
The following topics provide reference information for the Local Security Authority (LSA) Policy functions.
Topic | Description |
---|---|
Policy Functions | Details functions used to open the local Policy object and to set or retrieve global policy information. |
Account Functions | Details functions used to manage account permissions and to create and delete user accounts. |
Trusted Domain Functions | Details functions used to create and delete trusted domain relationships and to set and retrieve information about those trusted domains. |
Private Data Functions | Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions. |
Miscellaneous Functions | Details functions not described elsewhere. |
Policy Functions
The following functions enumerate user accounts and trusted domains, receive policy change notifications, and look up account names and SIDs.
Function | Description |
---|---|
LsaEnumerateAccountsWithUserRight | Enumerates all the accounts that have a specified user permission. |
LsaEnumerateTrustedDomainsEx | Enumerates the trusted domains. |
LsaLookupNames | Maps the specified names to their SIDs. Returns the SID as an RID/Domain SID pair. |
LsaLookupNames2 | Maps the specified names to their SIDs. Returns the SID as a single element. |
LsaLookupPrivilegeValue | Retrieves the locally unique identifier (LUID) used by the Local Security Authority (LSA) to represent the specified privilege name. |
LsaLookupSids | Maps the specified account names to their SIDs. |
LsaRegisterPolicyChangeNotification | Registers an event object to receive notifications when the local policy information changes. |
LsaUnregisterPolicyChangeNotification | Unregisters an event object that is receiving policy change notifications. |
Account Functions
The following functions add, enumerate, and delete permissions for an account.
Function | Description |
---|---|
LsaAddAccountRights | Add permissions to an account. If the account does not already exist, it is created. |
LsaEnumerateAccountRights | Enumerate the permissions granted to an account. |
LsaRemoveAccountRights | Remove permissions from an account. When all the permissions are removed, the account is deleted. |
Trusted Domain Functions
The following functions create, enumerate, and delete trusted domains and set and retrieve trusted domain information.
Function | Description |
---|---|
LsaCreateTrustedDomainEx | Creates a new TrustedDomain object. |
LsaDeleteTrustedDomain | Removes a TrustedDomain object. |
LsaEnumerateTrustedDomains LsaEnumerateTrustedDomainsEx | Enumerates the domains currently trusted by the local system. |
LsaOpenTrustedDomainByName | Opens a handle to a TrustedDomain object. |
LsaQueryTrustedDomainInfo | Retrieves information about a trusted domain. The domain is specified by SID. |
LsaQueryTrustedDomainInfoByName | Retrieves information about a trusted domain. The domain is specified by name. |
LsaSetTrustedDomainInfoByName | Sets information for a trusted domain. The domain is specified by name. |
LsaSetTrustedDomainInformation | Sets information for a trusted domain. The domain is specified by SID. |
Private Data Functions
Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions.
Function | Description |
---|---|
LsaRetrievePrivateData | Retrieves and decrypts a string. |
LsaStorePrivateData | Encrypts and stores a string. |
Miscellaneous Functions
The LSA Policy API has the following three functions that do not fit into any of the other LSA Policy function categories.
Function | Description |
---|---|
LsaClose | Closes a handle to a Policy object or a TrustedDomain object. |
LsaFreeMemory | Frees a buffer allocated by an LSA function. |
LsaNtStatusToWinError | Converts an NTSTATUS value to a Windows error code. |
Managed Service Account Functions
The following functions are used to create, enumerate, find, and delete managed service accounts.
Function | Description |
---|---|
NetAddServiceAccount | Creates a managed service account. |
NetEnumerateServiceAccounts | Enumerates the server accounts on the specified server. |
NetIsServiceAccount | Tests whether the specified service account exists in the Netlogon store on the specified server. |
NetRemoveServiceAccount | Deletes the specified service account from the Active Directory database. |
Password Filter Functions
The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.
Function | Description |
---|---|
InitializeChangeNotify | Indicates that a password filter DLL is initialized. |
PasswordChangeNotify | Indicates that a password has been changed. |
PasswordFilter | Validates a new password based on password policy. |
Safer Functions
The following Safer functions can be used to check the safer level of any executable and to log events.
Function | Description |
---|---|
SaferCloseLevel | Closes a SAFER_LEVEL_HANDLE opened by using the SaferIdentifyLevel function or the SaferCreateLevel function. |
SaferComputeTokenFromLevel | Restricts a token using restrictions specified by a SAFER_LEVEL_HANDLE. |
SaferCreateLevel | Opens a SAFER_LEVEL_HANDLE. |
SaferGetLevelInformation | Retrieves information about a policy level. |
SaferGetPolicyInformation | Retrieves information about a policy. |
SaferIdentifyLevel | Retrieves information about a level. |
SaferiIsExecutableFileType | Determines whether a specified file is an executable file. |
SaferRecordEventLogEntry | Sends a message to the event log. |
SaferSetLevelInformation | Sets the information about a policy level. |
SaferSetPolicyInformation | Sets the global policy controls. |