3.1.4.3.7.21 CLUSCTL_CLUSTER_SET_ACCOUNT_ACCESS

The CLUSCTL_CLUSTER_SET_ACCOUNT_ACCESS control code SHOULD modify a particular given SID on the cluster security descriptor.

Servers that do not support this control fail this method by returning error code 0x00000001 (ERROR_INVALID_FUNCTION).

The client MUST provide three property names and their associated values, by using the format as specified in section 2.2.3.10, in the buffer that is designated by lpInBuffer as below:

• A CLUSPROP_SYNTAX_LIST_VALUE_SZ with the name "AccountSID" and value is a string that specifies the SID to modify.

• A CLUSPROP_SYNTAX_LIST_VALUE_DWORD with the name "AccountAccessMask" and value representing one of the following on the mask to apply to the SID.

  Value	Meaning
  CLUSAPI_READ_ACCESS 0x00000001	Read access.
  CLUSAPI_CHANGE_ACCESS 0x00000002	Change access.
  CLUSAPI_ALL_ACCESS 0x00000003	The bitwise OR of CLUSAPI_READ_ACCESS and CLUSAPI_CHANGE_ACCESS.
  CLUSAPI_NO_ACCESS 0x00000004	No access.

• A CLUSPROP_SYNTAX_LIST_VALUE_DWORD with the name "AccountAccessType" and value representing one of the following

  Value	Meaning
  CLUSTER_SET_ACCESS_TYPE_ALLOWED 0	Add an allowed ACE.
  CLUSTER_SET_ACCESS_TYPE_DENIED 1	Add a denied ACE.
  CLUSTER_DELETE_ACCESS_CONTROL_ENTRY 2	Delete all ACEs for a particular SID.

After successful completion of the method, the cluster SHOULD NOT write any data to the buffer that is designated by lpOutBuffer.

The server MUST accept a CLUSCTL_CLUSTER_SET_ACCOUNT_ACCESS cluster control code request if its protocol server state is in the read/write state, as specified in section 3.1.1. The server MUST not accept a CLUSCTL_CLUSTER_SET_ACCOUNT_ACCESS cluster control code request if its protocol server state is in the read-only state.