3.1.4.9.2 LsarSetSecurityObject (Opnum 4)
The LsarSetSecurityObject method is invoked to set a security descriptor on an object.
    NTSTATUS LsarSetSecurityObject(
        [in] LSAPR_HANDLE ObjectHandle,
        [in] SECURITY_INFORMATION SecurityInformation,
        [in] PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor
    );
ObjectHandle: An open handle to an existing object.
SecurityInformation: A bitmask specifying which portions of the security descriptor are to be set.
SecurityDescriptor: The security descriptor to be set.
Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.
| Return value/code | Description |
| --- | --- |
| 0x00000000 STATUS_SUCCESS | The request was successfully completed. |
| 0xC000009A STATUS_INSUFFICIENT_RESOURCES | There are insufficient resources to complete the request. |
| 0xC0000022 STATUS_ACCESS_DENIED | The caller does not have the permissions to perform this operation. |
| 0xC0000079 STATUS_INVALID_SECURITY_DESCR | The supplied security descriptor is invalid. |
| 0xC000000D STATUS_INVALID_PARAMETER | One of the parameters supplied was invalid. For instance, SecurityDescriptor is NULL. |
| 0xC00000BB STATUS_NOT_SUPPORTED | The operation is not supported for this object. |
| 0xC0000008 STATUS_INVALID_HANDLE | ObjectHandle is not a valid handle. |
Processing:
This message takes three arguments:
ObjectHandle: Can be an open handle of any type. If the handle is not a valid context handle to an object or ObjectHandle.PolicyType is not one of the following:
    "Policy" for handles to policy objects
    "Account" for handles to account objects
    "Secret" for handles to secret objects
    "Trusted Domain" for handles to trusted domain objects
The server MUST return STATUS_INVALID_HANDLE.
The access required for a successful completion of this request depends on the SecurityInformation parameter. The server MUST verify that ObjectHandle grants access as specified in section 3.1.4.2.2. The following pseudocode specifies the RequiredAccess value to use in this access check.
    Set RequiredAccess equal to 0
    IF ((SecurityInformation & OWNER_SECURITY_INFORMATION) ||
        (SecurityInformation & GROUP_SECURITY_INFORMATION) ||
        (SecurityInformation & DACL_SECURITY_INFORMATION)) THEN
        RequiredAccess |= READ_CONTROL
    END IF
    IF (SecurityInformation & SACL_SECURITY_INFORMATION) THEN
        RequiredAccess |= ACCESS_SYSTEM_SECURITY
    END IF
SecurityInformation: A set of bits specifying which portions of the security descriptor the caller is interested in setting. The various bits and the associated access rights are specified in section 2.2.1.3.
SecurityDescriptor: Expects a valid self-relative security descriptor that the caller is trying to set. If this security descriptor is invalid, the server MUST return the STATUS_INVALID_SECURITY_DESCR status code. If the security descriptor is NULL, the server MUST return STATUS_INVALID_PARAMETER.
It is valid for the server to not support this method for all object types.<113>
The server MUST return STATUS_INSUFFICIENT_RESOURCES if it runs out of memory while servicing the request.
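The following C sketch is an added example, not part of the protocol specification or of any Microsoft implementation: it computes RequiredAccess as the pseudocode above does and maps each failed check to the status code this section names. Assumptions: the function names and SAMPLE_SD are hypothetical, the order of the checks is chosen for illustration, "grants access" is modelled as the handle's granted mask containing every RequiredAccess bit, and the descriptor check covers only the 20-byte self-relative header (SIDs and ACLs are not parsed).

```c
#include <stddef.h>
#include <stdint.h>
/* Status codes from the return-value table on this page. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_HANDLE         0xC0000008u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_INVALID_SECURITY_DESCR 0xC0000079u

/* SECURITY_INFORMATION bits and access-mask bits (standard Windows values). */
#define OWNER_SECURITY_INFORMATION 0x00000001u
#define GROUP_SECURITY_INFORMATION 0x00000002u
#define DACL_SECURITY_INFORMATION  0x00000004u
#define SACL_SECURITY_INFORMATION  0x00000008u
#define READ_CONTROL               0x00020000u
#define ACCESS_SYSTEM_SECURITY     0x01000000u
#define SE_SELF_RELATIVE           0x8000u
/* Constructed sample: self-relative descriptor with no owner, group, SACL or DACL. */
static const uint8_t SAMPLE_SD[20] = {1, 0, 0x00, 0x80};

/* RequiredAccess exactly as the pseudocode in this section computes it. */
uint32_t required_access(uint32_t si) {
    uint32_t ra = 0;
    if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
        ra |= READ_CONTROL;
    if (si & SACL_SECURITY_INFORMATION)
        ra |= ACCESS_SYSTEM_SECURITY;
    return ra;
}

/* Header check: Revision, Sbz1, Control, then four 32-bit little-endian offsets. */
static int sd_header_ok(const uint8_t *sd, size_t len) {
    if (len < 20 || sd[0] != 1) return 0;
    if (!((sd[2] | (sd[3] << 8)) & SE_SELF_RELATIVE)) return 0;
    for (size_t i = 4; i < 20; i += 4) {
        uint32_t off = sd[i] | sd[i+1] << 8 | sd[i+2] << 16 | (uint32_t)sd[i+3] << 24;
        if (off != 0 && (off < 20 || off >= len)) return 0; /* must land inside the buffer */
    }
    return 1;
}

/* Hypothetical server-side pre-check; the order of checks is an assumption. */
uint32_t set_security_object_precheck(int handle_valid, uint32_t granted,
                                      uint32_t si, const uint8_t *sd, size_t len) {
    if (!handle_valid) return STATUS_INVALID_HANDLE;
    if ((granted & required_access(si)) != required_access(si)) return STATUS_ACCESS_DENIED;
    if (sd == NULL) return STATUS_INVALID_PARAMETER;
    if (!sd_header_ok(sd, len)) return STATUS_INVALID_SECURITY_DESCR;
    return STATUS_SUCCESS;
}
```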