Managing Account Permissions

The LSA provides several functions that applications can call to enumerate or set privileges for user, group, and local group accounts.

Before you can manage account information, your application must get a handle to the local Policy object, as demonstrated in Opening a Policy Object Handle. In addition, to enumerate or edit permissions for an account, you must have the security identifier (SID) for that account. Your application can locate a SID given the account name, as described in Translating Between Names and SIDs.

To access all accounts that have a particular permission, call LsaEnumerateAccountsWithUserRight. This function populates an array with the SIDs of all accounts that have the specified permission.

After you have obtained the SID of an account, you can modify its permissions. Call LsaAddAccountRights to add permissions to the account. If the specified account does not exist, LsaAddAccountRights creates it. To remove permissions from an account, call LsaRemoveAccountRights. If you remove all permissions from an account, LsaRemoveAccountRights also deletes the account.

Your application can check the permissions currently assigned to an account by calling LsaEnumerateAccountRights. This function populates an array of LSA_UNICODE_STRING structures. Each structure contains the name of a privilege held by the specified account.

The following example adds the SeServiceLogonRight permission to an account. In this example, the AccountSID variable specifies the SID of the account. For more information about how to look up an account SID, see Translating Between Names and SIDs.

#include <windows.h>
#include <ntsecapi.h>
#include <stdio.h>

// Defined in Using LSA Unicode Strings; fills an LSA_UNICODE_STRING from a
// null-terminated wide string.
BOOL InitLsaString(PLSA_UNICODE_STRING pLsaString, LPCWSTR pwszString);

void AddPrivileges(PSID AccountSID, LSA_HANDLE PolicyHandle)
{
  LSA_UNICODE_STRING lucPrivilege;
  NTSTATUS ntsResult;

  // Create an LSA_UNICODE_STRING for the privilege name.
  if (!InitLsaString(&lucPrivilege, L"SeServiceLogonRight"))
  {
    wprintf(L"Failed InitLsaString\n");
    return;
  }

  ntsResult = LsaAddAccountRights(
    PolicyHandle,  // An open policy handle.
    AccountSID,    // The target SID.
    &lucPrivilege, // The privileges.
    1              // Number of privileges.
  );
  if (ntsResult == STATUS_SUCCESS)
  {
    wprintf(L"Privilege added.\n");
  }
  else
  {
    // Convert the NTSTATUS code to a Win32 error code for reporting.
    wprintf(L"Privilege was not added - %lu \n",
      LsaNtStatusToWinError(ntsResult));
  }
}

In the preceding example, the function InitLsaString converts a Unicode string to an LSA_UNICODE_STRING structure. The code for this function is shown in Using LSA Unicode Strings.
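As an added example (not code from this page or from the Windows SDK), the audit-side counterpart of AddPrivileges above: it lists an account's rights with LsaEnumerateAccountRights and checks for SeServiceLogonRight, comparing names by byte length because the LSA_UNICODE_STRING values LSA returns are byte-counted and not necessarily null-terminated. The function names, the off-Windows stand-in typedefs (so the comparison logic can be built and tested anywhere) and the sample data are assumptions and constructed input; PolicyHandle is an open policy handle as obtained in Opening a Policy Object Handle.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else /* stand-ins so the comparison logic also builds off Windows (assumption) */
typedef unsigned short USHORT; typedef unsigned long ULONG;
typedef struct { USHORT Length; USHORT MaximumLength; wchar_t *Buffer; } LSA_UNICODE_STRING;
#endif
/* 1 if an array from LsaEnumerateAccountRights contains `name`. Length is in bytes
   and the buffer need not be NUL-terminated, so compare bytes, never wcscmp. */
int HasRight(const LSA_UNICODE_STRING *rights, ULONG count, const wchar_t *name)
{
    size_t nameBytes = wcslen(name) * sizeof(wchar_t);
    for (ULONG i = 0; i < count; i++)
        if ((size_t)rights[i].Length == nameBytes && memcmp(rights[i].Buffer, name, nameBytes) == 0)
            return 1;
    return 0;
}
#ifdef _WIN32
/* Lists every right the account holds; returns 1/0 for SeServiceLogonRight, -1 on
   error. An account holding no rights is absent from the LSA database, so the
   call fails for it instead of returning an empty list. */
int AuditServiceLogonRight(LSA_HANDLE PolicyHandle, PSID AccountSID)
{
    PLSA_UNICODE_STRING rights = NULL;
    ULONG count = 0, i;
    NTSTATUS status = LsaEnumerateAccountRights(PolicyHandle, AccountSID, &rights, &count);
    if (LsaNtStatusToWinError(status) != ERROR_SUCCESS) {
        wprintf(L"LsaEnumerateAccountRights failed - %lu\n", LsaNtStatusToWinError(status));
        return -1;
    }
    for (i = 0; i < count; i++)
        wprintf(L"  %.*s\n", (int)(rights[i].Length / sizeof(WCHAR)), rights[i].Buffer);
    int held = HasRight(rights, count, L"SeServiceLogonRight");
    LsaFreeMemory(rights); /* LSA-allocated; release with LsaFreeMemory, not free() */
    return held;
}
#endif
/* Constructed sample, not real LSA output: entry 0 points into a longer buffer with no
   terminator after its 19th char. Bit 0: SeServiceLogonRight held; bit 1: longer name matched. */
int SampleAudit(void)
{
    static wchar_t backing[] = L"SeServiceLogonRightXYZ", other[] = L"SeInteractiveLogonRight";
    LSA_UNICODE_STRING rights[2] = {
        { (USHORT)(19 * sizeof(wchar_t)), (USHORT)sizeof(backing), backing },
        { (USHORT)(23 * sizeof(wchar_t)), (USHORT)sizeof(other), other } };
    return HasRight(rights, 2, L"SeServiceLogonRight") | HasRight(rights, 2, L"SeServiceLogonRightXYZ") << 1;
}
```

SampleAudit() returns 1: the byte-counted entry matches SeServiceLogonRight and does not match the longer name that shares its buffer.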