Partager via


3.1.4.7.4 LsarDeleteTrustedDomain (Opnum 41)

The LsarDeleteTrustedDomain method is invoked to delete a trusted domain object (TDO).

 NTSTATUS LsarDeleteTrustedDomain(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] PRPC_SID TrustedDomainSid
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

TrustedDomainSid: A security descriptor of the TDO to be deleted.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC00000DF

STATUS_NO_SUCH_DOMAIN

The specified TDO does not exist.

0xC000000D

STATUS_INVALID_PARAMETER

One or more of the supplied parameters was invalid.

0xC0000008

STATUS_INVALID_HANDLE

PolicyHandle is not a valid handle.

0xC00002B1

STATUS_DIRECTORY_SERVICE_REQUIRED

The Active Directory service was not available on the server.

0xC0000403

STATUS_USER_DELETE_TRUST_QUOTA_EXCEEDED

The caller's quota for the maximum allowed number of deleted TDOs is exceeded.

Processing:

If Active Directory is not running on this machine, the server MUST return STATUS_DIRECTORY_SERVICE_REQUIRED.

If the number of deleted TDOs that were created by the caller through the control access right Create-Inbound-Trust (defined in [MS-ADTS] section 5.1.3.2.1) exceeds the value in the msDS-PerUserTrustTombstonesQuota attribute of the domain naming context (domain NC) root object (defined in [MS-ADTS] section 6.1.1.1.4), the server MUST return STATUS_USER_DELETE_TRUST_QUOTA_EXCEEDED. For the syntax of the msDS-PerUserTrustTombstonesQuota attribute, refer to [MS-ADA2] section 2.424. The server MUST enforce the quota check only for the TDOs created by control access right Create-Inbound-Trust and if the caller is the creator of that TDO.

This message takes two arguments:

PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to TRUSTED_QUERY_DOMAIN_NAME | DELETE.

TrustedDomainSid: The SID of a TDO to be deleted. The server MUST verify that the caller has supplied a valid domain SID for this parameter and fail the request with STATUS_INVALID_PARAMETER if the check fails. The server MUST verify that a TDO with this SID exists in its policy database and fail the request with STATUS_NO_SUCH_DOMAIN otherwise.

 If the server is a read-only domain controller, it MUST return an error.<99>

The server MUST also check whether a secret with name "G$$<Trusted Domain Name>" exists or not. If it exists, the server MUST delete that secret along with the trusted domain.

The server MUST also check whether an interdomain trust account with name "<Trusted Domain NetBIOS Name>$" exists. If it exists, the server MUST delete that account along with the trusted domain.