Compartilhar via


3.1.4.9.2 LsarSetSecurityObject (Opnum 4)

The LsarSetSecurityObject method is invoked to set a security descriptor on an object.

 NTSTATUS LsarSetSecurityObject(
   [in] LSAPR_HANDLE ObjectHandle,
   [in] SECURITY_INFORMATION SecurityInformation,
   [in] PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor
 );

ObjectHandle: An open handle to an existing object.

SecurityInformation: A bitmask specifying which portions of the security descriptor are to be set.

SecurityDescriptor: The security descriptor to be set.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC000009A

STATUS_INSUFFICIENT_RESOURCES

There are insufficient resources to complete the request.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC0000079

STATUS_INVALID_SECURITY_DESCR

The supplied security descriptor is invalid.

0xC000000D

STATUS_INVALID_PARAMETER

One of the parameters supplied was invalid. For instance, SecurityDescriptor is NULL.

0xC00000BB

STATUS_NOT_SUPPORTED

The operation is not supported for this object.

0xC0000008

STATUS_INVALID_HANDLE

ObjectHandle is not a valid handle.

Processing:

This message takes three arguments:

ObjectHandle: Can be an open handle of any type. If the handle is not a valid context handle to an object or ObjectHandle.PolicyType is not one of the following:

The server MUST return STATUS_INVALID_HANDLE. The access required for a successful completion of this request depends on the SecurityInformation parameter. The server MUST verify that ObjectHandle grants access as specified in section 3.1.4.2.2. The following pseudocode specifies the RequiredAccess value to use in this access check.

 Set RequiredAccess equal to 0
 IF ((SecurityInformation & OWNER_SECURITY_INFORMATION) || (SecurityInformation & GROUP_SECURITY_INFORMATION) || (SecurityInformation & DACL_SECURITY_INFORMATION)) THEN
     RequiredAccess |= READ_CONTROL
 END IF
 IF (SecurityInformation & SACL_SECURITY_INFORMATION) THEN
     RequiredAccess |= ACCESS_SYSTEM_SECURITY
 END IF

SecurityInformation: A set of bits specifying which portions of the security descriptor the caller is interested in setting. The various bits and the associated access rights are specified in section 2.2.1.3.

SecurityDescriptor: Expects a valid self-relative security descriptor that the caller is trying to set. If this security descriptor is invalid, the server MUST return the STATUS_INVALID_SECURITY_DESCR status code. If the security descriptor is NULL, the server MUST return STATUS_INVALID_PARAMETER.

It is valid for the server to not support this method for all object types.<113>

The server MUST return STATUS_INSUFFICIENT_RESOURCES if it runs out of memory while servicing the request.