3.1.4.5.1 LsarCreateAccount (Opnum 10)

The LsarCreateAccount method is invoked to create a new account object in the server's database.

 NTSTATUS LsarCreateAccount(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] PRPC_SID AccountSid,
   [in] ACCESS_MASK DesiredAccess,
   [out] LSAPR_HANDLE* AccountHandle
 );

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

AccountSid: The security identifier (SID) of the account to be created.

DesiredAccess: A bitmask specifying accesses to be granted to the newly created and opened account at this time.

AccountHandle: Used to return a handle to the newly created account object.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code                          Description
-----------------------------------------  ---------------------------------------------------------------
0x00000000  STATUS_SUCCESS                 The request was successfully completed.
0xC0000022  STATUS_ACCESS_DENIED           The caller does not have the permissions to perform this operation.
0xC0000035  STATUS_OBJECT_NAME_COLLISION   An account with this SID already exists.
0xC0000008  STATUS_INVALID_HANDLE          PolicyHandle is not a valid handle.
0xC000000D  STATUS_INVALID_PARAMETER       Some of the parameters supplied were invalid.

Processing:

This message takes four arguments:

PolicyHandle: A handle to an open policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to POLICY_CREATE_ACCOUNT.

AccountSid: The SID of the account to be created. The server MUST validate that AccountSid represents a valid SID and fail the request with STATUS_INVALID_PARAMETER if it is not.<70>

DesiredAccess: A set of access bits that the caller attempts to receive from the account object after it has been created, which is access-checked according to section 3.1.4.2.2. The method-specific portion of the check is the following.

 IF (IsRequestorAnonymous() and LsaRestrictAnonymous is set to TRUE) THEN
     Return STATUS_OBJECT_NAME_NOT_FOUND
 END IF

The valid account-rights bits are specified in section 2.2.1.1.3, and the security descriptor is specified in section 3.1.1.3. The IsRequestorAnonymous procedure is specified in section 3.1.4.2.3.

AccountHandle: If the request is successful, the server MUST create and return a context handle (section 3.1.1.7) via AccountHandle, with its fields initialized as follows:

  • LsaContextHandle.HandleType = "Account"

  • LsaContextHandle.Object = the account object

  • LsaContextHandle.GrantedAccess = as specified in section 3.1.4.2.1

This mechanism allows the caller to skip the additional step of opening the account object after creating it.

The server MUST check whether another account object already exists in its policy database with the same SID, and fail the request with STATUS_OBJECT_NAME_COLLISION if it does.

The server MUST associate a security descriptor with a newly created account object. See section 3.1.1.3 for the data model of this object type.
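The following is an added model (not part of the specification) of the server-side processing described above, applying the checks in the order given: handle type, POLICY_CREATE_ACCOUNT access, SID validity, the anonymous-requestor rule, SID collision, and finally construction of the returned context handle. The LsaServer and LsaContextHandle classes, the string-based SID check, and the simplified GrantedAccess computation are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# NTSTATUS codes named in this section (STATUS_OBJECT_NAME_NOT_FOUND from the anonymous rule)
STATUS_SUCCESS               = 0x00000000
STATUS_ACCESS_DENIED         = 0xC0000022
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_OBJECT_NAME_COLLISION = 0xC0000035
STATUS_INVALID_HANDLE        = 0xC0000008
STATUS_INVALID_PARAMETER     = 0xC000000D
POLICY_CREATE_ACCOUNT        = 0x00000010   # policy access bit, value taken from MS-LSAD

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")

def is_valid_sid(sid: str) -> bool:
    """Accept only revision-1 SIDs with at most 15 sub-authorities (assumed validity rule)."""
    if not isinstance(sid, str) or not _SID_RE.match(sid):
        return False
    sub_auths = sid.split("-")[3:]
    return len(sub_auths) <= 15 and all(int(s) <= 0xFFFFFFFF for s in sub_auths)

@dataclass
class LsaContextHandle:
    handle_type: str            # "Policy" or "Account" (LsaContextHandle.HandleType)
    obj: object                 # LsaContextHandle.Object
    granted_access: int         # LsaContextHandle.GrantedAccess
    anonymous: bool = False     # stands in for IsRequestorAnonymous()

@dataclass
class LsaServer:
    accounts: dict = field(default_factory=dict)   # policy database: SID -> account object
    restrict_anonymous: bool = False                # LsaRestrictAnonymous setting

    def create_account(self, policy_handle, account_sid, desired_access):
        """Return (NTSTATUS, AccountHandle-or-None) following the section's processing rules."""
        if not isinstance(policy_handle, LsaContextHandle) or policy_handle.handle_type != "Policy":
            return STATUS_INVALID_HANDLE, None
        if not policy_handle.granted_access & POLICY_CREATE_ACCOUNT:   # section 3.1.4.2.2 check
            return STATUS_ACCESS_DENIED, None
        if not is_valid_sid(account_sid):
            return STATUS_INVALID_PARAMETER, None
        if policy_handle.anonymous and self.restrict_anonymous:       # method-specific check
            return STATUS_OBJECT_NAME_NOT_FOUND, None
        if account_sid in self.accounts:
            return STATUS_OBJECT_NAME_COLLISION, None
        account = {"sid": account_sid, "security_descriptor": "<default SD per section 3.1.1.3>"}
        self.accounts[account_sid] = account
        # GrantedAccess simplified to DesiredAccess; the real rule is in section 3.1.4.2.1
        handle = LsaContextHandle("Account", account, desired_access, policy_handle.anonymous)
        return STATUS_SUCCESS, handle
```

Because the returned handle is already open with the granted access, a client needs no follow-up LsarOpenAccount call, which is the shortcut the section describes.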