3.1.4.5.6 LsarRemovePrivilegesFromAccount (Opnum 20)

The LsarRemovePrivilegesFromAccount method is invoked to remove privileges from an account object.

 NTSTATUS LsarRemovePrivilegesFromAccount(
   [in] LSAPR_HANDLE AccountHandle,
   [in] unsigned char AllPrivileges,
   [in, unique] PLSAPR_PRIVILEGE_SET Privileges
 );

AccountHandle: An open account object handle obtained from either LsarCreateAccount (section 3.1.4.5.1) or LsarOpenAccount (section 3.1.4.5.3).

AllPrivileges: If this parameter is not FALSE (0), all privileges will be stripped from the account object.

Privileges: Contains a (possibly empty) list of privileges to remove from the account object.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

Description

0x00000000

STATUS_SUCCESS

The request was successfully completed.

0xC0000022

STATUS_ACCESS_DENIED

The caller does not have the permissions to perform this operation.

0xC000000D

STATUS_INVALID_PARAMETER

Some of the parameters supplied were invalid.

0xC0000008

STATUS_INVALID_HANDLE

AccountHandle is not a valid handle.

Processing:

This message takes three arguments:

AccountHandle: An open handle to an account object. If the handle is not a valid context handle to an account object or AccountHandle.HandleType does not equal "Account", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that AccountHandle grants access as specified in section 3.1.4.2.2 with RequiredAccess set to ACCOUNT_ADJUST_PRIVILEGES.

AllPrivileges: A Boolean value; if not FALSE (0), all privileges associated with the account are removed. In this case, the server MUST check that the Privileges parameter is NULL, and fail the request with STATUS_INVALID_PARAMETER otherwise.

Privileges: If AllPrivileges is FALSE (0), this parameter cannot be NULL. It will be used to remove Privileges from the account object. The server MUST verify that Privileges is not NULL and fail the request with STATUS_INVALID_PARAMETER otherwise.<62>