LsarRemovePrivilegesFromAccount (Opnum 20)

The LsarRemovePrivilegesFromAccount method is invoked to remove privileges from an account object.

 NTSTATUS LsarRemovePrivilegesFromAccount(
   [in] LSAPR_HANDLE AccountHandle,
   [in] unsigned char AllPrivileges,
   [in, unique] PLSAPR_PRIVILEGE_SET Privileges
 );

AccountHandle: An open account object handle obtained from either LsarCreateAccount or LsarOpenAccount.

AllPrivileges: If this parameter is not FALSE (0), all privileges will be stripped from the account object.

Privileges: Contains a (possibly empty) list of privileges to remove from the account object.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code

The request was successfully completed.

The caller does not have the permissions to perform this operation.

Some of the parameters supplied were invalid.

AccountHandle is not a valid handle.

This message takes three arguments:

AccountHandle: An open handle to an account object. If the handle is not a valid context handle to an account object or AccountHandle.HandleType does not equal "Account", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that AccountHandle grants access as specified in section with RequiredAccess set to ACCOUNT_ADJUST_PRIVILEGES.

AllPrivileges: A Boolean value; if not FALSE (0), all privileges associated with the account are removed. In this case, the server MUST check that the Privileges parameter is NULL, and fail the request with STATUS_INVALID_PARAMETER otherwise.

Privileges: If AllPrivileges is FALSE (0), this parameter cannot be NULL. It will be used to remove Privileges from the account object. The server MUST verify that Privileges is not NULL and fail the request with STATUS_INVALID_PARAMETER otherwise.<62>
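
The following C sketch is an added example, not code from the specification or from any Windows implementation. It models the three argument checks described above and then the removal itself. The struct and function names, the 8-entry privilege array, and the order in which the checks run are assumptions made for illustration; the NTSTATUS and access-mask values are the standard constants.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard NTSTATUS codes and the LSA account access right. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_HANDLE     0xC0000008u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_ACCESS_DENIED      0xC0000022u
#define ACCOUNT_ADJUST_PRIVILEGES 0x00000002u

/* Hypothetical in-memory model; these are not the wire types. */
enum handle_type { HANDLE_POLICY, HANDLE_ACCOUNT };
struct priv_set { uint32_t count; uint64_t luid[8]; };
struct account  { struct priv_set privs; };
struct handle   { enum handle_type type; uint32_t granted; struct account *obj; };

/* Remove one LUID from the set if present (order is not preserved). */
static void drop_luid(struct priv_set *s, uint64_t luid) {
    for (uint32_t i = 0; i < s->count; i++)
        if (s->luid[i] == luid) { s->luid[i] = s->luid[--s->count]; return; }
}

uint32_t remove_privileges(struct handle *h, unsigned char all,
                           const struct priv_set *privs) {
    /* AccountHandle: must be a valid handle of type "Account". */
    if (h == NULL || h->type != HANDLE_ACCOUNT || h->obj == NULL)
        return STATUS_INVALID_HANDLE;
    /* The handle must have been opened with ACCOUNT_ADJUST_PRIVILEGES. */
    if ((h->granted & ACCOUNT_ADJUST_PRIVILEGES) == 0)
        return STATUS_ACCESS_DENIED;
    if (all) {
        /* AllPrivileges set: Privileges MUST be NULL. */
        if (privs != NULL) return STATUS_INVALID_PARAMETER;
        h->obj->privs.count = 0;
        return STATUS_SUCCESS;
    }
    /* AllPrivileges clear: Privileges MUST NOT be NULL (may be empty). */
    if (privs == NULL) return STATUS_INVALID_PARAMETER;
    if (privs->count > 8) return STATUS_INVALID_PARAMETER; /* model-only bound */
    for (uint32_t i = 0; i < privs->count; i++)
        drop_luid(&h->obj->privs, privs->luid[i]);
    return STATUS_SUCCESS;
}
```

Rejecting a non-NULL Privileges when AllPrivileges is set, and a NULL Privileges when it is clear, means every accepted request states its intent in exactly one way, so a malformed call cannot silently strip or retain privileges.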