ntsecapi.h header

This header is used by Security and Identity. For more information, see:

ntsecapi.h contains the following programming interfaces:

Functions

 
AuditComputeEffectivePolicyBySid

Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy.
AuditComputeEffectivePolicyByToken

Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy.
AuditEnumerateCategories

Enumerates the available audit-policy categories.
AuditEnumeratePerUserPolicy

Enumerates users for whom per-user auditing policy is specified.
AuditEnumerateSubCategories

Enumerates the available audit-policy subcategories.
AuditFree

Frees the memory allocated by audit functions for the specified buffer.
AuditLookupCategoryGuidFromCategoryId

Retrieves a GUID structure that represents the specified audit-policy category.
AuditLookupCategoryIdFromCategoryGuid

Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category.
AuditLookupCategoryNameA

Retrieves the display name of the specified audit-policy category.
AuditLookupCategoryNameW

Retrieves the display name of the specified audit-policy category.
AuditLookupSubCategoryNameA

Retrieves the display name of the specified audit-policy subcategory.
AuditLookupSubCategoryNameW

Retrieves the display name of the specified audit-policy subcategory.
AuditQueryGlobalSaclA

Retrieves a global system access control list (SACL) that delegates access to the audit messages.
AuditQueryGlobalSaclW

Retrieves a global system access control list (SACL) that delegates access to the audit messages.
AuditQueryPerUserPolicy

Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal.
AuditQuerySecurity

Retrieves security descriptor that delegates access to audit policy.
AuditQuerySystemPolicy

Retrieves system audit policy for one or more audit-policy subcategories.
AuditSetGlobalSaclA

Sets a global system access control list (SACL) that delegates access to the audit messages.
AuditSetGlobalSaclW

Sets a global system access control list (SACL) that delegates access to the audit messages.
AuditSetPerUserPolicy

Sets per-user audit policy in one or more audit subcategories for the specified principal.
AuditSetSecurity

Sets a security descriptor that delegates access to audit policy.
AuditSetSystemPolicy

Sets system audit policy for one or more audit-policy subcategories.
LsaAddAccountRights

Assigns one or more privileges to an account.
LsaCallAuthenticationPackage

Used by a logon application to communicate with an authentication package.
LsaClose

The LsaClose function closes a handle to a Policy or TrustedDomain object.
LsaConnectUntrusted

Establishes an untrusted connection to the LSA server.
LsaCreateTrustedDomainEx

The LsaCreateTrustedDomainEx function establishes a new trusted domain by creating a new TrustedDomain object.
LsaDeleteTrustedDomain

The LsaDeleteTrustedDomain function removes a trusted domain from the list of trusted domains for a system and deletes the associated TrustedDomain object.
LsaDeregisterLogonProcess

Deletes the caller's logon application context and closes the connection to the LSA server.
LsaEnumerateAccountRights

The LsaEnumerateAccountRights function enumerates the privileges assigned to an account.
LsaEnumerateAccountsWithUserRight

Returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a specified privilege.
LsaEnumerateLogonSessions

Retrieves the set of existing logon session identifiers (LUIDs) and the number of sessions.
LsaEnumerateTrustedDomains

The LsaEnumerateTrustedDomains function retrieves the names and SIDs of domains trusted to authenticate logon credentials.
LsaEnumerateTrustedDomainsEx

Returns information about the domains trusted by the local system.
LsaFreeMemory

The LsaFreeMemory function frees memory allocated for an output buffer by an LSA function call.
LsaFreeReturnBuffer

Frees the memory used by a buffer previously allocated by the LSA.
LsaGetLogonSessionData

Retrieves information about a specified logon session.
LsaLogonUser

Authenticates a security principal's logon data by using stored credentials information.
LsaLookupAuthenticationPackage

Obtains the unique identifier of an authentication package.
LsaLookupNames

Retrieves the security identifiers (SIDs) that correspond to an array of user, group, or local group names.
LsaLookupNames2

Retrieves the security identifiers (SIDs) for specified account names. LsaLookupNames2 can look up the SID for any account in any domain in a Windows forest.
LsaLookupSids

Looks up the names that correspond to an array of security identifiers (SIDs). If LsaLookupSids cannot find a name that corresponds to a SID, the function returns the SID in character form.
LsaLookupSids2

Looks up the names that correspond to an array of security identifiers (SIDs) and supports Internet provider identities. If LsaLookupSids2 cannot find a name that corresponds to a SID, the function returns the SID in character form.
LsaNtStatusToWinError

The LsaNtStatusToWinError function converts an NTSTATUS code returned by an LSA function to a Windows error code.
LsaOpenPolicy

Opens a handle to the Policy object on a local or remote system.
LsaOpenTrustedDomainByName

The LsaOpenTrustedDomainByName function opens the LSA policy handle of a remote trusted domain. You can pass this handle into LSA function calls in order to set or query the LSA policy of the remote machine.
LsaQueryDomainInformationPolicy

Retrieves domain information from the Policyobject.
LsaQueryForestTrustInformation

Retrieves forest trust information for the specified Local Security Authority�TrustedDomain object.
LsaQueryInformationPolicy

Retrieves information about a Policy object.
LsaQueryTrustedDomainInfo

The LsaQueryTrustedDomainInfo function retrieves information about a trusted domain.
LsaQueryTrustedDomainInfoByName

The LsaQueryTrustedDomainInfoByName function returns information about a trusted domain.
LsaRegisterLogonProcess

Establishes a connection to the LSA server and verifies that the caller is a logon application.
LsaRegisterPolicyChangeNotification

The LsaRegisterPolicyChangeNotification function registers an event handle with the local security authority (LSA). This event handle is signaled whenever the indicated LSA policy is modified.
LsaRemoveAccountRights

Removes one or more privileges from an account.
LsaRetrievePrivateData

Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions.
LsaSetDomainInformationPolicy

Sets domain information to the Policyobject.
LsaSetForestTrustInformation

Sets the forest trust information for a specified Local Security Authority�TrustedDomain object.
LsaSetInformationPolicy

Modifies information in a Policy object.
LsaSetTrustedDomainInfoByName

The LsaSetTrustedDomainInfoByName function sets values for a TrustedDomain object.
LsaSetTrustedDomainInformation

The LsaSetTrustedDomainInformation function modifies a Policy object's information about a trusted domain.
LsaStorePrivateData

Do not use the LSA private data functions. Instead, use the CryptProtectData and CryptUnprotectData functions.
LsaUnregisterPolicyChangeNotification

The LsaUnregisterPolicyChangeNotification function disables a previously registered notification event.
RtlDecryptMemory

Decrypts memory contents previously encrypted by the RtlEncryptMemory function.
RtlEncryptMemory

Encrypts memory contents.
RtlGenRandom

Generates a pseudo-random number.

Callback functions

 
PSAM_INIT_NOTIFICATION_ROUTINE

The InitializeChangeNotify function is implemented by a password filter DLL. This function initializes the DLL.
PSAM_PASSWORD_FILTER_ROUTINE

Implemented by a password filter DLL. The value returned by this function determines whether the new password is accepted by the system.
PSAM_PASSWORD_NOTIFICATION_ROUTINE

Is implemented by a password filter DLL. It notifies the DLL that a password was changed.

Structures

 
AUDIT_POLICY_INFORMATION

Specifies a security event type and when to audit that type.
DOMAIN_PASSWORD_INFORMATION

Contains information about a domain's password policy, such as the minimum length for passwords and how unique passwords must be.
KERB_ADD_BINDING_CACHE_ENTRY_EX_REQUEST

Allows the user to bind to a specific domain controller (DC), overriding the Kerberos domain binding cache.
KERB_ADD_BINDING_CACHE_ENTRY_REQUEST

Specifies a message to add a binding cache entry.
KERB_ADD_CREDENTIALS_REQUEST

Specifies a message to add, remove, or replace an extra server credential for a logon session.
KERB_ADD_CREDENTIALS_REQUEST_EX

Specifies a message to add, remove, or replace an extra server credential for a logon session, and the service principal names (SPNs) to be associated with that credential.
KERB_BINDING_CACHE_ENTRY_DATA

Specifies the data for the binding cache entry.
KERB_CERTIFICATE_HASHINFO

Provides the payload information of the certificate hash.
KERB_CERTIFICATE_INFO

Contains the certificate information.
KERB_CERTIFICATE_LOGON

Contains information about a smart card logon session.
KERB_CERTIFICATE_S4U_LOGON

Contains information about the certificate for a service for user (S4U) logon.
KERB_CERTIFICATE_UNLOCK_LOGON

Contains information used to unlock a workstation that has been locked during an interactive smart card logon session.
KERB_CHANGEPASSWORD_REQUEST

Contains information used to change a password.
KERB_CLEANUP_MACHINE_PKINIT_CREDS_REQUEST

Cleans up the PKINIT device credentials from the computer.
KERB_CRYPTO_KEY

Contains information about a Kerberos cryptographic session key.
KERB_EXTERNAL_NAME

Contains information about an external name.
KERB_EXTERNAL_TICKET

Contains information about an external ticket.
KERB_INTERACTIVE_LOGON

Contains information about an interactive logon session.
KERB_INTERACTIVE_PROFILE

The KERB_INTERACTIVE_PROFILE structure contains information about an interactive logon profile. This structure is used by the LsaLogonUser function.
KERB_INTERACTIVE_UNLOCK_LOGON

Contains information used to unlock a workstation that has been locked during an interactive logon session.
KERB_PURGE_BINDING_CACHE_REQUEST

Deletes the request for the binding cache.
KERB_PURGE_TKT_CACHE_REQUEST

Contains information used to delete entries from the ticket cache.
KERB_QUERY_BINDING_CACHE_REQUEST

Contains information used to query the binding cache.
KERB_QUERY_BINDING_CACHE_RESPONSE

Contains the results of querying the binding cache.
KERB_QUERY_DOMAIN_EXTENDED_POLICIES_REQUEST

Contains information used to query the domain for the extended policies.
KERB_QUERY_DOMAIN_EXTENDED_POLICIES_RESPONSE

Contains the results of querying for the extended policies of the specified domain.
KERB_QUERY_TKT_CACHE_REQUEST

Contains information used to query the ticket cache.
KERB_QUERY_TKT_CACHE_RESPONSE

Contains the results of querying the ticket cache.
KERB_RETRIEVE_TKT_REQUEST

Contains information used to retrieve a ticket.
KERB_RETRIEVE_TKT_RESPONSE

Contains the response from retrieving a ticket.
KERB_S4U_LOGON

Contains information about a service for user (S4U) logon.
KERB_SMART_CARD_LOGON

Contains information about a smart card logon session.
KERB_SMART_CARD_UNLOCK_LOGON

Contains information used to unlock a workstation that has been locked during a smart card logon session.
KERB_TICKET_CACHE_INFO

Contains information about a cached Kerberos ticket. The Kerberos ticket is defined in Internet RFC 4120. For more information, see http://www.ietf.org.
KERB_TICKET_LOGON

Contains profile information for a network logon.
KERB_TICKET_PROFILE

The KERB_TICKET_PROFILE structure contains information about an interactive logon profile. This structure is returned by LsaLogonUser.
KERB_TICKET_UNLOCK_LOGON

Contains information to unlock a workstation.
LSA_AUTH_INFORMATION

The LSA_AUTH_INFORMATION structure contains authentication information for a trusted domain.
LSA_ENUMERATION_INFORMATION

The LSA_ENUMERATION_INFORMATION structure is used with the LsaEnumerateAccountsWithUserRight function to return a pointer to a SID.
LSA_FOREST_TRUST_BINARY_DATA

Contains binary data used in Local Security Authority forest trust operations.
LSA_FOREST_TRUST_COLLISION_INFORMATION

Contains information about Local Security Authority forest trust collisions.
LSA_FOREST_TRUST_COLLISION_RECORD

Contains information about a Local Security Authority forest trust collision.
LSA_FOREST_TRUST_DOMAIN_INFO

Contains identifying information for a domain.
LSA_FOREST_TRUST_INFORMATION

Contains Local Security Authority forest trust information.
LSA_FOREST_TRUST_RECORD

Represents a Local Security Authority forest trust record.
LSA_LAST_INTER_LOGON_INFO

Contains information about a logon session.
LSA_TRANSLATED_SID

Used with the LsaLookupNames function to return information about the SID that identifies an account.
MSV1_0_INTERACTIVE_LOGON

Contains information about an interactive logon.
MSV1_0_INTERACTIVE_PROFILE

The MSV1_0_INTERACTIVE_PROFILE structure contains information about an interactive logon profile. This structure is used by the LsaLogonUser function.
MSV1_0_LM20_LOGON

Contains logon information used in network logons.
MSV1_0_LM20_LOGON_PROFILE

Contains information about a network logon session.
MSV1_0_SUBAUTH_LOGON

Used by subauthentication DLLs.
MSV1_0_SUBAUTH_REQUEST

Contains information to pass to an subauthentication package.
MSV1_0_SUBAUTH_RESPONSE

Contains the response from a subauthentication package.
MSV1_0_SUPPLEMENTAL_CREDENTIAL

The MSV1_0_SUPPLEMENTAL_CREDENTIAL structure is used to pass credentials into MSV1_0 from Kerberos or custom authentication package.
PKU2U_CERT_BLOB

Specifies PKU2U certificate data.
PKU2U_CERTIFICATE_S4U_LOGON

Specifies a certificate used for S4U logon.
PKU2U_CREDUI_CONTEXT

Specifies a PKU2U client context.
POLICY_AUDIT_EVENTS_INFO

The POLICY_AUDIT_EVENTS_INFO structure is used to set and query the system's auditing rules.
POLICY_AUDIT_SID_ARRAY

Specifies an array of SID structures that represent Windows users or groups.
POLICY_LSA_SERVER_ROLE_INFO

Used to set and query the role of an LSA server.
POLICY_MODIFICATION_INFO

The POLICY_MODIFICATION_INFO structure is used to query information about the creation time and last modification of the LSA database.
POLICY_PRIMARY_DOMAIN_INFO

The PolicyPrimaryDomainInformation value and POLICY_PRIMARY_DOMAIN_INFO structure are obsolete. Use the PolicyDnsDomainInformation and POLICY_DNS_DOMAIN_INFO structure instead.
SECURITY_LOGON_SESSION_DATA

Contains information about a logon session.
TRUSTED_DOMAIN_AUTH_INFORMATION

The TRUSTED_DOMAIN_AUTH_INFORMATION structure is used to retrieve authentication information for a trusted domain. The LsaQueryTrustedDomainInfo function uses this structure when its InformationClass parameter is set to TrustedDomainAuthInformation.
TRUSTED_DOMAIN_FULL_INFORMATION

Used to retrieve complete information about a trusted domain.
TRUSTED_DOMAIN_INFORMATION_EX

Used to retrieve extended information about a trusted domain.
TRUSTED_DOMAIN_NAME_INFO

Used to query or set the name of a trusted domain.
TRUSTED_PASSWORD_INFO

The TRUSTED_PASSWORD_INFO structure is used to query or set the password for a trusted domain.
TRUSTED_POSIX_OFFSET_INFO

Used to query or set the value used to generate Posix user and group identifiers.

Enumerations

 
KERB_CERTIFICATE_INFO_TYPE

Specifies the type of certificate information that is provided.
KERB_LOGON_SUBMIT_TYPE

Identifies the type of logon being requested.
KERB_PROFILE_BUFFER_TYPE

Lists the type of logon profile returned.
KERB_PROTOCOL_MESSAGE_TYPE

Lists the types of messages that can be sent to the Kerberos authentication package by calling the LsaCallAuthenticationPackage function.
LSA_FOREST_TRUST_COLLISION_RECORD_TYPE

Defines the types of collision that can occur between Local Security Authority forest trust records.
LSA_FOREST_TRUST_RECORD_TYPE

Defines the type of a Local Security Authority forest trust record.
MSV1_0_LOGON_SUBMIT_TYPE

Indicates the kind of logon being requested.
MSV1_0_PROFILE_BUFFER_TYPE

Lists the kind of logon profile returned.
MSV1_0_PROTOCOL_MESSAGE_TYPE

Lists the types of messages that can be sent to the MSV1_0 Authentication Package by calling the LsaCallAuthenticationPackage function.
PKU2U_LOGON_SUBMIT_TYPE

Indicates the type of logon message passed in a PKU2U_CERTIFICATE_S4U_LOGON structure.
POLICY_AUDIT_EVENT_TYPE

The POLICY_AUDIT_EVENT_TYPE enumeration defines values that indicate the types of events the system can audit.
POLICY_DOMAIN_INFORMATION_CLASS

Defines the type of policy domain information.
POLICY_INFORMATION_CLASS

Defines values that indicate the type of information to set or query in a Policy object.
POLICY_LSA_SERVER_ROLE

Defines values that indicate the role of an LSA server.
POLICY_NOTIFICATION_INFORMATION_CLASS

The POLICY_NOTIFICATION_INFORMATION_CLASS enumeration defines the types of policy information and policy domain information for which your application can request notification of changes.
POLICY_SERVER_ENABLE_STATE

The POLICY_SERVER_ENABLE_STATE enumeration represents the state of the LSA server�that is, whether it is enabled or disabled. Some operations may only be performed on an enabled LSA server.
SECURITY_LOGON_TYPE

Indicates the type of logon requested by a logon process.
TRUSTED_INFORMATION_CLASS

The TRUSTED_INFORMATION_CLASS enumeration type defines values that indicate the type of information to set or query for a trusted domain.