ntsecapi.h header
This header is used by Security and Identity. For more information, see:
ntsecapi.h contains the following programming interfaces:
Functions
| AuditComputeEffectivePolicyBySid Computes the effective audit policy for one or more subcategories for the specified security principal. The function computes effective audit policy by combining system audit policy with per-user policy. |
| AuditComputeEffectivePolicyByToken Computes the effective audit policy for one or more subcategories for the security principal associated with the specified token. The function computes effective audit policy by combining system audit policy with per-user policy. |
| AuditEnumerateCategories Enumerates the available audit-policy categories. |
| AuditEnumeratePerUserPolicy Enumerates users for whom per-user auditing policy is specified. |
| AuditEnumerateSubCategories Enumerates the available audit-policy subcategories. |
| AuditFree Frees the memory allocated by audit functions for the specified buffer. |
| AuditLookupCategoryGuidFromCategoryId Retrieves a GUID structure that represents the specified audit-policy category. |
| AuditLookupCategoryIdFromCategoryGuid Retrieves an element of the POLICY_AUDIT_EVENT_TYPE enumeration that represents the specified audit-policy category. |
| AuditLookupCategoryNameA Retrieves the display name of the specified audit-policy category. (ANSI) |
| AuditLookupCategoryNameW Retrieves the display name of the specified audit-policy category. (Unicode) |
| AuditLookupSubCategoryNameA Retrieves the display name of the specified audit-policy subcategory. (ANSI) |
| AuditLookupSubCategoryNameW Retrieves the display name of the specified audit-policy subcategory. (Unicode) |
| AuditQueryGlobalSaclA Retrieves a global system access control list (SACL) that delegates access to the audit messages. (ANSI) |
| AuditQueryGlobalSaclW Retrieves a global system access control list (SACL) that delegates access to the audit messages. (Unicode) |
| AuditQueryPerUserPolicy Retrieves per-user audit policy in one or more audit-policy subcategories for the specified principal. |
| AuditQuerySecurity Retrieves security descriptor that delegates access to audit policy. |
| AuditQuerySystemPolicy Retrieves system audit policy for one or more audit-policy subcategories. |
| AuditSetGlobalSaclA Sets a global system access control list (SACL) that delegates access to the audit messages. (ANSI) |
| AuditSetGlobalSaclW Sets a global system access control list (SACL) that delegates access to the audit messages. (Unicode) |
| AuditSetPerUserPolicy Sets per-user audit policy in one or more audit subcategories for the specified principal. |
| AuditSetSecurity Sets a security descriptor that delegates access to audit policy. |
| AuditSetSystemPolicy Sets system audit policy for one or more audit-policy subcategories. |
| LsaAddAccountRights Assigns one or more privileges to an account. |
| LsaCallAuthenticationPackage Used by a logon application to communicate with an authentication package. |
| LsaClose The LsaClose function closes a handle to a Policy or TrustedDomain object. |
| LsaConnectUntrusted Establishes an untrusted connection to the LSA server. |
| LsaCreateTrustedDomainEx The LsaCreateTrustedDomainEx function establishes a new trusted domain by creating a new TrustedDomain object. |
| LsaDeleteTrustedDomain The LsaDeleteTrustedDomain function removes a trusted domain from the list of trusted domains for a system and deletes the associated TrustedDomain object. |
| LsaDeregisterLogonProcess Deletes the caller's logon application context and closes the connection to the LSA server. |
| LsaEnumerateAccountRights The LsaEnumerateAccountRights function enumerates the privileges assigned to an account. |
| LsaEnumerateAccountsWithUserRight Returns the accounts in the database of a Local Security Authority (LSA) Policy object that hold a specified privilege. |
| LsaEnumerateLogonSessions Retrieves the set of existing logon session identifiers (LUIDs) and the number of sessions. |
| LsaEnumerateTrustedDomains The LsaEnumerateTrustedDomains function retrieves the names and SIDs of domains trusted to authenticate logon credentials. |
| LsaEnumerateTrustedDomainsEx Returns information about the domains trusted by the local system. |
| LsaFreeMemory The LsaFreeMemory function frees memory allocated for an output buffer by an LSA function call. |
| LsaFreeReturnBuffer Frees the memory used by a buffer previously allocated by the LSA. |
| LsaGetLogonSessionData Retrieves information about a specified logon session. |
| LsaLogonUser Authenticates a security principal's logon data by using stored credentials information. |
| LsaLookupAuthenticationPackage Obtains the unique identifier of an authentication package. |
| LsaLookupNames Retrieves the security identifiers (SIDs) that correspond to an array of user, group, or local group names. |
| LsaLookupNames2 Retrieves the security identifiers (SIDs) for specified account names. LsaLookupNames2 can look up the SID for any account in any domain in a Windows forest. |
| LsaLookupSids Looks up the names that correspond to an array of security identifiers (SIDs). If LsaLookupSids cannot find a name that corresponds to a SID, the function returns the SID in character form. |
| LsaLookupSids2 Looks up the names that correspond to an array of security identifiers (SIDs) and supports Internet provider identities. If LsaLookupSids2 cannot find a name that corresponds to a SID, the function returns the SID in character form. |
| LsaNtStatusToWinError The LsaNtStatusToWinError function converts an NTSTATUS code returned by an LSA function to a Windows error code. |
| LsaOpenPolicy Opens a handle to the Policy object on a local or remote system. |
| LsaOpenTrustedDomainByName The LsaOpenTrustedDomainByName function opens the LSA policy handle of a remote trusted domain. You can pass this handle into LSA function calls in order to set or query the LSA policy of the remote machine. |
| LsaQueryDomainInformationPolicy Retrieves domain information from the Policyobject. |
| LsaQueryForestTrustInformation Retrieves forest trust information for the specified Local Security Authority�TrustedDomain object. |
| LsaQueryInformationPolicy Retrieves information about a Policy object. |
| LsaQueryTrustedDomainInfo The LsaQueryTrustedDomainInfo function retrieves information about a trusted domain. |
| LsaQueryTrustedDomainInfoByName The LsaQueryTrustedDomainInfoByName function returns information about a trusted domain. |
| LsaRegisterLogonProcess Establishes a connection to the LSA server and verifies that the caller is a logon application. |
| LsaRegisterPolicyChangeNotification The LsaRegisterPolicyChangeNotification function registers an event handle with the local security authority (LSA). This event handle is signaled whenever the indicated LSA policy is modified. |
| LsaRemoveAccountRights Removes one or more privileges from an account. |
| LsaRetrievePrivateData Do not use the LSA private data functions for generic data encryption and decryption. Instead, use the CryptProtectData and CryptUnprotectData functions. (LsaRetrievePrivateData) |
| LsaSetDomainInformationPolicy Sets domain information to the Policyobject. |
| LsaSetForestTrustInformation Sets the forest trust information for a specified Local Security Authority�TrustedDomain object. |
| LsaSetInformationPolicy Modifies information in a Policy object. |
| LsaSetTrustedDomainInfoByName The LsaSetTrustedDomainInfoByName function sets values for a TrustedDomain object. |
| LsaSetTrustedDomainInformation The LsaSetTrustedDomainInformation function modifies a Policy object's information about a trusted domain. |
| LsaStorePrivateData Do not use the LSA private data functions for generic data encryption and decryption. Instead, use the CryptProtectData and CryptUnprotectData functions. Only use the LSA private data functions when it is necessary to manipulate LSA secrets (LsaStorePrivateData) |
| LsaUnregisterPolicyChangeNotification The LsaUnregisterPolicyChangeNotification function disables a previously registered notification event. |
| RtlDecryptMemory Decrypts memory contents previously encrypted by the RtlEncryptMemory function. |
| RtlEncryptMemory Encrypts memory contents. |
| RtlGenRandom Generates a pseudo-random number. |
Callback functions
| PSAM_INIT_NOTIFICATION_ROUTINE The InitializeChangeNotify function is implemented by a password filter DLL. This function initializes the DLL. |
| PSAM_PASSWORD_FILTER_ROUTINE Implemented by a password filter DLL. The value returned by this function determines whether the new password is accepted by the system. |
| PSAM_PASSWORD_NOTIFICATION_ROUTINE Is implemented by a password filter DLL. It notifies the DLL that a password was changed. |
Structures
| AUDIT_POLICY_INFORMATION Specifies a security event type and when to audit that type. |
| DOMAIN_PASSWORD_INFORMATION Contains information about a domain's password policy, such as the minimum length for passwords and how unique passwords must be. |
| KERB_ADD_BINDING_CACHE_ENTRY_EX_REQUEST Allows the user to bind to a specific domain controller (DC), overriding the Kerberos domain binding cache. |
| KERB_ADD_BINDING_CACHE_ENTRY_REQUEST Specifies a message to add a binding cache entry. |
| KERB_ADD_CREDENTIALS_REQUEST Specifies a message to add, remove, or replace an extra server credential for a logon session. |
| KERB_ADD_CREDENTIALS_REQUEST_EX Specifies a message to add, remove, or replace an extra server credential for a logon session, and the service principal names (SPNs) to be associated with that credential. |
| KERB_BINDING_CACHE_ENTRY_DATA Specifies the data for the binding cache entry. |
| KERB_CERTIFICATE_HASHINFO Provides the payload information of the certificate hash. |
| KERB_CERTIFICATE_INFO Contains the certificate information. |
| KERB_CERTIFICATE_LOGON Contains information about a smart card logon session. (KERB_CERTIFICATE_LOGON) |
| KERB_CERTIFICATE_S4U_LOGON Contains information about the certificate for a service for user (S4U) logon. |
| KERB_CERTIFICATE_UNLOCK_LOGON Contains information used to unlock a workstation that has been locked during an interactive smart card logon session. |
| KERB_CHANGEPASSWORD_REQUEST Contains information used to change a password. |
| KERB_CLEANUP_MACHINE_PKINIT_CREDS_REQUEST Cleans up the PKINIT device credentials from the computer. |
| KERB_CRYPTO_KEY Contains information about a Kerberos cryptographic session key. |
| KERB_EXTERNAL_NAME Contains information about an external name. |
| KERB_EXTERNAL_TICKET Contains information about an external ticket. |
| KERB_INTERACTIVE_LOGON Contains information about an interactive logon session. |
| KERB_INTERACTIVE_PROFILE The KERB_INTERACTIVE_PROFILE structure contains information about an interactive logon profile. This structure is used by the LsaLogonUser function. |
| KERB_INTERACTIVE_UNLOCK_LOGON Contains information used to unlock a workstation that has been locked during an interactive logon session. |
| KERB_PURGE_BINDING_CACHE_REQUEST Deletes the request for the binding cache. |
| KERB_PURGE_TKT_CACHE_REQUEST Contains information used to delete entries from the ticket cache. |
| KERB_QUERY_BINDING_CACHE_REQUEST Contains information used to query the binding cache. |
| KERB_QUERY_BINDING_CACHE_RESPONSE Contains the results of querying the binding cache. |
| KERB_QUERY_DOMAIN_EXTENDED_POLICIES_REQUEST Contains information used to query the domain for the extended policies. |
| KERB_QUERY_DOMAIN_EXTENDED_POLICIES_RESPONSE Contains the results of querying for the extended policies of the specified domain. |
| KERB_QUERY_TKT_CACHE_REQUEST Contains information used to query the ticket cache. |
| KERB_QUERY_TKT_CACHE_RESPONSE Contains the results of querying the ticket cache. |
| KERB_RETRIEVE_TKT_REQUEST Contains information used to retrieve a ticket. |
| KERB_RETRIEVE_TKT_RESPONSE Contains the response from retrieving a ticket. |
| KERB_S4U_LOGON Contains information about a service for user (S4U) logon. |
| KERB_SMART_CARD_LOGON Contains information about a smart card logon session. (KERB_SMART_CARD_LOGON) |
| KERB_SMART_CARD_UNLOCK_LOGON Contains information used to unlock a workstation that has been locked during a smart card logon session. |
| KERB_TICKET_CACHE_INFO Contains information about a cached Kerberos ticket. The Kerberos ticket is defined in Internet RFC 4120. For more information, see http://www.ietf.org. |
| KERB_TICKET_LOGON Contains profile information for a network logon. |
| KERB_TICKET_PROFILE The KERB_TICKET_PROFILE structure contains information about an interactive logon profile. This structure is returned by LsaLogonUser. |
| KERB_TICKET_UNLOCK_LOGON Contains information to unlock a workstation. |
| LSA_AUTH_INFORMATION The LSA_AUTH_INFORMATION structure contains authentication information for a trusted domain. |
| LSA_ENUMERATION_INFORMATION The LSA_ENUMERATION_INFORMATION structure is used with the LsaEnumerateAccountsWithUserRight function to return a pointer to a SID. |
| LSA_FOREST_TRUST_BINARY_DATA Contains binary data used in Local Security Authority forest trust operations. |
| LSA_FOREST_TRUST_COLLISION_INFORMATION Contains information about Local Security Authority forest trust collisions. |
| LSA_FOREST_TRUST_COLLISION_RECORD Contains information about a Local Security Authority forest trust collision. |
| LSA_FOREST_TRUST_DOMAIN_INFO Contains identifying information for a domain. |
| LSA_FOREST_TRUST_INFORMATION Contains Local Security Authority forest trust information. |
| LSA_FOREST_TRUST_RECORD Represents a Local Security Authority forest trust record. |
| LSA_LAST_INTER_LOGON_INFO Contains information about a logon session. (LSA_LAST_INTER_LOGON_INFO) |
| LSA_TRANSLATED_SID Used with the LsaLookupNames function to return information about the SID that identifies an account. |
| MSV1_0_INTERACTIVE_LOGON Contains information about an interactive logon. |
| MSV1_0_INTERACTIVE_PROFILE The MSV1_0_INTERACTIVE_PROFILE structure contains information about an interactive logon profile. This structure is used by the LsaLogonUser function. |
| MSV1_0_LM20_LOGON Contains logon information used in network logons. |
| MSV1_0_LM20_LOGON_PROFILE Contains information about a network logon session. |
| MSV1_0_SUBAUTH_LOGON Used by subauthentication DLLs. |
| MSV1_0_SUBAUTH_REQUEST Contains information to pass to a subauthentication package. |
| MSV1_0_SUBAUTH_RESPONSE Contains the response from a subauthentication package. |
| MSV1_0_SUPPLEMENTAL_CREDENTIAL The MSV1_0_SUPPLEMENTAL_CREDENTIAL structure is used to pass credentials into MSV1_0 from Kerberos or custom authentication package. |
| PKU2U_CERT_BLOB Specifies PKU2U certificate data. |
| PKU2U_CERTIFICATE_S4U_LOGON Specifies a certificate used for S4U logon. |
| PKU2U_CREDUI_CONTEXT Specifies a PKU2U client context. |
| POLICY_AUDIT_EVENTS_INFO The POLICY_AUDIT_EVENTS_INFO structure is used to set and query the system's auditing rules. |
| POLICY_AUDIT_SID_ARRAY Specifies an array of SID structures that represent Windows users or groups. |
| POLICY_LSA_SERVER_ROLE_INFO Used to set and query the role of an LSA server. |
| POLICY_MODIFICATION_INFO The POLICY_MODIFICATION_INFO structure is used to query information about the creation time and last modification of the LSA database. |
| POLICY_PRIMARY_DOMAIN_INFO The PolicyPrimaryDomainInformation value and POLICY_PRIMARY_DOMAIN_INFO structure are obsolete. Use the PolicyDnsDomainInformation and POLICY_DNS_DOMAIN_INFO structure instead. |
| SECURITY_LOGON_SESSION_DATA Contains information about a logon session. (SECURITY_LOGON_SESSION_DATA) |
| TRUSTED_DOMAIN_AUTH_INFORMATION The TRUSTED_DOMAIN_AUTH_INFORMATION structure is used to retrieve authentication information for a trusted domain. The LsaQueryTrustedDomainInfo function uses this structure when its InformationClass parameter is set to TrustedDomainAuthInformation. |
| TRUSTED_DOMAIN_FULL_INFORMATION Used to retrieve complete information about a trusted domain. |
| TRUSTED_DOMAIN_INFORMATION_EX Used to retrieve extended information about a trusted domain. |
| TRUSTED_DOMAIN_NAME_INFO Used to query or set the name of a trusted domain. |
| TRUSTED_PASSWORD_INFO The TRUSTED_PASSWORD_INFO structure is used to query or set the password for a trusted domain. |
| TRUSTED_POSIX_OFFSET_INFO Used to query or set the value used to generate Posix user and group identifiers. |
Enumerations
| KERB_CERTIFICATE_INFO_TYPE Specifies the type of certificate information that is provided. |
| KERB_LOGON_SUBMIT_TYPE Identifies the type of logon being requested. |
| KERB_PROFILE_BUFFER_TYPE Lists the type of logon profile returned. |
| KERB_PROTOCOL_MESSAGE_TYPE Lists the types of messages that can be sent to the Kerberos authentication package by calling the LsaCallAuthenticationPackage function. |
| LSA_FOREST_TRUST_COLLISION_RECORD_TYPE Defines the types of collision that can occur between Local Security Authority forest trust records. |
| LSA_FOREST_TRUST_RECORD_TYPE Defines the type of a Local Security Authority forest trust record. |
| MSV1_0_LOGON_SUBMIT_TYPE Indicates the kind of logon being requested. |
| MSV1_0_PROFILE_BUFFER_TYPE Lists the kind of logon profile returned. |
| MSV1_0_PROTOCOL_MESSAGE_TYPE Lists the types of messages that can be sent to the MSV1_0 Authentication Package by calling the LsaCallAuthenticationPackage function. |
| PKU2U_LOGON_SUBMIT_TYPE Indicates the type of logon message passed in a PKU2U_CERTIFICATE_S4U_LOGON structure. |
| POLICY_AUDIT_EVENT_TYPE The POLICY_AUDIT_EVENT_TYPE enumeration defines values that indicate the types of events the system can audit. |
| POLICY_DOMAIN_INFORMATION_CLASS Defines the type of policy domain information. |
| POLICY_INFORMATION_CLASS Defines values that indicate the type of information to set or query in a Policy object. |
| POLICY_LSA_SERVER_ROLE Defines values that indicate the role of an LSA server. |
| POLICY_NOTIFICATION_INFORMATION_CLASS The POLICY_NOTIFICATION_INFORMATION_CLASS enumeration defines the types of policy information and policy domain information for which your application can request notification of changes. |
| POLICY_SERVER_ENABLE_STATE The POLICY_SERVER_ENABLE_STATE enumeration represents the state of the LSA server�that is, whether it is enabled or disabled. Some operations may only be performed on an enabled LSA server. |
| SECURITY_LOGON_TYPE Indicates the type of logon requested by a logon process. |
| TRUSTED_INFORMATION_CLASS The TRUSTED_INFORMATION_CLASS enumeration type defines values that indicate the type of information to set or query for a trusted domain. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for