Click to open or copy the files for the LSAprivs sample.
Click to open or copy the Include files (required).
This module illustrates how to use the Windows NT LSA security API to manage account privileges on the local machine or on a remote machine.
When targeting a domain controller for privilege update operations, target the primary domain controller for the domain. The privilege settings are replicated by the primary domain controller to each backup domain controller as appropriate. The NetGetDCName Lan Manager API call can be used to get the primary domain controller computer name from a domain name.
For a list of privileges, consult Winnt.h, and search for SE_ASSIGNPRIMARYTOKEN_NAME.
For a list of logon rights, which can also be assigned using this sample code, consult Ntsecapi.h, and search for SE_BATCH_LOGON_NAME
You can use domain\account as argv[1]. For instance, mydomain\scott will grant the privilege to the mydomain domain account scott.
The optional target machine is specified as argv[2], otherwise, the account database is updated on the local machine.
The LSA APIs used by this sample are Unicode only.
Use LsaRemoveAccountRights to remove account rights.
This sample uses the following keywords:
displayntstatus; displaywinerror; formatmessagea; fprintf; getaccountsid; getlasterror; getprocessheap; getstdhandle; heapalloc; heapfree; heaprealloc; initlsastring; localfree; lookupaccountname; lsaaddaccountrights; lsaclose; lsantstatustowinerror; lsaopenpolicy; lsaremoveaccountrights; lstrlenw; makelangid; openpolicy; setprivilegeonaccount; text; writefile; wsprintf; wsprintfw; zeromemory