0
BYTE sidbuf[SECURITY_MAX_SID_SIZE];
            PSID sid = (PSID)sidbuf;
            if (GetAccountSidFromName(L"Sasha", sid, sizeof(sidbuf)))
            {
                PLSA_UNICODE_STRING userRights;
                ULONG cnt;
                LSA_HANDLE policy = GetPolicyHandle();
                NTSTATUS status=LsaEnumerateAccountRights(policy, sid, &userRights, &cnt);
                long ff=LsaNtStatusToWinError(status);
                

            }

BOOL GetAccountSidFromName(LPCTSTR Account, PSID Sid, const DWORD SidSize)
{
    SID_NAME_USE snu;
    DWORD cbSid = SidSize, cchRD = 0;
    LPTSTR rd = NULL;
    BOOL succ = LookupAccountName(NULL, Account, Sid, &cbSid, rd, &cchRD, &snu);
    if (!succ)
    {
        if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
            return FALSE;
        rd = (LPTSTR)LocalAlloc(LPTR, cchRD * sizeof(*rd));
        if (!rd)
        {
            SetLastError(ERROR_OUTOFMEMORY);
            return FALSE;
        }
        cbSid = SidSize;
        succ = LookupAccountName(NULL, Account, Sid, &cbSid, rd, &cchRD, &snu);
        LocalFree(rd);
    }
    return succ;
}

LSA_HANDLE GetPolicyHandle()
{
    LSA_OBJECT_ATTRIBUTES ObjectAttributes;
    USHORT SystemNameLength;

    NTSTATUS ntsResult;
    LSA_HANDLE lsahPolicyHandle;

    // Object attributes are reserved, so initialize to zeros.
    ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));

    // Get a handle to the Policy object.
    ntsResult = LsaOpenPolicy(
        NULL,    //Name of the target system.
        &ObjectAttributes, //Object attributes.
        POLICY_ALL_ACCESS, //Desired access permissions.
        &lsahPolicyHandle  //Receives the policy handle.
    );

    return lsahPolicyHandle;
}

In my case sid is valid. GetPolicyHandle() is from MSDN.User name is Sasha as specified. Run on Visual Studio 2019 with admin rights. I try find some solution at the Internet but found nothing. I have spended already 5 hours on it. I have no idea how to fix it.Plaese help.

  • What is the exact ntstatus code? – Anders Nov 05 '20 at 21:05
  • status is equal -1073741772 –  Nov 05 '20 at 21:08
  • https://stackoverflow.com/a/4615926/6401656 – RbMm Nov 06 '20 at 01:08
  • 1
    also as note - not use `LookupAccountName`- use `LsaLookupNames2` intead. not use `POLICY_ALL_ACCESS` - you need only `POLICY_LOOKUP_NAMES`. and usually only group(*SidTypeGroup*) and aliases (*SidTypeAlias*) have not empty rights, but not *SidTypeUser* – RbMm Nov 06 '20 at 01:11
  • 1
    I can reproduce it, The error code `STATUS_OBJECT_NAME_NOT_FOUND` is expected. The function did not find the privilege in the sid. If I use `LsaAddAccountRights` to add any privilege to the SID, `LsaEnumerateAccountRights correctly` returns the privilege just added. – Drake Wu Nov 06 '20 at 03:33
  • Yeah, thanks for answering. My user exactly didn`t have any rights when I run program! –  Nov 06 '20 at 11:25

0 Answers0