I have some C# code that uses "advapi32.dll" to connect to various servers to collect various information for documentation purposes.

Part of that documentation is getting user permissions from each machine. I am using the LsaEnumerateAccountsWithUserRight function which seems to work on Windows 2003 machines, but not on 2008 machines. I receive an 'access denied' error. I have read a variety of threads on a variety of sites recommending disabling UAC (which I have tried) and using POLICY_VIEW_LOCAL_INFORMATION instead of POLICY_ALL_ACCESS when using LsaOpenPolicy (which I have tried) and none of it seems to work. Has anyone run into this problem?

Bitfiddler

1 Answer

For what it's worth, I am able to use LsaLookupNames2 and LsaEnumerateAccountRights on Win2008 R2 (running VS in administrator mode).

LsaOpenPolicy(... Access.POLICY_LOOKUP_NAMES | Access.POLICY_VIEW_LOCAL_INFORMATION, out lsaHandle)
...
LsaLookupNames2(lsaHandle, 0, 1, names, ref tdom, ref tsids)
...
LsaEnumerateAccountRights(lsaHandle, sid, out hPrivileges, out privileges_count)

I used the following two references:

Scott Brickey
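Added example, not code from either post: the question's LsaEnumerateAccountsWithUserRight call opened with the access mask shown in the answer, with each NTSTATUS translated through LsaNtStatusToWinError so an access-denied result is reported with its Win32 code and "no account holds this right" is not mistaken for a failure. The names LsaRightsAudit, AccountsWithRight and ToLsa are hypothetical, and the server and right names are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class LsaRightsAudit { // hypothetical helper, e.g. AccountsWithRight(Environment.MachineName, "SeServiceLogonRight")
    const uint POLICY_VIEW_LOCAL_INFORMATION = 0x0001, POLICY_LOOKUP_NAMES = 0x0800;
    const int ERROR_NO_MORE_ITEMS = 259; // STATUS_NO_MORE_ENTRIES: no account holds the right
    [StructLayout(LayoutKind.Sequential)] struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] struct LSA_OBJECT_ATTRIBUTES { public uint Length;
        public IntPtr RootDirectory, ObjectName; public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService; }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(ref LSA_UNICODE_STRING systemName,
        ref LSA_OBJECT_ATTRIBUTES attributes, uint desiredAccess, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountsWithUserRight(IntPtr policy,
        ref LSA_UNICODE_STRING userRight, out IntPtr buffer, out uint count);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint status);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr policy);

    // Lengths are in bytes; the buffer is unmanaged and freed by the caller.
    static LSA_UNICODE_STRING ToLsa(string s) => new LSA_UNICODE_STRING {
        Length = (ushort)(s.Length * 2), MaximumLength = (ushort)(s.Length * 2 + 2),
        Buffer = Marshal.StringToHGlobalUni(s) };

    public static List<SecurityIdentifier> AccountsWithRight(string server, string right) {
        var result = new List<SecurityIdentifier>();
        LSA_UNICODE_STRING sys = ToLsa(server), name = ToLsa(right);
        var attrs = new LSA_OBJECT_ATTRIBUTES { Length = (uint)Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
        IntPtr policy = IntPtr.Zero, buffer = IntPtr.Zero;
        try {
            // Request only the two rights the enumeration needs, not POLICY_ALL_ACCESS.
            int err = LsaNtStatusToWinError(LsaOpenPolicy(ref sys, ref attrs,
                POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION, out policy));
            if (err != 0) throw new Win32Exception(err, "LsaOpenPolicy on " + server);
            err = LsaNtStatusToWinError(
                LsaEnumerateAccountsWithUserRight(policy, ref name, out buffer, out uint count));
            if (err == ERROR_NO_MORE_ITEMS) return result; // empty list, not an error
            if (err != 0) throw new Win32Exception(err, "LsaEnumerateAccountsWithUserRight");
            for (int i = 0; i < count; i++) // array of LSA_ENUMERATION_INFORMATION { PSID Sid; }
                result.Add(new SecurityIdentifier(Marshal.ReadIntPtr(buffer, i * IntPtr.Size)));
            return result;
        } finally {
            if (buffer != IntPtr.Zero) LsaFreeMemory(buffer);
            if (policy != IntPtr.Zero) LsaClose(policy);
            Marshal.FreeHGlobal(sys.Buffer); Marshal.FreeHGlobal(name.Buffer);
        }
    }
}
```

The Win32Exception message shows which of the two calls was refused, which separates a policy-handle permission problem from a failure in the enumeration itself.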