LsaQueryInformationPolicy
Sample Code:
public int GetRemoteAuditPolicy(ref string[,] Policies)
{
Policies = new string[9, 2] { { "System", "" }, { "Logon", "" }, { "Object Access", "" }, { "Privilige Use", "" }, { "Detailed Tracking", "" }, { "Policy Change", "" }, { "Account Management", "" }, { "Directory Service Access", "" }, { "Account Logon", "" } };
//Everything from here until the "Good Stuff", was copied from this site
byte[] Sid = null;
uint cbSid = 0;
StringBuilder referencedDomainName = new StringBuilder();
uint cchReferencedDomainName = (uint)referencedDomainName.Capacity;
SID_NAME_USE sidUse;
int err = 0;
if (!LookupAccountName(this.ResourceName, this.UserName, Sid, ref cbSid, referencedDomainName, ref cchReferencedDomainName, out sidUse))
{
err = Marshal.GetLastWin32Error();
if (err == ERROR_INSUFFICIENT_BUFFER || err == ERROR_INVALID_FLAGS)
{
Sid = new byte[cbSid];
referencedDomainName.EnsureCapacity((int)cchReferencedDomainName);
err = 0;
if (!LookupAccountName(this.ResourceName, this.UserName, Sid, ref cbSid, referencedDomainName, ref cchReferencedDomainName, out sidUse))
err = Marshal.GetLastWin32Error();
//throw error here
//return custom error constant
}
}
LSA_UNICODE_STRING aSystemName = new LSA_UNICODE_STRING();
uint aAccess = (uint)(
LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN |
LSA_AccessPolicy.POLICY_CREATE_ACCOUNT |
LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE |
LSA_AccessPolicy.POLICY_CREATE_SECRET |
LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION |
LSA_AccessPolicy.POLICY_LOOKUP_NAMES |
LSA_AccessPolicy.POLICY_NOTIFICATION |
LSA_AccessPolicy.POLICY_SERVER_ADMIN |
LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS |
LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS |
LSA_AccessPolicy.POLICY_TRUST_ADMIN |
LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION |
LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION
);
IntPtr aPolicyHandle = IntPtr.Zero;
uint infoclass = (uint)POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation;
IntPtr bufptr = IntPtr.Zero;
LSA_OBJECT_ATTRIBUTES aObjectAttributes = new LSA_OBJECT_ATTRIBUTES();
aObjectAttributes.Length = 0;
aObjectAttributes.RootDirectory = IntPtr.Zero;
aObjectAttributes.Attributes = 0;
aObjectAttributes.SecurityDescriptor = IntPtr.Zero;
aObjectAttributes.SecurityQualityOfService = IntPtr.Zero;
aSystemName.SetTo(this.ResourceName);
uint aOpenPolicyResult = LsaOpenPolicy(ref aSystemName, ref aObjectAttributes, aAccess, out aPolicyHandle);
//Here's the "Good Stuff" folks
//This example gets Audit Policy information
uint retval = LsaQueryInformationPolicy(aPolicyHandle, infoclass, out bufptr);
//do what you want with the retval, this is a pretty lazy example
_POLICY_AUDIT_EVENTS_INFO pevents;
//Marshal the pointer to structure; pretty standard stuff
pevents = (_POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(bufptr, typeof(_POLICY_AUDIT_EVENTS_INFO));
//Microsoft states that this could be an arbitrary number of elements because they may expand upon this in later Windows versions
int[] policy_values = new int[pevents.MaximumAuditEventCount];
//pevents.MaximumAuditEventCount gives you the number of elements, take this number of elements and Marshall copy the array
Marshal.Copy(pevents.EventAuditingOptions, policy_values, 0, pevents.MaximumAuditEventCount);
//Only take the lowest array count
int max_policies = Policies.GetLength(0);
max_policies = max_policies > pevents.MaximumAuditEventCount ? pevents.MaximumAuditEventCount : max_policies;
//Grade 10 programming class
for (int x = 0; x < max_policies; x++)
{
switch (policy_values[x])
{
case 0:
Policies[x, 1] = "None";
break;
case 1:
Policies[x, 1] = "Success";
break;
case 2:
Policies[x, 1] = "Failure";
break;
case 3:
Policies[x, 1] = "Success/Failure";
break;
}
}
return 0;
}Sample Code:
Sample Code:
Última actualización