nf-ntsecapi-lsaremoveaccountrights.md

File metadata and controls

133 lines (103 loc) · 4.22 KB
---
UID: NF:ntsecapi.LsaRemoveAccountRights
title: LsaRemoveAccountRights function (ntsecapi.h)
description: Removes one or more privileges from an account.
helpviewer_keywords: LsaRemoveAccountRights, LsaRemoveAccountRights function [Security], _lsa_lsaremoveaccountrights, ntsecapi/LsaRemoveAccountRights, security.lsaremoveaccountrights
old-location: security\lsaremoveaccountrights.htm
tech.root: security
ms.assetid: ad250a01-7a24-4fae-975c-aa3e65731c82
ms.date: 12/05/2018
ms.keywords: LsaRemoveAccountRights, LsaRemoveAccountRights function [Security], _lsa_lsaremoveaccountrights, ntsecapi/LsaRemoveAccountRights, security.lsaremoveaccountrights
req.header: ntsecapi.h
req.include-header:
req.target-type: Windows
req.target-min-winverclnt: Windows XP [desktop apps only]
req.target-min-winversvr: Windows Server 2003 [desktop apps only]
req.kmdf-ver:
req.umdf-ver:
req.ddi-compliance:
req.unicode-ansi:
req.idl:
req.max-support:
req.namespace:
req.assembly:
req.type-library:
req.lib: Advapi32.lib
req.dll: Advapi32.dll
req.irql:
targetos: Windows
req.typenames:
req.redist:
ms.custom: 19H1
f1_keywords: LsaRemoveAccountRights, ntsecapi/LsaRemoveAccountRights
dev_langs: c++
topic_type: APIRef, kbSyntax
api_type: DllExport
api_location: Advapi32.dll, API-MS-Win-Security-lsapolicy-l1-1-0.dll, sechost.dll, API-MS-Win-Security-LSAPolicy-L1-1-1.dll
api_name: LsaRemoveAccountRights
---

LsaRemoveAccountRights function

-description

The LsaRemoveAccountRights function removes one or more privileges from an account. You can specify the privileges to be removed, or you can set a flag to remove all privileges. When you remove all privileges, the function deletes the account. If you specify privileges not held by the account, the function ignores them.

-parameters

-param PolicyHandle [in]

A handle to a Policy object. The handle must have the POLICY_LOOKUP_NAMES access right. For more information, see Opening a Policy Object Handle.

-param AccountSid [in]

Pointer to the security identifier (SID) of the account from which the privileges are removed.

-param AllRights [in]

If TRUE, the function removes all privileges and deletes the account. In this case, the function ignores the UserRights parameter. If FALSE, the function removes the privileges specified by the UserRights parameter.

-param UserRights [in]

Pointer to an array of LSA_UNICODE_STRING structures. Each structure contains the name of a privilege to be removed from the account. For a list of privilege names, see Privilege Constants.

-param CountOfRights [in]

Specifies the number of elements in the UserRights array.

-returns

If the function succeeds, the return value is STATUS_SUCCESS.

If the function fails, the return value is an NTSTATUS code, which can be one of the following values or one of the LSA Policy Function Return Values.

| Value | Description |
| --- | --- |
| STATUS_NO_SUCH_PRIVILEGE | One of the privilege names is not valid. |
| STATUS_INVALID_PARAMETER | Indicates the UserRights parameter was NULL and the AllRights parameter was FALSE. |

You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
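The following C code is an added example, not part of the original reference page: it removes exactly one named right with AllRights fixed to FALSE (so the account is never deleted) and converts the result with LsaNtStatusToWinError. The names `init_lsa_string` and `remove_one_right` are hypothetical, and the non-Windows stand-in types are an assumption that exists only so the string helper builds on other platforms.

```c
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* link with Advapi32.lib */
#else
/* Stand-in types (assumption) so the string helper also builds off Windows. */
typedef unsigned short USHORT;
typedef wchar_t WCHAR;
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } LSA_UNICODE_STRING;
#endif
/* Hypothetical helper: fill an LSA_UNICODE_STRING from a privilege name.
   Length and MaximumLength are byte counts held in a USHORT, so a name that
   does not fit is rejected instead of being silently truncated.
   Returns 1 on success, 0 on a NULL, empty or oversized name. */
int init_lsa_string(LSA_UNICODE_STRING *out, const wchar_t *name)
{
    size_t len;
    if (out == NULL || name == NULL) return 0;
    len = wcslen(name);
    if (len == 0 || len + 1 > 0xFFFF / sizeof(WCHAR)) return 0;
    out->Buffer = (WCHAR *)name;         /* input parameter, cast drops const */
    out->Length = (USHORT)(len * sizeof(WCHAR));       /* excludes terminator */
    out->MaximumLength = (USHORT)((len + 1) * sizeof(WCHAR));
    return 1;
}

#ifdef _WIN32
/* Hypothetical wrapper: remove exactly one right from the account.
   AllRights is hard-wired to FALSE because TRUE deletes the account.
   Returns a Win32 error code (ERROR_SUCCESS on success). */
ULONG remove_one_right(PSID account_sid, const wchar_t *right_name)
{
    LSA_OBJECT_ATTRIBUTES attrs;
    LSA_HANDLE policy = NULL;
    LSA_UNICODE_STRING right;
    NTSTATUS status;
    if (account_sid == NULL || !init_lsa_string(&right, right_name))
        return ERROR_INVALID_PARAMETER;
    ZeroMemory(&attrs, sizeof(attrs));
    /* The page requires POLICY_LOOKUP_NAMES on the Policy handle. */
    status = LsaOpenPolicy(NULL, &attrs, POLICY_LOOKUP_NAMES, &policy);
    if (status != 0)                     /* 0 is STATUS_SUCCESS */
        return LsaNtStatusToWinError(status);
    status = LsaRemoveAccountRights(policy, account_sid, FALSE, &right, 1);
    LsaClose(policy);
    return LsaNtStatusToWinError(status);
}
#endif
```

Because the function ignores privileges the account does not hold, a success return does not prove the right was previously assigned; LsaEnumerateAccountRights can be called before and after to confirm the change.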

-see-also

LSA_UNICODE_STRING

LsaAddAccountRights

LsaEnumerateAccountRights