I get this error return whether I try LsaQueryInformationPolicy() on the local host or on some other machine in the domain. The flags I use for LsaOpenPolicy() are POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION but I also tried POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION | READ_CONTROL without success.
The user I'm logged in as is a local admin both on my machine and on all the others I'm trying this on.
For the second parameter to LsaQueryInformationPolicy() I use PolicyAuditEventsInformation.
I'm able to use LsaEnumerateAccountRights() against the same host, using the same policy handle, successfully.
Try to use POLICY_LOOKUP_NAMES | GENERIC_READ | POLICY_VIEW_LOCAL_INFORMATION instead of POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION. It works on my computer.

UPDATED: To be more exact, you need only POLICY_VIEW_AUDIT_INFORMATION during opening of LsaOpenPolicy() to read audit information.
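The call sequence from the answer as a small C program (an added example, not code from either poster): it opens the local policy with only POLICY_VIEW_AUDIT_INFORMATION and reads PolicyAuditEventsInformation. The names audit_setting and dump_audit_policy are made up for this example, and the non-Windows #else branch exists only so the decoder compiles off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>            /* link with advapi32 */
#else                            /* values from ntsecapi.h, for non-Windows builds */
#define POLICY_AUDIT_EVENT_SUCCESS 0x1UL
#define POLICY_AUDIT_EVENT_FAILURE 0x2UL
#endif

/* Decode one EventAuditingOptions entry into a readable setting. */
const char *audit_setting(unsigned long opt) {
    int s = (opt & POLICY_AUDIT_EVENT_SUCCESS) != 0;
    int f = (opt & POLICY_AUDIT_EVENT_FAILURE) != 0;
    return s && f ? "success+failure" : s ? "success" : f ? "failure" : "none";
}

#ifdef _WIN32
int dump_audit_policy(void) {
    LSA_OBJECT_ATTRIBUTES oa;
    LSA_HANDLE h = NULL;
    POLICY_AUDIT_EVENTS_INFO *info = NULL;
    NTSTATUS st;
    ULONG i;

    ZeroMemory(&oa, sizeof oa);
    /* NULL system name = local LSA; request only the audit-view right. */
    st = LsaOpenPolicy(NULL, &oa, POLICY_VIEW_AUDIT_INFORMATION, &h);
    if (st != 0) {
        fprintf(stderr, "LsaOpenPolicy: %lu\n", LsaNtStatusToWinError(st));
        return 1;
    }
    st = LsaQueryInformationPolicy(h, PolicyAuditEventsInformation, (PVOID *)&info);
    if (st != 0) {
        fprintf(stderr, "LsaQueryInformationPolicy: %lu\n", LsaNtStatusToWinError(st));
        LsaClose(h);
        return 1;
    }
    printf("auditing %s\n", info->AuditingMode ? "enabled" : "disabled");
    for (i = 0; i < info->MaximumAuditEventCount; i++)
        printf("category %lu: %s\n", i, audit_setting(info->EventAuditingOptions[i]));
    LsaFreeMemory(info);         /* buffer was allocated by LSA */
    LsaClose(h);
    return 0;
}

int main(void) { return dump_audit_policy(); }
#endif
```

Opening the handle with just the right the query needs also keeps a monitoring tool from holding more LSA access than it uses.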