The Win32 Network Management APIs 9






User Modal Functions


The network management user modal functions get and set system-wide parameters related to security system behavior. The user modal functions are listed below.


  1. NetUserModalsGet(): Returns global information for all users and global groups in the security database, which is the security accounts manager (SAM) database or, on domain controllers, Active Directory.
  2. NetUserModalsSet(): Sets global information for all users and global groups in the security database.


The NetUserModalsGet() and NetUserModalsSet() functions examine and modify the modal settings, which are global parameters that affect every account in the security database (for example, the minimum allowable password length). All modal settings can be altered by calling NetUserModalsSet(). Most of the modals can also be altered by using the net accounts command. The network management user modal functions do not require the server to have user-level security. User modal information is available at the following levels:




The following information levels are valid only for NetUserModalsSet() and replace the older way of passing in a Parmnum to set a specific field:




If you are programming for Active Directory, you may be able to call certain Active Directory Service Interface (ADSI) methods to achieve the same functionality you can achieve by calling the network management user modal functions.
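

The following added example (not code from the original page) reads the level 0 modals with NetUserModalsGet() and flags weak password settings. The thresholds of 12 characters and 5 remembered passwords, and the names audit_modals and WEAK_*, are assumptions chosen for illustration; outside Windows the program falls back to a constructed sample.

```c
/* Added example: audit the level 0 user modals (password policy) returned by
 * NetUserModalsGet(). Thresholds are illustrative assumptions, not policy. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#endif

#define WEAK_MIN_LEN   0x1u        /* minimum password length below threshold */
#define WEAK_NO_EXPIRY 0x2u        /* maximum password age is "never" */
#define WEAK_HISTORY   0x4u        /* password history below threshold */
#define AGE_FOREVER    0xFFFFFFFFu /* same value as TIMEQ_FOREVER in lmaccess.h */

/* Pure check, so the policy logic can be exercised without a server. */
unsigned audit_modals(unsigned long min_len, unsigned long max_age_secs,
                      unsigned long hist_len)
{
    unsigned findings = 0;
    if (min_len < 12)                findings |= WEAK_MIN_LEN;   /* assumed threshold */
    if (max_age_secs == AGE_FOREVER) findings |= WEAK_NO_EXPIRY;
    if (hist_len < 5)                findings |= WEAK_HISTORY;   /* assumed threshold */
    return findings;
}

int main(void)
{
    unsigned long min_len = 0, max_age = AGE_FOREVER, hist = 0; /* constructed sample */
#ifdef _WIN32
    USER_MODALS_INFO_0 *info = NULL;
    /* NULL server name = local computer; level 0 = password parameters. */
    NET_API_STATUS rc = NetUserModalsGet(NULL, 0, (LPBYTE *)&info);
    if (rc != NERR_Success) {
        fprintf(stderr, "NetUserModalsGet failed: %lu\n", (unsigned long)rc);
        return 1;
    }
    min_len = info->usrmod0_min_passwd_len;
    max_age = info->usrmod0_max_passwd_age;      /* seconds */
    hist    = info->usrmod0_password_hist_len;
    NetApiBufferFree(info);                      /* buffer is allocated by the system */
#endif
    unsigned f = audit_modals(min_len, max_age, hist);
    printf("min_len=%lu max_age=%lu hist=%lu findings=0x%x\n",
           min_len, max_age, hist, f);
    return f ? 2 : 0;
}
```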


Workstation and Workstation User Functions


The network management workstation functions perform administrative tasks on a local or remote workstation. Only a user or application with admin group membership, on a local or remote server, can perform administrative tasks on a workstation to control its operation, user access, and resource sharing. The workstation functions are listed below.


  1. NetWkstaGetInfo(): Returns information about the configuration elements for a workstation.
  2. NetWkstaSetInfo(): Configures a workstation.


The workstation functions allow access to two discrete types of workstation information:


  1. System information.
  2. Platform-specific information.


Within each type the data is categorized by security access. Data that is guest-accessible is a subset of the data that is user-accessible, which is in turn a subset of the admin-accessible data. Workstation information is available at the following levels:


  1. WKSTA_INFO_100
  2. WKSTA_INFO_101
  3. WKSTA_INFO_102


The network management workstation user functions allow access to user-specific information. The user-specific information is separated from the workstation information because there can be more than one user on a workstation. The workstation user functions are listed below.


  1. NetWkstaUserEnum(): Lists information about all users currently logged on to the workstation.
  2. NetWkstaUserGetInfo(): Returns information about one currently logged-on user.
  3. NetWkstaUserSetInfo(): Sets the user-specific information for the configuration elements of a workstation.


Workstation user information is available at the following levels:




Security Requirements for the Network Management Functions


Calling some of the network management functions does not require special group membership. Other functions require that users have a specific privilege level to execute successfully. When applicable, the Remarks section on a function's reference page indicates the privilege level a user must have to execute the particular function. Security requirements that apply to Active Directory domain controllers can differ from those that apply to servers and workstations.


Requirements for Network Management Functions on Active Directory Domain Controllers


If you call one of the network management functions listed in this topic on a domain controller running Active Directory, access to a securable object is allowed or denied based on the access-control list (ACL) for the object. (ACLs are specified in the directory.) Different access requirements apply to information queries and information updates.




For queries, the default ACL permits all authenticated users and members of the "Pre-Windows 2000 Compatible Access" group to read and enumerate information. The following functions are affected:


  1. NetGroupEnum(), NetGroupGetInfo(), NetGroupGetUsers()
  2. NetLocalGroupEnum(), NetLocalGroupGetInfo(), NetLocalGroupGetMembers()
  3. NetQueryDisplayInformation()
  4. NetSessionGetInfo() (levels 1 and 2 only)
  5. NetShareEnum() (levels 2 and 502 only)
  6. NetUserEnum(), NetUserGetGroups(), NetUserGetInfo(), NetUserGetLocalGroups(), NetUserModalsGet()
  7. NetWkstaGetInfo(), NetWkstaUserEnum()


Anonymous access to group information requires that the user Anonymous be explicitly added to the "Pre-Windows 2000 Compatible Access" group. This is because anonymous tokens do not include the Everyone group SID.


For Windows 2000: By default, the "Pre-Windows 2000 Compatible Access" group includes Everyone as a member. This enables anonymous access (Anonymous Logon) to information if the system allows anonymous access. Administrators can remove Everyone from the "Pre-Windows 2000 Compatible Access" group at any time. Removing Everyone from the group restricts information access to authenticated users only.


You can override the system default by setting the following registry value to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 1

See NetWkstaGetInfo() and NetWkstaUserEnum() for additional information about anonymous access to group information when calling these two functions.
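

The rule above can be audited on a machine as follows. This is an added example, not code from the original page: it reads EveryoneIncludesAnonymous and the group membership, then applies the rule. The function name anonymous_can_read is hypothetical, the English group name is assumed, and outside Windows the program uses a constructed sample.

```c
/* Added example (not from the original page): does the configuration
 * described above let anonymous callers read account information? */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
#pragma comment(lib, "advapi32.lib")
#endif

/* Anonymous tokens carry the Everyone SID only when EveryoneIncludesAnonymous
 * is 1, so Everyone membership alone is not enough. Assumes the system
 * accepts anonymous connections at all. */
int anonymous_can_read(int anon_in_group, int everyone_in_group,
                       unsigned long everyone_includes_anonymous)
{
    if (anon_in_group)
        return 1;
    return everyone_in_group && everyone_includes_anonymous == 1;
}

int main(void)
{
    int anon = 0, everyone = 1;   /* constructed sample: Everyone is a member */
    unsigned long eia = 0;        /* constructed sample: value absent or 0 */
#ifdef _WIN32
    DWORD val = 0, cb = sizeof val, nread = 0, total = 0, i;
    LOCALGROUP_MEMBERS_INFO_0 *m = NULL;
    if (RegGetValueW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\Lsa",
                     L"EveryoneIncludesAnonymous", RRF_RT_REG_DWORD, NULL,
                     &val, &cb) == ERROR_SUCCESS)
        eia = val;
    /* English group name; localized installations name the group differently. */
    if (NetLocalGroupGetMembers(NULL, L"Pre-Windows 2000 Compatible Access", 0,
            (LPBYTE *)&m, MAX_PREFERRED_LENGTH, &nread, &total, NULL) != NERR_Success) {
        fprintf(stderr, "cannot read group membership\n");
        return 1;
    }
    anon = everyone = 0;
    for (i = 0; i < nread; i++) {
        if (IsWellKnownSid(m[i].lgrmi0_sid, WinWorldSid))     everyone = 1;
        if (IsWellKnownSid(m[i].lgrmi0_sid, WinAnonymousSid)) anon = 1;
    }
    NetApiBufferFree(m);
#endif
    printf("anonymous=%d everyone=%d EveryoneIncludesAnonymous=%lu\n", anon, everyone, eia);
    return anonymous_can_read(anon, everyone, eia) ? 2 : 0;
}
```

An exit status of 2 means anonymous callers can read the information under this rule; removing Everyone and Anonymous from the group, or leaving the registry value unset, brings it back to 0.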




For updates, the default ACL permits only Domain Administrators and Account Operators to write information. One exception is that users can change their own password and set the usri*_usr_comment field. Another exception is that Account Operators cannot modify administration accounts. The following functions are affected:


  1. NetGroupAdd(), NetGroupAddUser(), NetGroupDel(), NetGroupDelUser(), NetGroupSetInfo(), NetGroupSetUsers()
  2. NetLocalGroupAdd(), NetLocalGroupAddMembers(), NetLocalGroupDel(), NetLocalGroupDelMembers(), NetLocalGroupSetInfo(), NetLocalGroupSetMembers()
  3. NetMessageBufferSend()
  4. NetUserAdd(), NetUserChangePassword(), NetUserDel(), NetUserModalsSet(), NetUserSetGroups(), NetUserSetInfo()


Typically, callers must have write access to the entire object for calls to NetUserModalsSet(), NetUserSetInfo(), NetGroupSetInfo() and NetLocalGroupSetInfo() to succeed.




