No navigation frame on the left?  Click here.

LsaEnumerateTrustedDomains

Have you ever wondered where the list of logon domains comes from -- the same list that is displayed in the log-on dialog box of an NT machine that is a member of an NT domain?

This sample tries to answer that question by asking the LSA subsystem for the machine account domain, the primary domain, and any domains trusted by the primary domain. To this end, the sample uses LsaOpenPolicy(), LsaQueryInformationPolicy(), and LsaEnumerateTrustedDomains().

Do not use NetEnumerateTrustedDomains(), even though it is simpler and does not require admin privilege on the target machine. It behaves erratically at best. If you need the trusted domain list in a non-privileged application, consider wrapping the LSA code into a small DCOM or RPC server.

lsa_letd.cpp, 6 KB

NT5 (a/k/a Windows 2000) introduces an -Ex() variant, LsaEnumerateTrustedDomainsEx(), which offers more information that LsaEnumerateTrustedDomains(). The documentation states that this function requires NT 5 or higher; this also goes for the target server, for the one you whose LSA policy you have opened. I have had a report that the delaration of the function in the headers is incorrect and that it will, in consequence, not clean up the stack; all I can say is that the code below works for me.

lsa_letde.cpp, 8 KB

Michael Reed <reed_mr@hotmail.com> was kind enough to offer his DLL-wrapped vrsion of LETD(), which returns a SAFEARRAY that is eminently more palatable to VB than those packaged Unicode strings: