Failure of Win API LsaQueryTrustedDomainInfo(..) on a WinNT machine with IN parameter to information class as TrustedDomainInformationEx
From: Soumen Das (soumen_at_gmail.com)
Date: 12/29/04
- Next message: Ed Gregory: "Administrator gets locked out"
- Previous message: Roger Abell: "Re: Is this a security issue or something else?"
- Next in thread: Roger Abell: "Re: Failure of Win API LsaQueryTrustedDomainInfo(..) on a WinNT machine with IN parameter to information class as TrustedDomainInformationEx"
- Reply: Roger Abell: "Re: Failure of Win API LsaQueryTrustedDomainInfo(..) on a WinNT machine with IN parameter to information class as TrustedDomainInformationEx"
Date: 29 Dec 2004 02:00:33 -0800
We have a trust relationship set up between domain servers Win 2003
and a WinNT PDC (SP4) machine. We have verified that an NT user could log
on to a Win2k3 domain and vice versa, indicating that the mixed domain trust was
successfully created.
Question 1: Is this a supported configuration?
Now, we are trying to obtain trust relationship properties for the Win
NT PDC machine containing information as/similar stored in
TRUSTED_DOMAIN_INFORMATION_EX structure.
The problem is -
Win API LsaQueryTrustedDomainInfo(..) fails with "Access is denied"
error on a Windows NT machine when the IN parameter to Information
class is TrustedDomainInformationEx (even though the Trust
Relationship has been successfully created).
The Win API Call Sequence is
- LsaOpenPolicy (..) // null to systemname, POLICY_ALL_ACCESS was granted to in parameter ACCESS_MASK
- LsaEnumerateTrustedDomains(..) // valid SIDs of one or more trusted domains returned in out parameter Buffer
- LsaQueryTrustedDomainInfo(..) // in parameter to Information class as TrustedDomainInformationEx
Reference -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/lsaquerytrusteddomaininfo.asp
This link mentions support for WinNT server 3.51 and later.
Our executable was made to run as an administrative account and/or as
a local system user on WinNT PDC.
Question 2 - Is there any alternative API to obtain trust relationship
properties on a Win NT PDC machine containing information as/similar
stored in TRUSTED_DOMAIN_INFORMATION_EX structure? Or are we doing
anything that is incorrect?
Regards,
Soumen
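
The call sequence described in the post, as an added example that is not part of the original message: a Python ctypes probe that opens the local policy with only POLICY_VIEW_LOCAL_INFORMATION rather than POLICY_ALL_ACCESS and records the NTSTATUS each information class returns for every trusted domain. Querying TrustedDomainNameInformation as a comparison class, the 0x8000 buffer hint, and the helper names `probe` and `name_of` are choices of this example.

```python
import ctypes as ct

# Values from ntsecapi.h. The access mask is this example's choice.
POLICY_VIEW_LOCAL_INFORMATION = 0x0001   # sufficient for enumerate + query
CLASSES = {"TrustedDomainInformationEx": 6, "TrustedDomainNameInformation": 1}

class LSA_UNICODE_STRING(ct.Structure):
    _fields_ = [("Length", ct.c_ushort), ("MaximumLength", ct.c_ushort),
                ("Buffer", ct.c_void_p)]

class LSA_TRUST_INFORMATION(ct.Structure):
    _fields_ = [("Name", LSA_UNICODE_STRING), ("Sid", ct.c_void_p)]

class LSA_OBJECT_ATTRIBUTES(ct.Structure):   # passed zeroed to LsaOpenPolicy
    _fields_ = [("Length", ct.c_uint32), ("RootDirectory", ct.c_void_p),
                ("ObjectName", ct.c_void_p), ("Attributes", ct.c_uint32),
                ("SecurityDescriptor", ct.c_void_p),
                ("SecurityQualityOfService", ct.c_void_p)]

def name_of(us):
    """Decode a counted UTF-16 string; Length is in bytes, no NUL required."""
    return ct.string_at(us.Buffer, us.Length).decode("utf-16-le") if us.Buffer else ""

def probe(query, sid, classes=CLASSES):
    """Query one trusted-domain SID with each class; return {class: NTSTATUS}."""
    return {name: query(sid, cls) & 0xFFFFFFFF for name, cls in classes.items()}

def main():                                  # Windows only: binds advapi32
    lsa, policy = ct.WinDLL("advapi32"), ct.c_void_p()
    st = lsa.LsaOpenPolicy(None, ct.byref(LSA_OBJECT_ATTRIBUTES()),
                           POLICY_VIEW_LOCAL_INFORMATION, ct.byref(policy))
    if st:
        raise OSError(lsa.LsaNtStatusToWinError(ct.c_uint32(st)), "LsaOpenPolicy")
    def query(sid, cls):
        out = ct.c_void_p()
        st = lsa.LsaQueryTrustedDomainInfo(policy, ct.c_void_p(sid), cls, ct.byref(out))
        if out: lsa.LsaFreeMemory(out)       # buffer is allocated by LSA
        return st
    ctx, buf, n = ct.c_uint32(0), ct.c_void_p(), ct.c_uint32(0)
    lsa.LsaEnumerateTrustedDomains(policy, ct.byref(ctx), ct.byref(buf), 0x8000, ct.byref(n))
    domains = ct.cast(buf, ct.POINTER(LSA_TRUST_INFORMATION))
    for d in (domains[i] for i in range(n.value)):   # first batch only
        for cls, st in probe(query, d.Sid).items():
            print(name_of(d.Name), cls, hex(st),
                  "win32 error", lsa.LsaNtStatusToWinError(ct.c_uint32(st)))
    if buf: lsa.LsaFreeMemory(buf)
    lsa.LsaClose(policy)

if __name__ == "__main__":
    main()
```

Comparing the per-class status values shows whether the failure is specific to one information class or applies to every query on the policy handle.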