An impersonating thread has two access tokens:
- A primary access token that describes the security context of the server. To get a handle to this token, call the OpenProcessToken function.
- An impersonation access token that describes the security context of the client being impersonated. To get a handle to this token, call the OpenThreadToken function.
A server can use the impersonation token in the following functions:
- In the AccessCheck, AccessCheckByType, and AccessCheckByTypeResultList functions to determine whether a security descriptor allows the client a set of access rights.
- In the AdjustTokenPrivileges function to enable or disable the client's privileges.
- In the PrivilegeCheck function to determine whether a set of privileges are enabled in the client's token.
- In functions that generate entries in the security event log, such as ObjectOpenAuditAlarm or PrivilegedServiceAuditAlarm. These functions use an impersonation token to get information about the client for the log entry.
Build date: 10/26/2012