SetTokenInformation Function

The SetTokenInformation function sets various types of information for a specified access token. The information that this function sets replaces existing information. The calling process must have appropriate access rights to set the information.

Syntax

C++
BOOL WINAPI SetTokenInformation(
  __in  HANDLE TokenHandle,
  __in  TOKEN_INFORMATION_CLASS TokenInformationClass,
  __in  LPVOID TokenInformation,
  __in  DWORD TokenInformationLength
);

Parameters

TokenHandle [in]

A handle to the access token for which information is to be set.

TokenInformationClass [in]

A value from the TOKEN_INFORMATION_CLASS enumerated type that identifies the type of information the function sets. The valid values from TOKEN_INFORMATION_CLASS are described in the TokenInformation parameter.

TokenInformation [in]

A pointer to a buffer that contains the information set in the access token. The structure of this buffer depends on the type of information specified by the TokenInformationClass parameter. The following values are valid in calls to this function.

Value | Meaning

TokenAuditPolicy

The buffer specifies a TOKEN_AUDIT_POLICY structure that sets the per-user policy for the token and all tokens derived from it.

The calling process must have the SE_TCB_NAME privilege enabled.

TokenDefaultDacl

Specifies a TOKEN_DEFAULT_DACL structure. The TOKEN_ADJUST_DEFAULT access right is needed to set information in the default discretionary access control list (DACL). The ACL structure provided as a new default DACL is not validated for correctness or consistency. If the TokenInformation parameter is NULL, the current default DACL is removed and no replacement is established.

TokenMandatoryPolicy

Specifies a TOKEN_MANDATORY_POLICY structure.

The calling process must have the SE_CREATE_TOKEN privilege enabled.

TokenOrigin

Specifies a TOKEN_ORIGIN structure, with the OriginatingLogonSession member of TOKEN_ORIGIN set to a LUID that represents the token origin. The token origin can be set only if it has not previously been set. The SE_TCB_NAME privilege is needed to set the token origin.

TokenOwner

Specifies a TOKEN_OWNER structure. The TOKEN_ADJUST_DEFAULT access right is needed to set owner information. A valid owner value is a user or group identifier with an attribute allowing assignment as the owner of objects.

TokenPrimaryGroup

Specifies a TOKEN_PRIMARY_GROUP structure. The TOKEN_ADJUST_DEFAULT access right is needed to set primary group information.

TokenSessionId

The buffer specifies a DWORD value that indicates the Terminal Services session identifier associated with the token. For more information, see Terminal Services Sessions.

The calling process must have the SE_TCB_NAME privilege, and the privilege must be enabled, to set the session ID in a token.

Windows 2000 Server: This value is supported only if Terminal Services is enabled.

Windows 2000 Professional: This value is not supported.

TokenSessionReference

The buffer specifies a ULONG value that must be set to zero.

The calling process must have the SE_TCB_NAME privilege enabled.

Using this information class removes a reference for the logon session, and marks the token as not referencing the session.

TokenVirtualizationAllowed

The buffer specifies a ULONG value that marks the token as being eligible for virtualization.

The calling process must have the SE_CREATE_TOKEN privilege enabled.

TokenVirtualizationEnabled

The buffer specifies a ULONG value that enables virtualization in an eligible token.

The calling process must have the TOKEN_ADJUST_DEFAULT privilege enabled.

TokenUIAccess

The buffer specifies a ULONG value. A nonzero value enables the token to control the user interface (UI). A value of zero turns off the ability to control the user interface.

The calling process must have the SE_TCB_NAME privilege enabled to turn UI access on, and TOKEN_ADJUST_DEFAULT enabled to turn UI access on or off.

TokenInformationLength [in]

Specifies the length, in bytes, of the buffer pointed to by TokenInformation.

Return Value

If the function succeeds, the function returns nonzero.

If the function fails, it returns zero. To get extended error information, call GetLastError.

Remarks

To set privilege information, an application can call the AdjustTokenPrivileges function. To set a token's groups, an application can call the AdjustTokenGroups function.

Token-type information can be set only when an access token is created.
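
Because the TokenDefaultDacl entry above states that the supplied ACL is not validated, a caller can check the buffer before passing it to SetTokenInformation. The following C example is added here and is not part of the original reference or Microsoft's code: it walks the documented ACL, ACE_HEADER and SID layouts and rejects inconsistent sizes. The names check_default_dacl and check_patched, the status codes and the sample bytes are constructed for this example, and the checks are a simplified set, not the validation Windows itself performs (on Windows, IsValidAcl is the system's own check).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes from the documented ACL, ACE_HEADER and SID layouts (little-endian). */
enum { ACL_HDR = 8, ACE_HDR = 4, MASK_LEN = 4, SID_FIXED = 8 };
typedef enum { ACL_OK, ACL_BAD_HEADER, ACL_BAD_ACE, ACL_BAD_SID } acl_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Hypothetical helper: walk an ACL buffer and reject inconsistent sizes. */
acl_status check_default_dacl(const uint8_t *buf, size_t len)
{
    if (len < ACL_HDR) return ACL_BAD_HEADER;
    size_t acl_size = rd16(buf + 2), ace_count = rd16(buf + 4), off = ACL_HDR;
    if (buf[0] < 2 || buf[0] > 4 || acl_size < ACL_HDR || acl_size > len || acl_size % 4)
        return ACL_BAD_HEADER;                 /* AclRevision 2..4, AclSize sane */
    for (size_t i = 0; i < ace_count; i++) {
        if (acl_size - off < ACE_HDR) return ACL_BAD_ACE;
        size_t ace_size = rd16(buf + off + 2);
        if (ace_size < ACE_HDR || ace_size % 4 || ace_size > acl_size - off)
            return ACL_BAD_ACE;                /* ACE must fit inside AclSize */
        if (buf[off] <= 1) {                   /* ACCESS_ALLOWED (0) / ACCESS_DENIED (1) */
            if (ace_size < ACE_HDR + MASK_LEN + SID_FIXED) return ACL_BAD_ACE;
            const uint8_t *sid = buf + off + ACE_HDR + MASK_LEN;
            if (sid[0] != 1 || sid[1] > 15 ||
                SID_FIXED + 4u * sid[1] > ace_size - ACE_HDR - MASK_LEN)
                return ACL_BAD_SID;            /* SID must fit inside the ACE */
        }
        off += ace_size;
    }
    return ACL_OK;
}

/* Constructed sample: one ACCESS_ALLOWED_ACE granting GENERIC_ALL to S-1-5-18. */
static const uint8_t SAMPLE_DACL[28] = {
    0x02, 0x00, 0x1C, 0x00, 0x01, 0x00, 0x00, 0x00,   /* ACL: rev 2, size 28, 1 ACE */
    0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x10,   /* ACE: type 0, size 20, mask */
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   /* SID: rev 1, 1 subauthority */
    0x12, 0x00, 0x00, 0x00 };                         /* subauthority 18 */

/* Patch one byte of the sample and re-check, to show what gets rejected. */
acl_status check_patched(size_t index, uint8_t value)
{
    uint8_t copy[sizeof SAMPLE_DACL];
    memcpy(copy, SAMPLE_DACL, sizeof copy);
    if (index < sizeof copy) copy[index] = value;
    return check_default_dacl(copy, sizeof copy);
}
int main(void) { return check_default_dacl(SAMPLE_DACL, sizeof SAMPLE_DACL) == ACL_OK ? 0 : 1; }
```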

Requirements

Minimum supported client: Windows 2000 Professional
Minimum supported server: Windows 2000 Server
Header: Winbase.h (include Windows.h)
Library: Advapi32.lib
DLL: Advapi32.dll

See Also

Access Control Overview
Basic Access Control Functions
AdjustTokenGroups
AdjustTokenPrivileges
GetTokenInformation
OpenProcessToken
OpenThreadToken
TOKEN_DEFAULT_DACL
TOKEN_INFORMATION_CLASS
TOKEN_OWNER
TOKEN_PRIMARY_GROUP

Build date: 9/11/2009

Community Content

Thomas Lee
Missing access right
Found on Windows Vista (at least) : TOKEN_ADJUST_DEFAULT is also needed for TokenSessionId (at least)
Tags : contentbug?