
TOKEN_GROUPS structure

The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token.

Syntax


typedef struct _TOKEN_GROUPS {
  DWORD              GroupCount;
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
} TOKEN_GROUPS, *PTOKEN_GROUPS;

Members

GroupCount

Specifies the number of groups in the access token.

Groups

Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.

Value / Meaning
SE_GROUP_ENABLED
0x00000004L

The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID.

A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.

SE_GROUP_ENABLED_BY_DEFAULT
0x00000002L

The SID is enabled by default.

SE_GROUP_INTEGRITY
0x00000020L

The SID is a mandatory integrity SID.

SE_GROUP_INTEGRITY_ENABLED
0x00000040L

The SID is enabled for mandatory integrity checks.

SE_GROUP_LOGON_ID
0xC0000000L

The SID is a logon SID that identifies the logon session associated with an access token.

SE_GROUP_MANDATORY
0x00000001L

The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID.

SE_GROUP_OWNER
0x00000008L

The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects.

SE_GROUP_RESOURCE
0x20000000L

The SID identifies a domain-local group.

SE_GROUP_USE_FOR_DENY_ONLY
0x00000010L

The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID.

If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled.
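
The attribute rules in the table above, worked through as an added example that is not part of the original documentation: portable C that decodes an Attributes mask into flag names and classifies how the SID takes part in ACE matching. The constants reuse the values listed above; `classify_group`, `describe_attrs`, `ace_role` and the sample masks are hypothetical names and constructed values, and on Windows the input would be `Groups[i].Attributes`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values from the table above (Winnt.h on Windows); other names are hypothetical helpers. */
#define SE_GROUP_MANDATORY          0x00000001u
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002u
#define SE_GROUP_ENABLED            0x00000004u
#define SE_GROUP_OWNER              0x00000008u
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010u
#define SE_GROUP_INTEGRITY          0x00000020u
#define SE_GROUP_INTEGRITY_ENABLED  0x00000040u
#define SE_GROUP_RESOURCE           0x20000000u
#define SE_GROUP_LOGON_ID           0xC0000000u
#define F(x) {SE_GROUP_##x, #x}   /* pairs each mask with its short name */
static const struct { uint32_t mask; const char *name; } FLAGS[] = {
    F(MANDATORY), F(ENABLED_BY_DEFAULT), F(ENABLED), F(OWNER), F(USE_FOR_DENY_ONLY),
    F(INTEGRITY), F(INTEGRITY_ENABLED), F(RESOURCE), F(LOGON_ID),
};
/* How a group SID takes part in ACE matching, following the table's rules. */
enum ace_role { ROLE_IGNORED, ROLE_ALLOW_AND_DENY, ROLE_DENY_ONLY, ROLE_INCONSISTENT };
enum ace_role classify_group(uint32_t attrs) {
    uint32_t m = attrs & (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY);
    if (m == (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)) return ROLE_INCONSISTENT;
    if (m == SE_GROUP_USE_FOR_DENY_ONLY) return ROLE_DENY_ONLY; /* only denied ACEs apply */
    return m ? ROLE_ALLOW_AND_DENY : ROLE_IGNORED;
}

/* Write "A|B|C" flag names into out (cap > 0); return bits matching no listed flag. */
uint32_t describe_attrs(uint32_t attrs, char *out, size_t cap) {
    uint32_t known = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof FLAGS / sizeof FLAGS[0]; i++) {
        /* Compare against the whole mask: SE_GROUP_LOGON_ID spans two bits. */
        if ((attrs & FLAGS[i].mask) != FLAGS[i].mask) continue;
        known |= FLAGS[i].mask;
        size_t used = strlen(out);
        snprintf(out + used, cap - used, "%s%s", used ? "|" : "", FLAGS[i].name);
    }
    return attrs & ~known;
}

int main(void) {
    /* Constructed sample Attributes values, not read from a real token. */
    const uint32_t s[] = {0x00000007u, 0x00000010u, 0xC0000007u, 0x00000014u, 0x80000004u};
    char buf[128];
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        uint32_t extra = describe_attrs(s[i], buf, sizeof buf);
        printf("0x%08X role=%d extra=0x%X %s\n", (unsigned)s[i],
               (int)classify_group(s[i]), (unsigned)extra, buf);
    }
    return 0;
}
```

`classify_group` covers only the SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY rules; integrity and logon SIDs are identified by the names `describe_attrs` returns.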

 

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Winnt.h (include Windows.h)

See also

AdjustTokenGroups
CreateRestrictedToken
SID_AND_ATTRIBUTES
TOKEN_CONTROL
TOKEN_DEFAULT_DACL
TOKEN_INFORMATION_CLASS
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_TYPE
TOKEN_USER

 

 

© 2014 Microsoft. All rights reserved.