Home Library Learn Downloads Support Community
Sign in | United States - English | |
This topic has not yet been rated - Rate this topic

JOBOBJECT_SECURITY_LIMIT_INFORMATION structure

[JOBOBJECT_SECURITY_LIMIT_INFORMATION is available for use in the operating systems specified in the Requirements section. Support for this structure was removed starting with Windows Vista. For information, see Remarks.]

Applies to: desktop apps only

Contains the security limitations for a job object.

Syntax

Copy 
typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION {
  DWORD             SecurityLimitFlags;
  HANDLE            JobToken;
  PTOKEN_GROUPS     SidsToDisable;
  PTOKEN_PRIVILEGES PrivilegesToDelete;
  PTOKEN_GROUPS     RestrictedSids;
} JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION;

Members

SecurityLimitFlags

The security limitations for the job. This member can be one or more of the following values.

ValueMeaning
JOB_OBJECT_SECURITY_FILTER_TOKENS
0x00000008

Applies a filter to the token when a process impersonates a client. Requires at least one of the following members to be set: SidsToDisable, PrivilegesToDelete, or RestrictedSids.

JOB_OBJECT_SECURITY_NO_ADMIN
0x00000001

Prevents any process in the job from using a token that specifies the local administrators group.

JOB_OBJECT_SECURITY_ONLY_TOKEN
0x00000004

Forces processes in the job to run under a specific token. Requires a token handle in the JobToken member.

JOB_OBJECT_SECURITY_RESTRICTED_TOKEN
0x00000002

Prevents any process in the job from using a token that was not created with the CreateRestrictedToken function.

 

JobToken

A handle to the primary token that represents a user. The handle must have TOKEN_ASSIGN_PRIMARY access.

If the token was created with CreateRestrictedToken, all processes in the job are limited to that token or a further restricted token. Otherwise, the caller must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege.

SidsToDisable

A pointer to a TOKEN_GROUPS structure that specifies the SIDs to disable for access checking, if SecurityLimitFlags is JOB_OBJECT_SECURITY_FILTER_TOKENS.

This member can be NULL if you do not want to disable any SIDs.

PrivilegesToDelete

A pointer to a TOKEN_PRIVILEGES structure that specifies the privileges to delete from the token, if SecurityLimitFlags is JOB_OBJECT_SECURITY_FILTER_TOKENS.

This member can be NULL if you do not want to delete any privileges.

RestrictedSids

A pointer to a TOKEN_GROUPS structure that specifies the deny-only SIDs that will be added to the access token, if SecurityLimitFlags is JOB_OBJECT_SECURITY_FILTER_TOKENS.

This member can be NULL if you do not want to specify any deny-only SIDs.

Remarks

After security limitations are placed on processes in a job, they cannot be revoked.

Starting with Windows Vista, you must set security limitations individually for each process associated with a job object, rather than setting them for the job object by using SetInformationJobObject. For information, see Process Security and Access Rights.

Requirements

Minimum supported client

Windows XP

Minimum supported server

Windows Server 2003

End of client support

Windows XP

End of server support

Windows Server 2003

Header
WinNT.h (include Windows.h)

See also

CreateRestrictedToken
QueryInformationJobObject
SetInformationJobObject
TOKEN_GROUPS
TOKEN_PRIVILEGES

 

 

Send comments about this topic to Microsoft

Build date: 3/7/2012

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ