
TOKEN_GROUPS_AND_PRIVILEGES structure

The TOKEN_GROUPS_AND_PRIVILEGES structure contains information about the group security identifiers (SIDs) and privileges in an access token.

Syntax


typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
  DWORD                SidCount;
  DWORD                SidLength;
  PSID_AND_ATTRIBUTES  Sids;
  DWORD                RestrictedSidCount;
  DWORD                RestrictedSidLength;
  PSID_AND_ATTRIBUTES  RestrictedSids;
  DWORD                PrivilegeCount;
  DWORD                PrivilegeLength;
  PLUID_AND_ATTRIBUTES Privileges;
  LUID                 AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;

Members

SidCount

Number of SIDs in the access token.

SidLength

Length, in bytes, required to hold all of the user SIDs and the account SID for the group.

Sids

A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.

Value | Meaning
SE_GROUP_ENABLED
0x00000004L

The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID.

A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.

SE_GROUP_ENABLED_BY_DEFAULT
0x00000002L

The SID is enabled by default.

SE_GROUP_INTEGRITY
0x00000020L

The SID is a mandatory integrity SID.

Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP:  This value is not supported.

SE_GROUP_INTEGRITY_ENABLED
0x00000040L

The mandatory integrity SID is evaluated during access check.

Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP:  This value is not supported.

SE_GROUP_LOGON_ID
0xC0000000L

The SID is a logon SID that identifies the logon session associated with an access token.

SE_GROUP_MANDATORY
0x00000001L

The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID.

SE_GROUP_OWNER
0x00000008L

The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects.

SE_GROUP_RESOURCE
0x20000000L

The SID identifies a domain-local group.

SE_GROUP_USE_FOR_DENY_ONLY
0x00000010L

The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID.

If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled.


RestrictedSidCount

Number of restricted SIDs.

RestrictedSidLength

Length, in bytes, required to hold all of the restricted SIDs.

RestrictedSids

A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of restricted SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as those listed for the preceding Sids member.

PrivilegeCount

Number of privileges.

PrivilegeLength

Length, in bytes, needed to hold the privilege array.

Privileges

A pointer to an array of LUID_AND_ATTRIBUTES structures that contain the privileges.

AuthenticationId

Locally unique identifier (LUID) of the authenticator of the token.
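
The access-check rules from the Attributes table for Sids and RestrictedSids, applied to raw Attributes values. This is an added example, not code from the original page or from Microsoft. The names `sid_role`, `classify_sid` and `is_logon_sid` are hypothetical, the sample values are constructed, and reporting a SID with both integrity bits as its own category is this example's reading of the table.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the table above; guarded so the block also builds
   where Winnt.h already defines them. */
#ifndef SE_GROUP_ENABLED
#define SE_GROUP_ENABLED            0x00000004UL
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010UL
#define SE_GROUP_INTEGRITY          0x00000020UL
#define SE_GROUP_INTEGRITY_ENABLED  0x00000040UL
#define SE_GROUP_LOGON_ID           0xC0000000UL
#endif

/* Hypothetical names for this example; not part of the Windows API. */
typedef enum { SID_IGNORED, SID_ALLOW_AND_DENY, SID_DENY_ONLY,
               SID_INTEGRITY_LABEL, SID_INCONSISTENT } sid_role;

/* How a SID with these Attributes takes part in an access check. */
sid_role classify_sid(uint32_t a) {
    int enabled   = (a & SE_GROUP_ENABLED) != 0;
    int deny_only = (a & SE_GROUP_USE_FOR_DENY_ONLY) != 0;
    if (enabled && deny_only) return SID_INCONSISTENT; /* deny-only implies not enabled */
    if (deny_only) return SID_DENY_ONLY;      /* only access-denied ACEs apply */
    if (enabled)   return SID_ALLOW_AND_DENY; /* access-allowed and access-denied ACEs apply */
    if ((a & SE_GROUP_INTEGRITY) && (a & SE_GROUP_INTEGRITY_ENABLED))
        return SID_INTEGRITY_LABEL;           /* mandatory integrity SID, evaluated */
    return SID_IGNORED;                       /* skipped during the access check */
}

/* SE_GROUP_LOGON_ID spans two bits, so compare the masked value for
   equality; a non-zero test would also match a single high bit. */
int is_logon_sid(uint32_t a) {
    return (a & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID;
}

int main(void) {
    /* Constructed sample Attributes values, not read from a real token. */
    static const struct { const char *label; uint32_t attrs; } sample[] = {
        { "ordinary group",  0x00000007 }, { "deny-only group", 0x00000010 },
        { "logon SID",       0xC0000007 }, { "integrity label", 0x00000060 },
        { "disabled group",  0x00000000 }, { "high bit only",   0x80000000 },
    };
    static const char *role[] = { "ignored", "allow+deny", "deny-only",
                                  "integrity", "inconsistent" };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("%-16s 0x%08lX %-12s logon=%d\n", sample[i].label,
               (unsigned long)sample[i].attrs,
               role[classify_sid(sample[i].attrs)], is_logon_sid(sample[i].attrs));
    return 0;
}
```
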

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Winnt.h (include Windows.h)

See also

AdjustTokenGroups
CreateRestrictedToken
SID_AND_ATTRIBUTES
TOKEN_CONTROL
TOKEN_DEFAULT_DACL
TOKEN_INFORMATION_CLASS
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_TYPE
TOKEN_USER

© 2014 Microsoft