JOBOBJECT_SECURITY_LIMIT_INFORMATION structure

[JOBOBJECT_SECURITY_LIMIT_INFORMATION is available for use in the operating systems specified in the Requirements section. Support for this structure was removed starting with Windows Vista. For information, see Remarks.]

Contains the security limitations for a job object.

Syntax


typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION {
  DWORD             SecurityLimitFlags;
  HANDLE            JobToken;
  PTOKEN_GROUPS     SidsToDisable;
  PTOKEN_PRIVILEGES PrivilegesToDelete;
  PTOKEN_GROUPS     RestrictedSids;
} JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION;

Members

SecurityLimitFlags

The security limitations for the job. This member can be one or more of the following values.

ValueMeaning
JOB_OBJECT_SECURITY_FILTER_TOKENS
0x00000008

Applies a filter to the token when a process impersonates a client. Requires at least one of the following members to be set: SidsToDisable, PrivilegesToDelete, or RestrictedSids.

JOB_OBJECT_SECURITY_NO_ADMIN
0x00000001

Prevents any process in the job from using a token that specifies the local administrators group.

JOB_OBJECT_SECURITY_ONLY_TOKEN
0x00000004

Forces processes in the job to run under a specific token. Requires a token handle in the JobToken member.

JOB_OBJECT_SECURITY_RESTRICTED_TOKEN
0x00000002

Prevents any process in the job from using a token that was not created with the CreateRestrictedToken function.

 

JobToken

A handle to the primary token that represents a user. The handle must have TOKEN_ASSIGN_PRIMARY access.

If the token was created with CreateRestrictedToken, all processes in the job are limited to that token or a further restricted token. Otherwise, the caller must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege.

SidsToDisable

A pointer to a TOKEN_GROUPS structure that specifies the SIDs to disable for access checking, if SecurityLimitFlags is JOB_OBJECT_SECURITY_FILTER_TOKENS.

This member can be NULL if you do not want to disable any SIDs.

PrivilegesToDelete

A pointer to a TOKEN_PRIVILEGES structure that specifies the privileges to delete from the token, if SecurityLimitFlags is JOB_OBJECT_SECURITY_FILTER_TOKENS.

This member can be NULL if you do not want to delete any privileges.

RestrictedSids

A pointer to a TOKEN_GROUPS structure that specifies the deny-only SIDs that will be added to the access token, if SecurityLimitFlags is JOB_OBJECT_SECURITY_FILTER_TOKENS.

This member can be NULL if you do not want to specify any deny-only SIDs.

Remarks

After security limitations are placed on processes in a job, they cannot be revoked.

Starting with Windows Vista, you must set security limitations individually for each process associated with a job object, rather than setting them for the job object by using SetInformationJobObject. For information, see Process Security and Access Rights.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

End of client support

Windows XP

End of server support

Windows Server 2003

Header

WinNT.h (include Windows.h)

See also

CreateRestrictedToken
QueryInformationJobObject
SetInformationJobObject
TOKEN_GROUPS
TOKEN_PRIVILEGES

 

 

Community Additions

ADD
Show:
© 2014 Microsoft