SID Attributes in an Access Token
Each user and group security identifier (SID) in an access token has a set of attributes that control how the system uses the SID in an access check. The following table lists the attributes that control access checking.
| Attribute | Description |
|---|---|
| SE_GROUP_ENABLED | A SID with this attribute is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to one of the enabled SIDs in the access token. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
| SE_GROUP_USE_FOR_DENY_ONLY | A SID with this attribute is a deny-only SID. When the system performs an access check, it checks for access-denied ACEs that apply to the SID, but it ignores access-allowed ACEs for the SID. If this attribute is set, the SE_GROUP_ENABLED attribute is not set and the SID cannot be reenabled. |
To set or clear the SE_GROUP_ENABLED attribute of a group SID, use the AdjustTokenGroups function. You cannot disable a group SID that has the SE_GROUP_MANDATORY attribute. You cannot use AdjustTokenGroups to disable the user SID of an access token.
To determine whether a SID is enabled in a token, that is, whether it has the SE_GROUP_ENABLED attribute, call the CheckTokenMembership function.
To set the SE_GROUP_USE_FOR_DENY_ONLY attribute of a SID, include the SID in the list of deny-only SIDs that you specify when you call the CreateRestrictedToken function. CreateRestrictedToken can apply the SE_GROUP_USE_FOR_DENY_ONLY attribute to any SID, including the user SID and group SIDs that have the SE_GROUP_MANDATORY attribute. However, you cannot remove the deny-only attribute from a SID, nor can you use AdjustTokenGroups to set the SE_GROUP_ENABLED attribute on a deny-only SID.
To get the attributes of a SID, call the GetTokenInformation function with the TokenGroups value. The function returns an array of SID_AND_ATTRIBUTES structures that identify the group SIDs and their attributes.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for