TOKEN_GROUPS_AND_PRIVILEGES structure (winnt.h)
The TOKEN_GROUPS_AND_PRIVILEGES structure contains information about the group security identifiers (SIDs) and privileges in an access token.
Syntax
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
DWORD SidCount;
DWORD SidLength;
PSID_AND_ATTRIBUTES Sids;
DWORD RestrictedSidCount;
DWORD RestrictedSidLength;
PSID_AND_ATTRIBUTES RestrictedSids;
DWORD PrivilegeCount;
DWORD PrivilegeLength;
PLUID_AND_ATTRIBUTES Privileges;
LUID AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;
Members
SidCount
Number of SIDs in the access token.
SidLength
Length, in bytes, required to hold all of the user SIDs and the account SID for the group.
Sids
A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.
| Value | Meaning |
|---|---|
|
The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID.
A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
|
The SID is enabled by default. |
|
The SID is a mandatory integrity SID.
Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. |
|
The mandatory integrity SID is evaluated during access check.
Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported. |
|
The SID is a logon SID that identifies the logon session associated with an access token. |
|
The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID. |
|
The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects. |
|
The SID identifies a domain-local group. |
|
The SID is a deny-only SID in a
restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID.
If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled. |
RestrictedSidCount
Number of restricted SIDs.
RestrictedSidLength
Length, in bytes, required to hold all of the restricted SIDs.
RestrictedSids
A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of restricted SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as those listed for the preceding Sids member.
PrivilegeCount
Number of privileges.
PrivilegeLength
Length, in bytes, needed to hold the privilege array.
Privileges
Array of privileges.
AuthenticationId
Locally unique identifier (LUID) of the authenticator of the token.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Header | winnt.h (include Windows.h) |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for