An impersonating thread has two access tokens:
- A primary access token that describes the security context of the server. To get a handle to this token, call the OpenProcessToken function.
- An impersonation access token that describes the security context of the client being impersonated. To get a handle to this token, call the OpenThreadToken function.
A server can use the impersonation token in the following functions:
- In the AccessCheck, AccessCheckByType, and AccessCheckByTypeResultList functions to determine whether a security descriptor allows the client a set of access rights.
- In the AdjustTokenPrivileges function to enable or disable the client's privileges.
- In the PrivilegeCheck function to determine whether a set of privileges are enabled in the client's token.
- In functions that generate entries in the security event log, such as ObjectOpenAuditAlarm or PrivilegedServiceAuditAlarm. These functions use an impersonation token to get information about the client for the log entry.