SID Attributes in an Access Token

Each user and group security identifier (SID) in an access token has a set of attributes that control how the system uses the SID in an access check. The following table lists the attributes that control access checking.

Attribute                    Meaning

SE_GROUP_ENABLED
    A SID with this attribute is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to one of the enabled SIDs in the access token.
    A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.

SE_GROUP_USE_FOR_DENY_ONLY
    A SID with this attribute is a deny-only SID. When the system performs an access check, it checks for access-denied ACEs that apply to the SID, but it ignores access-allowed ACEs for the SID.
    If this attribute is set, the SE_GROUP_ENABLED attribute is not set and the SID cannot be reenabled.


To set or clear the SE_GROUP_ENABLED attribute of a group SID, use the AdjustTokenGroups function. You cannot disable a group SID that has the SE_GROUP_MANDATORY attribute. You cannot use AdjustTokenGroups to disable the user SID of an access token.

To determine whether a SID is enabled in a token, that is, whether it has the SE_GROUP_ENABLED attribute, call the CheckTokenMembership function.

To set the SE_GROUP_USE_FOR_DENY_ONLY attribute of a SID, include the SID in the list of deny-only SIDs that you specify when you call the CreateRestrictedToken function. CreateRestrictedToken can apply the SE_GROUP_USE_FOR_DENY_ONLY attribute to any SID, including the user SID and group SIDs that have the SE_GROUP_MANDATORY attribute. However, you cannot remove the deny-only attribute from a SID, nor can you use AdjustTokenGroups to set the SE_GROUP_ENABLED attribute on a deny-only SID.

To get the attributes of a SID, call the GetTokenInformation function with the TokenGroups value. The function returns an array of SID_AND_ATTRIBUTES structures that identify the group SIDs and their attributes.
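The following portable C is an added illustration, not code from this page or from Windows: it models how the two attributes change the outcome of an access check against a DACL. SIDs are modelled as strings, the two access-mask bits and the S-1-5-21-... SIDs are constructed for the demo, and the SE_GROUP_* values are the ones defined in winnt.h.

```c
#include <stdbool.h>
#include <string.h>
/* Group attribute bits as defined in winnt.h; the two access-mask bits are constructed for the demo. */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u
#define READ_ACCESS  0x1u
#define WRITE_ACCESS 0x2u
typedef struct { const char *sid; unsigned attributes; } SidAndAttributes; /* SIDs modelled as strings */
typedef struct { const SidAndAttributes *groups; size_t count; } Token;
typedef struct { bool deny; const char *sid; unsigned mask; } Ace;         /* one DACL entry */

/* The rule from the table: a deny-only SID counts only for deny ACEs; otherwise only enabled SIDs count. */
static bool sid_applies(const SidAndAttributes *g, bool deny_ace) {
    if (g->attributes & SE_GROUP_USE_FOR_DENY_ONLY) return deny_ace;
    return (g->attributes & SE_GROUP_ENABLED) != 0;
}
static bool token_has(const Token *t, const char *sid, bool deny_ace) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->groups[i].sid, sid) == 0 && sid_applies(&t->groups[i], deny_ace)) return true;
    return false;
}
/* Walk the DACL in order: a matching deny ACE that covers a still-wanted bit denies; matching allow
   ACEs accumulate granted bits; access is granted once every requested bit has been granted. */
bool access_check(const Token *t, const Ace *dacl, size_t n, unsigned desired) {
    unsigned remaining = desired;
    for (size_t i = 0; i < n && remaining != 0; i++) {
        if (!token_has(t, dacl[i].sid, dacl[i].deny)) continue;
        if (dacl[i].deny && (dacl[i].mask & remaining)) return false;
        if (!dacl[i].deny) remaining &= ~dacl[i].mask;
    }
    return remaining == 0;
}

/* Constructed sample token. The S-1-5-21-... SIDs are made up; S-1-5-32-545 and S-1-5-32-544 are the
   well-known Users and Administrators groups, with Administrators turned deny-only. */
static const SidAndAttributes kGroups[] = {
    { "S-1-5-21-0-0-0-1001", SE_GROUP_ENABLED },           /* user SID */
    { "S-1-5-32-545",        SE_GROUP_ENABLED },           /* Users */
    { "S-1-5-32-544",        SE_GROUP_USE_FOR_DENY_ONLY }, /* Administrators, deny-only */
    { "S-1-5-21-0-0-0-2001", 0 },                          /* group present but not enabled */
};
static const Token kToken = { kGroups, sizeof kGroups / sizeof kGroups[0] };
static const Ace kDacl[] = {
    { true,  "S-1-5-32-544",        WRITE_ACCESS },               /* deny write to Administrators */
    { false, "S-1-5-32-545",        READ_ACCESS },                /* allow read to Users */
    { false, "S-1-5-32-544",        READ_ACCESS | WRITE_ACCESS }, /* allow read/write to Administrators */
    { false, "S-1-5-21-0-0-0-2001", WRITE_ACCESS },               /* allow write to the disabled group */
};
```

With this sample, access_check(&kToken, kDacl, 4, READ_ACCESS) is granted through the enabled Users SID, while WRITE_ACCESS is denied: the deny-only Administrators SID triggers the deny ACE but never satisfies the allow ACE, and the allow ACE for the group without SE_GROUP_ENABLED is ignored.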


© 2015 Microsoft