TOKEN_GROUPS structure
The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token.
Syntax
```c
typedef struct _TOKEN_GROUPS {
  DWORD              GroupCount;
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
} TOKEN_GROUPS, *PTOKEN_GROUPS;
```
Members
- GroupCount
  Specifies the number of groups in the access token.
- Groups
  Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.
| Value | Meaning |
|---|---|
| SE_GROUP_ENABLED 0x00000004L | The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
| SE_GROUP_ENABLED_BY_DEFAULT 0x00000002L | The SID is enabled by default. |
| SE_GROUP_INTEGRITY 0x00000020L | The SID is a mandatory integrity SID. |
| SE_GROUP_INTEGRITY_ENABLED 0x00000040L | The SID is enabled for mandatory integrity checks. |
| SE_GROUP_LOGON_ID 0xC0000000L | The SID is a logon SID that identifies the logon session associated with an access token. |
| SE_GROUP_MANDATORY 0x00000001L | The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID. |
| SE_GROUP_OWNER 0x00000008L | The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects. |
| SE_GROUP_RESOURCE 0x20000000L | The SID identifies a domain-local group. |
| SE_GROUP_USE_FOR_DENY_ONLY 0x00000010L | The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID. If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled. |
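The following C example is added here and is not part of the original reference page: it decodes the Attributes values listed above to show how each group SID takes part in an access check. GROUP_ENTRY, the helper functions and the sample SIDs are constructed for illustration (assumptions), so the code builds without windows.h; on Windows the same logic applies to the Groups array of a TOKEN_GROUPS buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Attribute values exactly as listed in the table above. */
#define SE_GROUP_MANDATORY         0x00000001u
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u
#define SE_GROUP_LOGON_ID          0xC0000000u

/* Hypothetical stand-in for SID_AND_ATTRIBUTES: the SID is kept as a string. */
typedef struct { const char *Sid; uint32_t Attributes; } GROUP_ENTRY;
typedef enum { ROLE_IGNORED, ROLE_ALLOW_AND_DENY, ROLE_DENY_ONLY, ROLE_INVALID } group_role;

/* How a group SID takes part in an access check, per the attribute table. */
group_role classify_group(uint32_t attrs) {
    int enabled   = (attrs & SE_GROUP_ENABLED) != 0;
    int deny_only = (attrs & SE_GROUP_USE_FOR_DENY_ONLY) != 0;
    if (enabled && deny_only) return ROLE_INVALID;   /* documented as never set together */
    if (deny_only) return ROLE_DENY_ONLY;            /* only access-denied ACEs apply */
    if (enabled) return ROLE_ALLOW_AND_DENY;         /* allowed and denied ACEs apply */
    return ROLE_IGNORED;                             /* skipped by the access check */
}

/* SE_GROUP_LOGON_ID is a two-bit value, so compare against the whole mask. */
int is_logon_sid(uint32_t attrs) {
    return (attrs & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID;
}

/* AdjustTokenGroups can clear SE_GROUP_ENABLED only on enabled, non-mandatory groups. */
int can_be_disabled(uint32_t attrs) {
    return classify_group(attrs) == ROLE_ALLOW_AND_DENY && !(attrs & SE_GROUP_MANDATORY);
}

/* Count the entries that can match access-allowed ACEs, i.e. can grant access. */
size_t count_granting_groups(const GROUP_ENTRY *groups, size_t count) {
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        if (classify_group(groups[i].Attributes) == ROLE_ALLOW_AND_DENY) n++;
    return n;
}

/* Constructed sample: group list of a restricted token (SIDs and values are made up). */
const GROUP_ENTRY SAMPLE_GROUPS[] = {
    { "S-1-1-0",                      0x00000007u },  /* Everyone: mandatory, enabled */
    { "S-1-5-32-544",                 0x00000010u },  /* Administrators: deny-only */
    { "S-1-5-5-0-123456",             0xC0000007u },  /* logon SID */
    { "S-1-5-21-1111-2222-3333-1105", 0x00000000u },  /* disabled group */
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_GROUPS / sizeof SAMPLE_GROUPS[0];
```

When auditing a token, a deny-only Administrators entry like the one in the sample means the group can still block access through access-denied ACEs but can no longer grant it.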
Requirements
| Minimum supported client | Windows XP [desktop apps only] |
|---|---|
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Header | |
See also
- AdjustTokenGroups
- CreateRestrictedToken
- SID_AND_ATTRIBUTES
- TOKEN_CONTROL
- TOKEN_DEFAULT_DACL
- TOKEN_INFORMATION_CLASS
- TOKEN_OWNER
- TOKEN_PRIMARY_GROUP
- TOKEN_PRIVILEGES
- TOKEN_SOURCE
- TOKEN_STATISTICS
- TOKEN_TYPE
- TOKEN_USER