TOKEN_GROUPS_AND_PRIVILEGES structure
The TOKEN_GROUPS_AND_PRIVILEGES structure contains information about the group security identifiers (SIDs) and privileges in an access token.
Syntax
typedef struct _TOKEN_GROUPS_AND_PRIVILEGES { DWORD SidCount; DWORD SidLength; PSID_AND_ATTRIBUTES Sids; DWORD RestrictedSidCount; DWORD RestrictedSidLength; PSID_AND_ATTRIBUTES RestrictedSids; DWORD PrivilegeCount; DWORD PrivilegeLength; PLUID_AND_ATTRIBUTES Privileges; LUID AuthenticationId; } TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;
Members
- SidCount
-
Number of SIDs in the access token.
- SidLength
-
Length, in bytes, required to hold all of the user SIDs and the account SID for the group.
- Sids
-
A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.
Value Meaning - SE_GROUP_ENABLED
- 0x00000004L
The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID.
A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.
- SE_GROUP_ENABLED_BY_DEFAULT
- 0x00000002L
The SID is enabled by default.
- SE_GROUP_INTEGRITY
- 0x00000020L
The SID is a mandatory integrity SID.
Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported.
- SE_GROUP_INTEGRITY_ENABLED
- 0x00000040L
The mandatory integrity SID is evaluated during access check.
Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This value is not supported.
- SE_GROUP_LOGON_ID
- 0xC0000000L
The SID is a logon SID that identifies the logon session associated with an access token.
- SE_GROUP_MANDATORY
- 0x00000001L
The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID.
- SE_GROUP_OWNER
- 0x00000008L
The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects.
- SE_GROUP_RESOURCE
- 0x20000000L
The SID identifies a domain-local group.
- SE_GROUP_USE_FOR_DENY_ONLY
- 0x00000010L
The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID.
If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled.
- RestrictedSidCount
-
Number of restricted SIDs.
- RestrictedSidLength
-
Length, in bytes, required to hold all of the restricted SIDs.
- RestrictedSids
-
A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of restricted SIDs and corresponding attributes.
The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as those listed for the preceding Sids member.
- PrivilegeCount
-
Number of privileges.
- PrivilegeLength
-
Length, in bytes, needed to hold the privilege array.
- Privileges
-
Array of privileges.
- AuthenticationId
-
Locally unique identifier (LUID) of the authenticator of the token.
Requirements
|
Minimum supported client |
Windows XP [desktop apps only] |
|---|---|
|
Minimum supported server |
Windows Server 2003 [desktop apps only] |
|
Header |
|
See also
- AdjustTokenGroups
- CreateRestrictedToken
- SID_AND_ATTRIBUTES
- TOKEN_CONTROL
- TOKEN_DEFAULT_DACL
- TOKEN_INFORMATION_CLASS
- TOKEN_OWNER
- TOKEN_PRIMARY_GROUP
- TOKEN_PRIVILEGES
- TOKEN_SOURCE
- TOKEN_STATISTICS
- TOKEN_TYPE
- TOKEN_USER