Contents of an Access Token

An access token contains a complete description of the security context for a process or thread, including the following information:

User    The SID for the user's account. If the user logs on to an account on the local computer, the user's SID is taken from the account database maintained by the local SAM. If the user logs on to a domain account, the SID is taken from the Object-SID property of the User object in Active Directory.

Groups    A list of SIDs for the security groups that include the user, together with the well-known SIDs that the system adds at logon (for example Everyone, Authenticated Users, and the logon SID that identifies the logon session). The list also includes SIDs from the SID-History property of the User object representing the user's account in Active Directory. Each entry carries attribute flags; in a restricted token a group can be marked for deny-only use, so that it can match access-denied ACEs but never grant access.

Privileges    A list of privileges held on the local computer by the user and by the user's security groups.

Owner    The SID for the user or security group who, by default, becomes the owner of any object that the user either creates or takes ownership of.

Primary Group    The SID for the user's primary security group. This information is used only by the POSIX subsystem and is ignored by the rest of Windows 2000.

Default Discretionary Access Control List (DACL)    A built-in set of permissions that the operating system applies to objects created by the user if no other access control information is available, that is, when the creator supplies no security descriptor and the parent object contributes no inheritable ACEs. The default DACL grants Full Control to the token's owner (the account in the Owner field) and to the local System account. For more information about the defaulting of access control information for new objects, see "DACLs for New Objects" later in this chapter.

Source    The process that caused the access token to be created, such as Session Manager, LAN Manager, or Remote Procedure Call (RPC) Server.

Type    A value indicating whether the access token is a primary or impersonation token. A primary token is an access token that represents the security context of a process. An impersonation token is an access token that a thread, typically in a service process, uses to temporarily adopt a different security context, such as the security context of a client of the service, while the process's primary token is left unchanged.

Impersonation Level    Present only in impersonation tokens. A value that indicates to what extent a service can adopt the security context of the client represented by this access token: Anonymous, Identification (the server can learn who the client is but cannot act as the client), Impersonation (the server can act as the client on the local computer), or Delegation (the server can also act as the client when accessing remote computers).

Statistics    Information about the access token itself. The operating system uses this information internally.

Restricting SIDs    An optional list of SIDs added to an access token by a process with authority to create a restricted token (CreateRestrictedToken). When this list is present, an access check must grant the requested access against both the normal group list and the restricting SIDs list, so a thread running under a restricted token has access lower than, and never higher than, what the user is otherwise allowed.

Session ID    A value that identifies the Terminal Services session with which the access token is associated. Session 0 is the console session; a nonzero value indicates that the token belongs to a Terminal Services client session.
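The fields listed above can be read from a live token through GetTokenInformation. The PowerShell script below is an added example, not code from the original page or from Microsoft; it opens the calling process's primary token and prints the Groups (with their attribute flags), Privileges, Default DACL, Type, Impersonation Level, Statistics, Restricting SIDs and Session ID, using the User and Owner fields from the managed WindowsIdentity wrapper. The struct layouts (TOKEN_GROUPS, TOKEN_PRIVILEGES, TOKEN_STATISTICS offsets) are taken from the Win32 headers and are assumed to hold for both x86 and x64; the class name TokenNative and the helper Get-TokenInfo are this example's own names. Current versions of Windows carry additional token information classes (integrity level, for instance) that the script does not query.

```powershell
# Added example (not from the original page): dump the fields of the calling process's primary
# token with Win32 GetTokenInformation via P/Invoke. Runs unelevated on Windows PowerShell 5.1+.
if (-not ('TokenNative' -as [type])) { Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class TokenNative {
    public const uint TOKEN_QUERY = 0x0008;
    public enum InfoClass { TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup,
        TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, InfoClass cls, IntPtr buf, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeName(string sys, ref long luid, StringBuilder name, ref uint cch);
}
'@ }
$M = [System.Runtime.InteropServices.Marshal]

# Two-call pattern: the first call reports the size needed, the second fills a buffer the caller frees.
function Get-TokenInfo([IntPtr]$Token, [string]$Class) {
    $cls = [TokenNative+InfoClass]$Class
    $needed = [uint32]0
    [void][TokenNative]::GetTokenInformation($Token, $cls, [IntPtr]::Zero, 0, [ref]$needed)
    $buf = $M::AllocHGlobal([int]$(if ($needed -gt 0) { $needed } else { 1 }))
    if (-not [TokenNative]::GetTokenInformation($Token, $cls, $buf, $needed, [ref]$needed)) {
        $err = $M::GetLastWin32Error(); $M::FreeHGlobal($buf)
        throw "GetTokenInformation($Class) failed with Win32 error $err"
    }
    return $buf
}

$hToken = [IntPtr]::Zero
if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), [TokenNative]::TOKEN_QUERY, [ref]$hToken)) {
    throw "OpenProcessToken failed with Win32 error $($M::GetLastWin32Error())"
}
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()   # managed view of the same token
"User           : $($id.User)  ($($id.Name))"
"Owner          : $($id.Owner)"

# TOKEN_GROUPS: DWORD GroupCount, padding, then SID_AND_ATTRIBUTES[] { PSID Sid; DWORD Attributes }.
$buf = Get-TokenInfo $hToken TokenGroups
$count = $M::ReadInt32($buf); $ps = [IntPtr]::Size
"Groups         : ($count)"
for ($i = 0; $i -lt $count; $i++) {
    $entry = [IntPtr]::Add($buf, $ps + 2 * $ps * $i)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($M::ReadIntPtr($entry))
    $attrs = $M::ReadInt32([IntPtr]::Add($entry, $ps))
    $flags = @(); if ($attrs -band 0x4) { $flags += 'Enabled' }               # SE_GROUP_ENABLED
    if ($attrs -band 0x10) { $flags += 'DenyOnly' }                            # SE_GROUP_USE_FOR_DENY_ONLY
    if (($attrs -band 0xC0000000) -eq 0xC0000000) { $flags += 'LogonId' }      # SE_GROUP_LOGON_ID (Int32 literal)
    "    {0,-46} {1}" -f $sid, ($flags -join ',')
}
$M::FreeHGlobal($buf)

# TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[] (8-byte LUID + 4-byte flags).
$buf = Get-TokenInfo $hToken TokenPrivileges
$count = $M::ReadInt32($buf)
"Privileges     : ($count)"
for ($i = 0; $i -lt $count; $i++) {
    $entry = [IntPtr]::Add($buf, 4 + 12 * $i)
    $luid = $M::ReadInt64($entry); $attrs = $M::ReadInt32([IntPtr]::Add($entry, 8))
    $name = [System.Text.StringBuilder]::new(256); $cch = [uint32]$name.Capacity
    [void][TokenNative]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$cch)
    "    {0,-32} {1}" -f $name.ToString(), $(if ($attrs -band 0x2) { 'Enabled' } else { 'Disabled' })  # SE_PRIVILEGE_ENABLED
}
$M::FreeHGlobal($buf)

# Default DACL: TOKEN_DEFAULT_DACL is a pointer to an ACL whose USHORT AclSize sits at offset 2.
# Expect GENERIC_ALL (mask 0x10000000) for the owner SID and for SYSTEM (S-1-5-18).
$buf = Get-TokenInfo $hToken TokenDefaultDacl
$pAcl = $M::ReadIntPtr($buf)
$aclBytes = [byte[]]::new([uint16]$M::ReadInt16([IntPtr]::Add($pAcl, 2)))
$M::Copy($pAcl, $aclBytes, 0, $aclBytes.Length); $M::FreeHGlobal($buf)
"Default DACL   :"
foreach ($ace in [System.Security.AccessControl.RawAcl]::new($aclBytes, 0)) {
    "    {0,-14} {1}  mask=0x{2:X8}" -f $ace.AceType, $ace.SecurityIdentifier, $ace.AccessMask
}

$buf = Get-TokenInfo $hToken TokenType
"Type           : $(if ($M::ReadInt32($buf) -eq 1) { 'Primary' } else { 'Impersonation' })"; $M::FreeHGlobal($buf)
# TokenImpersonationLevel exists only on impersonation tokens; on a primary token the query fails with ERROR_INVALID_PARAMETER (87).
try {
    $buf = Get-TokenInfo $hToken TokenImpersonationLevel
    $lvl = @('Anonymous', 'Identification', 'Impersonation', 'Delegation')[$M::ReadInt32($buf)]; $M::FreeHGlobal($buf)
} catch { $lvl = 'n/a (primary token)' }
"Impersonation  : $lvl"
$buf = Get-TokenInfo $hToken TokenStatistics      # TOKEN_STATISTICS: LUID TokenId, LUID AuthenticationId, ...
"Statistics     : AuthenticationId=0x{0:X} (logon session LUID; 0x3E7 is SYSTEM's)" -f $M::ReadInt64([IntPtr]::Add($buf, 8))
$M::FreeHGlobal($buf)
$buf = Get-TokenInfo $hToken TokenRestrictedSids  # a TOKEN_GROUPS; GroupCount is 0 unless CreateRestrictedToken made this token
"Restricting SIDs: $($M::ReadInt32($buf))"; $M::FreeHGlobal($buf)
$buf = Get-TokenInfo $hToken TokenSessionId
"Session ID     : $($M::ReadInt32($buf))"; $M::FreeHGlobal($buf)
[void][TokenNative]::CloseHandle($hToken)
```

Run it from an ordinary (non-elevated) prompt; TOKEN_QUERY on your own process token needs no privilege. Two details are worth noticing in the output: the TokenImpersonationLevel query fails on a primary token, which is why the script treats error 87 as "no level" rather than as a fault, and the AuthenticationId printed under Statistics is the logon session LUID that the Security event log records as the Logon ID, which is what lets you tie a token back to the 4624 logon event that created its session.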