Changing Privileges in a Token

You can change the privileges in either a primary or an impersonation token in two ways:

  • Using the AdjustTokenPrivileges function
  • Using the CreateRestrictedToken function

AdjustTokenPrivileges cannot add or remove privileges from the token. It can only enable existing privileges that are currently disabled or disable existing privileges that are currently enabled. For examples, see Enabling and Disabling Privileges in C++.

To assign privileges to a user account, see Assigning Privileges to an Account.

CreateRestrictedToken has more extensive capabilities as follows:

  • Removing a privilege. Note that removing a privilege is not the same as disabling one. After a privilege is removed from a token, it cannot be put back.
  • Attaching the deny-only attribute to SIDs in the token. This has the effect of disallowing specific groups or accounts, for example, denying the Everyone group delete access to a particular file. For more information on restricting SIDs, see SID Attributes in an Access Token.
  • Specifying a list of restricting SIDs in the token. For information about restricting SIDs, see Restricted Tokens.
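The following PowerShell script is an added example, not code from the original page or from Microsoft's own samples. It contrasts the two functions above on the current process token: AdjustTokenPrivileges can disable and re-enable a privilege, while CreateRestrictedToken deletes it so that a later AdjustTokenPrivileges call reports ERROR_NOT_ALL_ASSIGNED. The P/Invoke declarations, the TokenApi class and the Set-TokenPrivilege helper are my own; SeChangeNotifyPrivilege is used because every token holds it.

```powershell
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public struct LUID { public uint LowPart; public int HighPart; }
public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; } // one entry, 16 bytes
public static class TokenApi {  // hypothetical helper class: hand-written P/Invoke declarations for the Win32 calls used below
  public const uint TOKEN_DUPLICATE = 0x2, TOKEN_QUERY = 0x8, TOKEN_ADJUST_PRIVILEGES = 0x20, SE_PRIVILEGE_ENABLED = 0x2;
  public const int ERROR_NOT_ALL_ASSIGNED = 1300;
  [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool CreateRestrictedToken(IntPtr token, uint flags, uint disableSidCount, IntPtr sidsToDisable, uint deletePrivCount, LUID_AND_ATTRIBUTES[] privsToDelete, uint restrictSidCount, IntPtr sidsToRestrict, out IntPtr newToken);
}
'@

# Enable or disable one privilege with AdjustTokenPrivileges. The call returns TRUE even when the
# privilege is not in the token; only GetLastError (ERROR_NOT_ALL_ASSIGNED) reveals that.
function Set-TokenPrivilege([IntPtr]$Token, [string]$Name, [bool]$Enable) {
    $luid = New-Object LUID
    if (-not [TokenApi]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { return 'lookup-failed' }
    $entry = New-Object LUID_AND_ATTRIBUTES
    $entry.Luid = $luid
    if ($Enable) { $entry.Attributes = [TokenApi]::SE_PRIVILEGE_ENABLED } else { $entry.Attributes = 0 }
    $tp = New-Object TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1
    $tp.Privileges = $entry
    $ok  = [TokenApi]::AdjustTokenPrivileges($Token, $false, [ref]$tp, 16, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (-not $ok) { return "failed (error $err)" }
    if ($err -eq [TokenApi]::ERROR_NOT_ALL_ASSIGNED) { return 'not-held' }
    return 'adjusted'
}

$token = [IntPtr]::Zero
$access = [TokenApi]::TOKEN_QUERY -bor [TokenApi]::TOKEN_ADJUST_PRIVILEGES -bor [TokenApi]::TOKEN_DUPLICATE
if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), $access, [ref]$token)) { throw 'OpenProcessToken failed' }

# 1. AdjustTokenPrivileges only toggles state: the privilege stays in the token and can be re-enabled.
"disable on process token:   " + (Set-TokenPrivilege $token 'SeChangeNotifyPrivilege' $false)
"re-enable on process token: " + (Set-TokenPrivilege $token 'SeChangeNotifyPrivilege' $true)

# 2. CreateRestrictedToken deletes the privilege: the new token no longer holds it, so enabling cannot succeed.
$luid = New-Object LUID
[void][TokenApi]::LookupPrivilegeValue($null, 'SeChangeNotifyPrivilege', [ref]$luid)
$del = New-Object LUID_AND_ATTRIBUTES; $del.Luid = $luid
$restricted = [IntPtr]::Zero
if (-not [TokenApi]::CreateRestrictedToken($token, 0, 0, [IntPtr]::Zero, 1, [LUID_AND_ATTRIBUTES[]]@($del), 0, [IntPtr]::Zero, [ref]$restricted)) { throw 'CreateRestrictedToken failed' }
"re-enable on restricted token: " + (Set-TokenPrivilege $restricted 'SeChangeNotifyPrivilege' $true)
[void][TokenApi]::CloseHandle($restricted); [void][TokenApi]::CloseHandle($token)
```

The first two calls report the privilege as adjusted on the original token, while the call on the restricted token reports it as not held: once removed by CreateRestrictedToken, the privilege cannot be put back.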