Edit

Share via

TOKEN_GROUPS_AND_PRIVILEGES structure (winnt.h)

  • Article

The TOKEN_GROUPS_AND_PRIVILEGES structure contains information about the group security identifiers (SIDs) and privileges in an access token.

Syntax

typedef struct _TOKEN_GROUPS_AND_PRIVILEGES {
  DWORD                SidCount;
  DWORD                SidLength;
  PSID_AND_ATTRIBUTES  Sids;
  DWORD                RestrictedSidCount;
  DWORD                RestrictedSidLength;
  PSID_AND_ATTRIBUTES  RestrictedSids;
  DWORD                PrivilegeCount;
  DWORD                PrivilegeLength;
  PLUID_AND_ATTRIBUTES Privileges;
  LUID                 AuthenticationId;
} TOKEN_GROUPS_AND_PRIVILEGES, *PTOKEN_GROUPS_AND_PRIVILEGES;

Members

SidCount

Number of SIDs in the access token.

SidLength

Length, in bytes, required to hold all of the user SIDs and the account SID for the group.

Sids

A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.

Value Meaning
SE_GROUP_ENABLED
0x00000004L
 The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID.

A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.
SE_GROUP_ENABLED_BY_DEFAULT
0x00000002L
 The SID is enabled by default.
SE_GROUP_INTEGRITY
0x00000020L
 The SID is a mandatory integrity SID.

Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP:  This value is not supported.
SE_GROUP_INTEGRITY_ENABLED
0x00000040L
 The mandatory integrity SID is evaluated during access check.

Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP:  This value is not supported.
SE_GROUP_LOGON_ID
0xC0000000L
 The SID is a logon SID that identifies the logon session associated with an access token.
SE_GROUP_MANDATORY
0x00000001L
 The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID.
SE_GROUP_OWNER
0x00000008L
 The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects.
SE_GROUP_RESOURCE
0x20000000L
 The SID identifies a domain-local group.
SE_GROUP_USE_FOR_DENY_ONLY
0x00000010L
 The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID.

If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled.

RestrictedSidCount

Number of restricted SIDs.

RestrictedSidLength

Length, in bytes, required to hold all of the restricted SIDs.

RestrictedSids

A pointer to an array of SID_AND_ATTRIBUTES structures that contain a set of restricted SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as those listed for the preceding Sids member.

PrivilegeCount

Number of privileges.

PrivilegeLength

Length, in bytes, needed to hold the privilege array.

Privileges

Array of privileges.

AuthenticationId

Locally unique identifier (LUID) of the authenticator of the token.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Header winnt.h (include Windows.h)

See also

AdjustTokenGroups

CreateRestrictedToken

SID_AND_ATTRIBUTES

TOKEN_CONTROL

TOKEN_DEFAULT_DACL

TOKEN_INFORMATION_CLASS

TOKEN_OWNER

TOKEN_PRIMARY_GROUP

TOKEN_PRIVILEGES

TOKEN_SOURCE

TOKEN_STATISTICS

TOKEN_TYPE

TOKEN_USER