Access Tokens Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Access Tokens Tools
Access Tokens Registry Entries
Access Tokens Group Policy Settings
Access Tokens WMI Classes
Access Tokens Tools
The following tools are associated with access tokens.
Dsa.msc: Active Directory Users and Computers
Category
Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that is installed automatically when you install Active Directory. This tool also ships with the Administration Tools Pack (Adminpak.msi).
You can access the tool from the Start menu: Click Start, then click Programs, then click Administrative Tools, and then click Active Directory Users and Computers.
Version Compatibility
Active Directory Users and Computers runs on domain controllers that are running Windows Server 2003 and Windows 2000. In both of these server systems, MMC provides a window in the user interface where you can add, configure, and control items. Active Directory Users and Computers is the MMC snap-in that you can use to administer and publish information in the directory.
The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000.
On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 directory on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs LDAP traffic between the administrative tool clients and domain controllers.
Note
- You cannot run the Microsoft Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).
You can manage the following objects and their associated properties with this tool, which in turn will affect access tokens created for these objects.
Active Directory Users and Computers Object Management
Object Type | Changes That Affect Access Tokens |
---|---|
User objects | Configure a user or service account for delegation. |
Computer objects | Configure the computer account for delegation. This affects services that run under the local System account, which present the computer account's identity on the network. |
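The delegation settings in the table above are stored in the TRUSTED_FOR_DELEGATION bit (0x80000) of each account's userAccountControl attribute. The following PowerShell script, added here as an example rather than taken from the page or the Windows Server 2003 documentation, lists every user and computer account in the current domain that has the bit set, using ADSI so that it works on Windows Server 2003 without additional modules. It assumes a domain-joined machine and an account with read access to the directory; domain controllers are trusted for delegation by default and will appear in the output.

```powershell
# Added example (not from the page): enumerate accounts trusted for delegation.
# An account with this bit set can obtain tokens that impersonate connecting
# clients to other hosts, so the list should be short and deliberate.

$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationTrustedAccount {
    param(
        # LDAP path of the search root; default is the current domain (assumption).
        [string]$SearchRoot = "LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    )
    # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule, so the
    # filter matches objects whose userAccountControl has the delegation bit set.
    $filter = '(&(|(objectCategory=person)(objectCategory=computer))' +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter = $filter
    $searcher.PageSize = 1000   # paged results, so large domains are fully enumerated
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectCategory', 'servicePrincipalName'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # keys are lower-case in the result collection
        New-Object PSObject -Property @{
            Account  = [string]$p['samaccountname'][0]
            # objectCategory is a DN such as CN=Computer,CN=Schema,...; keep the leaf name
            Category = (([string]$p['objectcategory'][0]) -split ',')[0] -replace '^CN=', ''
            # SPNs tell you which services on this account can receive delegated tokens
            SPNCount = @($p['serviceprincipalname']).Count
            Path     = $result.Path
        }
    }
}

Get-DelegationTrustedAccount | Sort-Object Category, Account | Format-Table Category, Account, SPNCount, Path -AutoSize
```

Review any user account in the output especially carefully: a service account trusted for delegation can use the tokens of every client that authenticates to it, which is why Active Directory Users and Computers exposes the setting as an explicit per-account choice.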
To find more information about Active Directory Users and Computers, see Windows Server 2003 Tools Help in the Tools and Settings Collection.
Ntrights.exe: Ntrights
Category
Ntrights is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.
Version compatibility
Ntrights is supported for Windows Server 2003, Windows XP Professional, and Windows 2000.
Ntrights is a command-line tool that enables you to assign or revoke a right for a user or group of users on a local or remote computer. You can also place an entry that notes the change in the event log of the computer.
Ntrights is useful in unattended or automated installations during which you might want to change the default rights. You can also use the tool in situations where you need to change a right in an existing installation, but you cannot access and log on to all computers.
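The following PowerShell wrapper is an added example, not part of the Resource Kit documentation; it shows the unattended case described above by calling Ntrights against several computers from one workstation and recording a note in each target's event log. The computer names, the account, the right, and the reason text are placeholders; Ntrights.exe must be on the path of the workstation running the script.

```powershell
# Added example (not from the page): grant one user right on several computers
# with Ntrights and collect each result. Names below are placeholders.
$Computers = @('SRV01', 'SRV02')              # assumption: target member servers
$Account   = 'CONTOSO\svc-backup'             # assumption: the service account

function Grant-RightRemote {
    param(
        [string[]]$Computer,
        [string]$Account,
        [string]$Right,
        [string]$Reason
    )
    if (-not (Get-Command ntrights.exe -ErrorAction SilentlyContinue)) {
        throw 'ntrights.exe not found; install the Windows Server 2003 Resource Kit Tools'
    }
    foreach ($c in $Computer) {
        # +r adds the right, -r would revoke it; -m targets a remote computer;
        # -e writes the given text to the target's event log so the change is traceable.
        $output = & ntrights.exe -u $Account '+r' $Right -m "\\$c" -e $Reason 2>&1
        New-Object PSObject -Property @{
            Computer = $c
            Right    = $Right
            ExitCode = $LASTEXITCODE
            Output   = ($output | Out-String).Trim()
        }
    }
}

# Grant only the logon right the service actually needs. Do not hand out the
# token privileges listed later on this page (SeCreateTokenPrivilege,
# SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege) this way unless the
# service genuinely requires them; each one lets the holder act as other users.
Grant-RightRemote -Computer $Computers -Account $Account -Right 'SeServiceLogonRight' -Reason 'Change 1234: backup agent logon right' |
    Format-Table Computer, Right, ExitCode, Output -AutoSize
```

A non-zero ExitCode with the captured Output is the usual sign that the remote computer refused the connection or that the right name was mistyped; Ntrights expects the internal name (for example SeServiceLogonRight), not the display name shown in the Local Security Policy console.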
To find more information about Ntrights, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.
Services.msc: Services
Category
Services is a Microsoft Management Console (MMC) snap-in that is automatically installed when you install Windows Server 2003. There are two ways to access the tool:
- Click Start, then click Programs, then click Administrative Tools, and then click Services.
Or,
- Right-click My Computer, and then click Manage.
Version compatibility
Services runs on systems that are running Windows Server 2003, Windows XP, and Windows 2000.
Services sets the security context in which each service runs, and therefore the access token its process receives. Services affects access tokens when you use it to:
- Manage the services on your computer, including the account each service logs on as.
- Set up recovery actions to take place if a service fails.
- Create custom names and descriptions for services so you can easily identify them.
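The logon account chosen in Services is what determines a service's token: LocalSystem, LOCAL SERVICE, and NETWORK SERVICE receive the built-in tokens, while a user or domain account receives that account's own token (including its delegation setting from the Active Directory table above). The following script is an added example, not from the page, that reports each service's logon account through the Win32_Service WMI class so that services running under custom accounts can be reviewed.

```powershell
# Added example (not from the page): report which account each service logs on as.
# LocalSystem presents the computer account on the network; the two service
# accounts and any custom account present their own identities.
$BuiltInAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-ServiceAccountReport {
    param([string]$ComputerName = '.')   # '.' is the local computer
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName
    foreach ($svc in $services) {
        $account = if ($svc.StartName) { $svc.StartName } else { '(none)' }
        New-Object PSObject -Property @{
            Name          = $svc.Name
            Account       = $account
            State         = $svc.State
            StartMode     = $svc.StartMode
            # A non-built-in account is a user or domain account whose token,
            # and whose delegation setting, the service process inherits.
            CustomAccount = ($BuiltInAccounts -notcontains $account)
        }
    }
}

# Services running under user or domain accounts, which are the ones whose
# rights and delegation settings are set per account rather than per computer.
Get-ServiceAccountReport |
    Where-Object { $_.CustomAccount } |
    Sort-Object Account, Name |
    Format-Table Name, Account, State, StartMode -AutoSize
```

Pass -ComputerName to audit a remote server; the WMI call uses the credentials of the running session, so run it from an account that is an administrator on the target.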
To find more information about Services, see Windows Server 2003 Tools Help in the Tools and Settings Collection.
Showpriv.exe: Show Privilege
Category
Show Privilege is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.
Version Compatibility
Show Privilege is supported for Windows Server 2003, Windows XP Professional, and Windows 2000.
Show Privilege is a command-line tool that displays the rights assigned to users and groups. The tool must be run locally on the target computer. To display users and groups that have domain privileges, Show Privilege must be run on a domain controller. The following table shows the privileges specific to access tokens.
Access Token Privileges
Privilege Name | Equivalent Security Policy User Right Setting | Description |
---|---|---|
SeCreateTokenPrivilege | Create a token object | Allows a process to create an access token. |
SeAssignPrimaryTokenPrivilege | Replace a process-level token | Allows a process that has this privilege to replace the access token associated with a process. |
SeImpersonatePrivilege | Impersonate a client after authentication | Allows a process to impersonate a client after authentication. By default this privilege is held by Administrators and by the SERVICE, LOCAL SERVICE, and NETWORK SERVICE accounts. |
To find more information about Show Privilege, see Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.
Whoami.exe: Whoami
Category
Whoami is a command-line tool included in the Windows Server 2003 family. The tool is also included in the Windows 2000 Resource Kit.
Version Compatibility
Whoami is supported for Windows Server 2003 and Windows 2000.
You can use this command-line tool to display the contents of the current user's access token in the command window. Whoami can display, for example:
- User name and security identifier (SID) (whoami /user)
- Groups and their SIDs (whoami /groups)
- Privileges and their status, enabled or disabled (whoami /priv)
- Logon ID (whoami /logonid)
whoami /all prints all of these together.
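Whoami and Show Privilege both print privilege lists as text, so checking a token for the three privileges in the Access Token Privileges table above means parsing that text. The following script, added here as an example and not part of the page, parses the output of whoami /priv and reports whether the current token holds SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, or SeImpersonatePrivilege, and whether each is enabled. The $SampleOutput block is constructed text in the whoami /priv format, included so the parser can be exercised without a live token.

```powershell
# Added example (not from the page): find token-related privileges in whoami /priv output.
$TokenPrivileges = @('SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege')

function ConvertFrom-WhoamiPriv {
    param([string[]]$Lines)
    # Data rows look like:  SeImpersonatePrivilege  Impersonate a client ...  Enabled
    # The name and state contain no spaces; the description is whatever lies between.
    foreach ($line in $Lines) {
        if ($line -match '^(Se\w+)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            New-Object PSObject -Property @{
                Name        = $matches[1]
                Description = $matches[2]
                Enabled     = ($matches[3] -eq 'Enabled')
            }
        }
    }
}

function Test-TokenPrivilege {
    param([string[]]$Lines = (whoami /priv))   # default: the current token
    $present = @(ConvertFrom-WhoamiPriv $Lines | Where-Object { $TokenPrivileges -contains $_.Name })
    # A disabled privilege still counts: code running in this context can
    # re-enable it with AdjustTokenPrivileges, so both states are reported.
    foreach ($p in $present) {
        '{0} is {1}' -f $p.Name, $(if ($p.Enabled) { 'enabled' } else { 'present but disabled' })
    }
    if ($present.Count -eq 0) {
        'No token-creation, token-replacement, or impersonation privilege held'
    }
}

# Constructed sample in the whoami /priv format (not captured from a real system).
$SampleOutput = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
'@ -split "`r?`n"

Test-TokenPrivilege -Lines $SampleOutput   # sample: reports SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege
Test-TokenPrivilege                        # the token of the current PowerShell session
```

Run the second call from a service account's context (for example through a scheduled task) to confirm that an account granted only a logon right has not also inherited SeImpersonatePrivilege through group membership.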
To find more information about Whoami, see Windows Server 2003 Tools Help in the Tools and Settings Collection.
Access Tokens Registry Entries
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.
The following registry entries affect the token that is built for anonymous users. On Windows Server 2003 and Windows XP both entries are also exposed as Security Options policy settings (see Access Tokens Group Policy Settings below), which is the preferred way to change them; the registry entries are documented here for troubleshooting and verification.
EveryoneIncludesAnonymous
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Version compatibility
EveryoneIncludesAnonymous is supported for Windows Server 2003 and Windows XP.
This registry setting controls whether the Everyone SID is included in the access token generated for an anonymous user.
EveryoneIncludesAnonymous Settings
Setting | Effect |
---|---|
0 | (default) Do not include the Everyone SID in the access token generated for an anonymous user. |
1 | Include the Everyone SID in the access token generated for an anonymous user. |
RestrictAnonymous
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Version compatibility
RestrictAnonymous is supported for Windows Server 2003, Windows XP, and Windows 2000.
This registry setting restricts anonymous users from displaying lists of users, and from viewing security permissions.
RestrictAnonymous Settings
Setting | Effect |
---|---|
0 | (default) Anonymous users are not restricted. Rely on default permissions. |
1 | Do not allow enumeration of Security Accounts Manager (SAM) accounts and shares. |
2 | In Windows 2000, do not include the Everyone SID in the access token generated for an Anonymous user. Not supported in Windows Server 2003. |
Results of Anonymous User Settings
Anonymous User: Windows 2000
Restrict Anonymous Setting | Can Enumerate Local SAM Accounts and Shares? | Can Access Other Securable Objects If: |
---|---|---|
0 | Yes | Anonymous or Everyone is granted access by the object's access control list (ACL). |
1 | No | Anonymous or Everyone is granted access by the object's ACL. |
2 | No | Anonymous is explicitly granted access by the object's ACL. |
Anonymous User: Windows Server 2003 and Windows XP
Restrict Anonymous Setting | EveryoneIncludesAnonymous Setting | Can Enumerate Local SAM Accounts and Shares? | Can Access Other Securable Objects If: |
---|---|---|---|
0 | 0 | Yes | Anonymous is explicitly granted access by the object's ACL. |
0 | 1 | Yes | Anonymous or Everyone is granted access by the object's ACL. |
1 | 0 | No | Anonymous is explicitly granted access by the object's ACL. |
1 | 1 | No | Anonymous or Everyone is granted access by the object's ACL. |
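The following PowerShell script is an added example, not from the page, that reads RestrictAnonymous and EveryoneIncludesAnonymous from the Lsa key described above and reports what the Windows Server 2003 and Windows XP table says the anonymous user can do with that combination. It also provides a function that writes the hardened values (1 and 0). It assumes PowerShell is installed on the server and that the session runs as an administrator; per the warning at the start of this section, prefer the equivalent Security Options policy settings where Group Policy is available.

```powershell
# Added example (not from the page): audit and harden the anonymous-token settings.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaDword {
    param([string]$Name, [int]$Default = 0)
    # A missing value means the default applies (0 for both entries on this page).
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { [int]$item.$Name } else { $Default }
}

function Get-AnonymousAccessPolicy {
    param(
        [int]$RestrictAnonymous = (Get-LsaDword 'RestrictAnonymous'),
        [int]$EveryoneIncludesAnonymous = (Get-LsaDword 'EveryoneIncludesAnonymous')
    )
    if ($RestrictAnonymous -eq 2) {
        # Value 2 only has meaning on Windows 2000; on Windows Server 2003 and XP
        # the Everyone SID is controlled by EveryoneIncludesAnonymous instead.
        Write-Warning 'RestrictAnonymous=2 is not supported on Windows Server 2003 or Windows XP; set EveryoneIncludesAnonymous=0 to keep Everyone out of the anonymous token.'
    }
    $requirement = if ($EveryoneIncludesAnonymous -eq 1) { 'Anonymous or Everyone ACE' } else { 'explicit Anonymous ACE' }
    New-Object PSObject -Property @{
        RestrictAnonymous         = $RestrictAnonymous
        EveryoneIncludesAnonymous = $EveryoneIncludesAnonymous
        CanEnumerateSamAndShares  = ($RestrictAnonymous -eq 0)
        ObjectAccessRequires      = $requirement
    }
}

function Set-AnonymousAccessPolicy {
    # Hardened defaults: no SAM/share enumeration, Everyone not in the anonymous token.
    param([int]$RestrictAnonymous = 1, [int]$EveryoneIncludesAnonymous = 0)
    Set-ItemProperty -Path $LsaKey -Name 'RestrictAnonymous' -Value $RestrictAnonymous -Type DWord
    Set-ItemProperty -Path $LsaKey -Name 'EveryoneIncludesAnonymous' -Value $EveryoneIncludesAnonymous -Type DWord
    Get-AnonymousAccessPolicy   # re-read so the caller sees what was actually stored
}

Get-AnonymousAccessPolicy | Format-List RestrictAnonymous, EveryoneIncludesAnonymous, CanEnumerateSamAndShares, ObjectAccessRequires
```

Where Group Policy is used, the same two values are set by the Security Options policies "Network access: Do not allow anonymous enumeration of SAM accounts and shares" (RestrictAnonymous) and "Network access: Let Everyone permissions apply to anonymous users" (EveryoneIncludesAnonymous); a policy refresh will overwrite anything written directly to the registry.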
Effects of Anonymous User Settings Entered in a Domain Controller’s Registry
Ability of anonymous users to enumerate account information
There is no local SAM on a domain controller. Thus, RestrictAnonymous does not control the ability of anonymous users to enumerate account information. Instead, access to account information is controlled by ACLs on account objects in Active Directory.
Ability of anonymous users to enumerate shared resources
Anonymous users cannot enumerate shared resources or named pipes if RestrictAnonymous is set to 1.
Ability of Anonymous Users to Access Active Directory Data on Windows 2000 Domain Controllers
Restrict Anonymous Setting | Pre-Windows 2000 Compatible Access Security Group Membership | Access to Any Active Directory Data |
---|---|---|
0 or 1 | No | No |
0 or 1 | Yes | Yes, if Everyone is a member of this group. |
2 | No | No |
2 | Yes (Everyone only) | No |
2 | Yes, with Anonymous explicitly a member | Yes |
Ability of Anonymous Users to Access Active Directory Data on Windows Server 2003 Domain Controllers
EveryoneIncludesAnonymous Setting | Pre-Windows 2000 Compatible Access Security Group Membership | Access to Any Active Directory Data |
---|---|---|
0 | No | No |
0 | Yes | Yes, if Anonymous is also a member of this group. |
1 | Yes | Yes, even if Anonymous is not a member of this group, as long as Everyone is a member of this group. |
Note
- Both Everyone and Anonymous are members of Pre-Windows 2000 Compatible Access group by default in Windows Server 2003.
Access Tokens Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with access tokens.
Group Policy Settings Associated with Access Tokens
Group Policy Setting | Description |
---|---|
User Rights Assignment: Create a token object; Replace a process-level token; Impersonate a client after authentication | Changes to these settings control which accounts hold SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, and SeImpersonatePrivilege in their tokens (see the Access Token Privileges table above). |
Audit Policy: | Changes to this setting will: |
Security Options: Network access: Let Everyone permissions apply to anonymous users | Changes to this setting affect whether the Everyone SID is in the token for anonymous users (the EveryoneIncludesAnonymous registry entry above). |
For more information about these Group Policy settings, see Account Policy Settings.
Access Tokens WMI Classes
The following table lists and describes the Windows Management Instrumentation (WMI) classes that are associated with access tokens. These WMI classes are shipped with Windows Server 2003.
WMI Classes Associated with Access Tokens
Class Name | Namespace | Version Compatibility |
---|---|---|
Win32_TokenGroups | \root\cimv2 | Windows Server 2003, Windows XP |
Win32_TokenPrivileges | \root\cimv2 | Windows Server 2003, Windows XP |
For more information about these WMI classes, see the WMI reference in the SDK documentation on MSDN.