Impersonation Tokens

An impersonating thread has two access tokens:

• A primary access token that describes the security context of the server. To get a handle to this token, call the OpenProcessToken function.
• An impersonation access token that describes the security context of the client being impersonated. To get a handle to this token, call the OpenThreadToken function.

A server can use the impersonation token in the following functions:

• In the AccessCheck, AccessCheckByType, and AccessCheckByTypeResultList functions to determine whether a security descriptor allows the client a set of access rights.
• In the AdjustTokenPrivileges function to enable or disable the client's privileges.
• In the PrivilegeCheck function to determine whether a set of privileges are enabled in the client's token.
• In functions that generate entries in the security event log, such as ObjectOpenAuditAlarm or PrivilegedServiceAuditAlarm. These functions use an impersonation token to get information about the client for the log entry.