[This is preliminary documentation and subject to change.]
The TOKEN_GROUPS structure contains information about the group SIDs in an access token.
typedef struct _TOKEN_GROUPS { // tg
    DWORD GroupCount;
    SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
} TOKEN_GROUPS;
The Attributes members of the SID_AND_ATTRIBUTES structures can have the following attributes.
Value | Meaning |
---|---|
SE_GROUP_MANDATORY | The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID. |
SE_GROUP_ENABLED_BY_DEFAULT | The SID is enabled by default. |
SE_GROUP_ENABLED | The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied ACEs that apply to the SID. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
SE_GROUP_OWNER | The SID identifies a group account for which the token's user is the owner of the group; or the SID can be assigned as the owner of the token or objects. |
SE_GROUP_USE_FOR_DENY_ONLY | Windows NT 5.0 and later: The SID is deny-only in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID, but ignores access-allowed ACEs for the SID. If this attribute is set, the SE_GROUP_ENABLED attribute is not set, and the SID cannot be re-enabled. |
SE_GROUP_LOGON_ID | The SID is a logon SID that identifies the logon session associated with an access token. |
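The following added example (not part of the original documentation) applies the attribute rules in the table to a group list and counts SIDs that are only disabled rather than deny-only, a useful audit of a token that is meant to be restricted. The `group_entry` type, the function names and the sample SIDs are constructed for illustration; the attribute values are redeclared so the code builds without the Windows SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribute bits with their winnt.h values, redeclared to build without the SDK. */
#define SE_GROUP_MANDATORY          0x00000001u
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002u
#define SE_GROUP_ENABLED            0x00000004u
#define SE_GROUP_OWNER              0x00000008u
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010u
#define SE_GROUP_LOGON_ID           0xC0000000u

/* Hypothetical stand-in for SID_AND_ATTRIBUTES, with the SID held as a string. */
typedef struct { const char *sid; uint32_t attributes; } group_entry;
typedef enum { ROLE_IGNORED, ROLE_DENY_ONLY, ROLE_ALLOW_AND_DENY } group_role;

/* Which ACEs an access check evaluates for a SID carrying these attributes. */
group_role access_check_role(uint32_t a) {
    if (a & SE_GROUP_USE_FOR_DENY_ONLY) return ROLE_DENY_ONLY;
    if (a & SE_GROUP_ENABLED)           return ROLE_ALLOW_AND_DENY;
    return ROLE_IGNORED;
}

/* SE_GROUP_LOGON_ID spans two bits, so compare against the whole mask. */
int is_logon_sid(uint32_t a) { return (a & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID; }

/* Disabled but not deny-only: ignored today, yet AdjustTokenGroups can enable it again. */
int can_be_reenabled(uint32_t a) {
    return !(a & SE_GROUP_ENABLED) && !(a & SE_GROUP_USE_FOR_DENY_ONLY);
}

size_t count_reenablable(const group_entry *g, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (size_t)can_be_reenabled(g[i].attributes);
    return c;
}

/* Constructed sample group list; Groups[] really holds GroupCount entries, not one. */
const group_entry sample_groups[] = {
    { "S-1-1-0",          SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED },
    { "S-1-5-32-544",     SE_GROUP_USE_FOR_DENY_ONLY },
    { "S-1-5-32-545",     0 },
    { "S-1-5-5-0-123456", SE_GROUP_LOGON_ID | SE_GROUP_MANDATORY | SE_GROUP_ENABLED },
};
const size_t sample_count = sizeof sample_groups / sizeof sample_groups[0];

int main(void) {
    printf("re-enablable groups: %zu\n", count_reenablable(sample_groups, sample_count));
    return 0;
}
```
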
Windows NT: Requires version 3.1 or later.
Windows: Unsupported.
Windows CE: Unsupported.
Header: Declared in winnt.h.
Access Control Overview, Access Control Structures, AdjustTokenGroups, SID_AND_ATTRIBUTES, TOKEN_CONTROL, TOKEN_DEFAULT_DACL, TOKEN_INFORMATION_CLASS, TOKEN_OWNER, TOKEN_PRIMARY_GROUP, TOKEN_PRIVILEGES, TOKEN_SOURCE, TOKEN_STATISTICS, TOKEN_TYPE, TOKEN_USER