Access Rights for Access-Token Objects

Windows NT provides security support that enables you to control access to access-token objects. To get or set the security descriptor for an access token, call the GetKernelObjectSecurity and SetKernelObjectSecurity functions, respectively.

When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, Windows NT checks the requested access rights against the DACL in the token's security descriptor.

The following are valid access rights for access token objects:

| Value | Meaning |
| --- | --- |
| TOKEN_ADJUST_DEFAULT | Required to change the default owner, primary group, or DACL of an access token. |
| TOKEN_ADJUST_GROUPS | Required to adjust the attributes of the groups in an access token. |
| TOKEN_ADJUST_PRIVILEGES | Required to enable or disable the privileges in an access token. |
| TOKEN_ASSIGN_PRIMARY | Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. |
| TOKEN_DUPLICATE | Required to duplicate an access token. |
| TOKEN_EXECUTE | Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE. |
| TOKEN_IMPERSONATE | Required to attach an impersonation access token to a process. |
| TOKEN_QUERY | Required to query an access token. |
| TOKEN_QUERY_SOURCE | Required to query the source of an access token. |
| TOKEN_READ | Combines STANDARD_RIGHTS_READ and TOKEN_QUERY. |
| TOKEN_WRITE | Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT. |
| TOKEN_ALL_ACCESS | Combines all possible access rights for a token. |
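The following is an added example, not part of this SDK page: a small portable C decoder that names the bits in a token access mask (for instance the DesiredAccess passed to OpenProcessToken, or the hex access mask recorded in an audit event) and checks whether a requested mask stays within a least-privilege bound such as TOKEN_READ. The numeric values are the winnt.h definitions, reproduced so the code builds without the Windows SDK; the composite rights are built exactly as the table above defines them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Token-specific and standard rights as defined in winnt.h; values reproduced
 * here so the decoder builds without the Windows SDK. */
#define TOKEN_ASSIGN_PRIMARY    0x0001
#define TOKEN_DUPLICATE         0x0002
#define TOKEN_IMPERSONATE       0x0004
#define TOKEN_QUERY             0x0008
#define TOKEN_QUERY_SOURCE      0x0010
#define TOKEN_ADJUST_PRIVILEGES 0x0020
#define TOKEN_ADJUST_GROUPS     0x0040
#define TOKEN_ADJUST_DEFAULT    0x0080
#define READ_CONTROL            0x00020000
#define STANDARD_RIGHTS_READ    READ_CONTROL
#define STANDARD_RIGHTS_WRITE   READ_CONTROL
#define STANDARD_RIGHTS_EXECUTE READ_CONTROL
#define STANDARD_RIGHTS_REQUIRED 0x000F0000
/* Composite rights exactly as the table above defines them. TOKEN_ALL_ACCESS is
 * the NT-era value; later SDKs also fold in TOKEN_ADJUST_SESSIONID (0x0100). */
#define TOKEN_READ    (STANDARD_RIGHTS_READ | TOKEN_QUERY)
#define TOKEN_WRITE   (STANDARD_RIGHTS_WRITE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT)
#define TOKEN_EXECUTE (STANDARD_RIGHTS_EXECUTE | TOKEN_IMPERSONATE)
#define TOKEN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x00FF)
static const struct { uint32_t bit; const char *name; } rights[] = {
    {TOKEN_ASSIGN_PRIMARY, "TOKEN_ASSIGN_PRIMARY"}, {TOKEN_DUPLICATE, "TOKEN_DUPLICATE"},
    {TOKEN_IMPERSONATE, "TOKEN_IMPERSONATE"}, {TOKEN_QUERY, "TOKEN_QUERY"},
    {TOKEN_QUERY_SOURCE, "TOKEN_QUERY_SOURCE"}, {TOKEN_ADJUST_PRIVILEGES, "TOKEN_ADJUST_PRIVILEGES"},
    {TOKEN_ADJUST_GROUPS, "TOKEN_ADJUST_GROUPS"}, {TOKEN_ADJUST_DEFAULT, "TOKEN_ADJUST_DEFAULT"},
    {READ_CONTROL, "READ_CONTROL"},
};

/* Write the names of the bits set in mask to out, '|'-separated; bits not in
 * the table (DELETE, WRITE_DAC, ...) are appended in hex. Returns the count named. */
int decode_token_mask(uint32_t mask, char *out, size_t cap) {
    int named = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof rights / sizeof rights[0]; i++) {
        if (!(mask & rights[i].bit)) continue;
        snprintf(out + strlen(out), cap - strlen(out), "%s%s", named++ ? "|" : "", rights[i].name);
        mask &= ~rights[i].bit;
    }
    if (mask) snprintf(out + strlen(out), cap - strlen(out), "%s0x%x", named ? "|" : "", mask);
    return named;
}

/* Least-privilege check: true when every bit in requested is also in allowed,
 * e.g. a caller that only reads the token should pass mask_within(req, TOKEN_READ). */
int mask_within(uint32_t requested, uint32_t allowed) { return (requested & ~allowed) == 0; }
```

A reviewer can run the decoder over the DesiredAccess values a program passes to OpenProcessToken or OpenThreadToken to spot calls that ask for TOKEN_ALL_ACCESS where TOKEN_QUERY would do.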