Platform SDK: Access Control
The TOKEN_GROUPS structure contains information about the group SIDs in an access token.
```c
typedef struct _TOKEN_GROUPS {
    DWORD GroupCount;                          // number of entries in Groups
    SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];  // group SIDs with their attributes
} TOKEN_GROUPS, *PTOKEN_GROUPS;
```
The Attributes members of the SID_AND_ATTRIBUTES structures can have the following attributes.
Value | Meaning |
---|---|
SE_GROUP_ENABLED | The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied ACEs that apply to the SID. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set. |
SE_GROUP_ENABLED_BY_DEFAULT | The SID is enabled by default. |
SE_GROUP_LOGON_ID | The SID is a logon SID that identifies the logon session associated with an access token. |
SE_GROUP_MANDATORY | The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID. |
SE_GROUP_OWNER | The SID identifies a group account for which the token's user is the owner of the group; or the SID can be assigned as the owner of the token or objects. |
SE_GROUP_RESOURCE | Windows 2000: The SID identifies a domain local group. |
SE_GROUP_USE_FOR_DENY_ONLY | Windows 2000: The SID is deny-only in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID, but ignores access-allowed ACEs for the SID. If this attribute is set, the SE_GROUP_ENABLED attribute is not set, and the SID cannot be re-enabled. |
Windows NT/2000: Requires Windows NT 3.1 or later.
Header: Declared in Winnt.h; include Windows.h.
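
The layout and attribute rules above, as an added C example that is not part of the SDK page: it sizes a buffer for the variable-length Groups array and classifies each SID's role in an access check. The DEMO_* types, helper names and sample groups are constructed stand-ins so it builds without Windows headers; the three SE_GROUP_* values are the ones Winnt.h defines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Winnt.h attribute values, repeated so this builds without the Windows SDK. */
#define SE_GROUP_MANDATORY         0x00000001u
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Hypothetical stand-ins for the layout above; a label replaces the PSID. */
typedef struct { const char *Sid; uint32_t Attributes; } DEMO_SID_AND_ATTRIBUTES;
typedef struct {
    uint32_t GroupCount;
    DEMO_SID_AND_ATTRIBUTES Groups[1]; /* ANYSIZE_ARRAY is 1 */
} DEMO_TOKEN_GROUPS;
typedef enum { SID_IGNORED, SID_DENY_ONLY, SID_ALLOW_AND_DENY } sid_role;

/* Role of one group SID in an access check, following the attribute table. */
sid_role classify(uint32_t attrs) {
    if (attrs & SE_GROUP_USE_FOR_DENY_ONLY) return SID_DENY_ONLY;
    return (attrs & SE_GROUP_ENABLED) ? SID_ALLOW_AND_DENY : SID_IGNORED;
}

/* Bytes needed for n entries; sizeof(DEMO_TOKEN_GROUPS) covers only one. */
size_t groups_size(uint32_t n) {
    return offsetof(DEMO_TOKEN_GROUPS, Groups) + (size_t)n * sizeof(DEMO_SID_AND_ATTRIBUTES);
}

/* Number of group SIDs that can match access-allowed ACEs. */
uint32_t count_granting(const DEMO_TOKEN_GROUPS *tg) {
    uint32_t hits = 0;
    for (uint32_t i = 0; i < tg->GroupCount; i++)
        hits += (classify(tg->Groups[i].Attributes) == SID_ALLOW_AND_DENY);
    return hits;
}

/* Constructed sample token groups: labels and attribute mixes are made up. */
DEMO_TOKEN_GROUPS *make_sample(void) {
    static const DEMO_SID_AND_ATTRIBUTES src[4] = {
        {"Everyone", SE_GROUP_MANDATORY | SE_GROUP_ENABLED},
        {"Administrators", SE_GROUP_USE_FOR_DENY_ONLY},
        {"OptionalGroup", 0},
        {"LogonSession", SE_GROUP_MANDATORY | SE_GROUP_ENABLED},
    };
    DEMO_TOKEN_GROUPS *tg = calloc(1, groups_size(4));
    if (!tg) return NULL;
    tg->GroupCount = 4;
    for (uint32_t i = 0; i < 4; i++) tg->Groups[i] = src[i];
    return tg;
}
```

With the real structures, the same sizing rule applies to any buffer that holds a TOKEN_GROUPS with more than one group: allocating only sizeof(TOKEN_GROUPS) leaves room for a single entry.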
See Also: Access Control Overview, Access Control Structures, AdjustTokenGroups, SID_AND_ATTRIBUTES, TOKEN_CONTROL, TOKEN_DEFAULT_DACL, TOKEN_INFORMATION_CLASS, TOKEN_OWNER, TOKEN_PRIMARY_GROUP, TOKEN_PRIVILEGES, TOKEN_SOURCE, TOKEN_STATISTICS, TOKEN_TYPE, TOKEN_USER