Platform SDK: Access Control

TOKEN_GROUPS

The TOKEN_GROUPS structure contains information about the group SIDs in an access token.

typedef struct _TOKEN_GROUPS { 
  DWORD GroupCount; 
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; 
} TOKEN_GROUPS, *PTOKEN_GROUPS; 

Members

GroupCount
Specifies the number of groups in the access token.
Groups
Specifies an array of SID_AND_ATTRIBUTES structures containing a set of SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the following attributes.
SE_GROUP_ENABLED
  The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied ACEs that apply to the SID.

  A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.

SE_GROUP_ENABLED_BY_DEFAULT
  The SID is enabled by default.

SE_GROUP_LOGON_ID
  The SID is a logon SID that identifies the logon session associated with an access token.

SE_GROUP_MANDATORY
  The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID.

SE_GROUP_OWNER
  The SID identifies a group account for which the token's user is the owner of the group; or the SID can be assigned as the owner of the token or objects.

SE_GROUP_RESOURCE
  Windows 2000: The SID identifies a domain local group.

SE_GROUP_USE_FOR_DENY_ONLY
  Windows 2000: The SID is deny-only in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID, but ignores access-allowed ACEs for the SID.

  If this attribute is set, the SE_GROUP_ENABLED attribute is not set, and the SID cannot be re-enabled.
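
Added example, not from the original SDK page: the C code below sizes a TOKEN_GROUPS buffer for n entries (Groups is declared with ANYSIZE_ARRAY) and classifies each entry by the access-check rules listed above. The non-Windows stand-in typedefs and the names token_groups_size, classify_group, summarize_groups and make_sample are assumptions for illustration; the sample attribute masks are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else /* stand-ins (assumption) so the example builds off Windows; values as in Winnt.h */
typedef unsigned int DWORD;
typedef void *PSID;
typedef struct { PSID Sid; DWORD Attributes; } SID_AND_ATTRIBUTES;
#define ANYSIZE_ARRAY 1
typedef struct { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; } TOKEN_GROUPS;
#define SE_GROUP_MANDATORY         0x00000001u
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u
#endif
typedef enum { GROUP_IGNORED, GROUP_ALLOW_AND_DENY, GROUP_DENY_ONLY } group_role;

/* Bytes for n entries: sizeof(TOKEN_GROUPS) covers only one, so size from the array offset. */
size_t token_groups_size(DWORD n) {
    return offsetof(TOKEN_GROUPS, Groups) + (size_t)n * sizeof(SID_AND_ATTRIBUTES);
}

/* How a SID with these attributes takes part in an access check. */
group_role classify_group(DWORD attrs) {
    if (attrs & SE_GROUP_USE_FOR_DENY_ONLY) return GROUP_DENY_ONLY;      /* deny ACEs only */
    if (attrs & SE_GROUP_ENABLED)           return GROUP_ALLOW_AND_DENY; /* allow and deny ACEs */
    return GROUP_IGNORED;                                                /* neither attribute set */
}

/* Walk all GroupCount entries and count them per role; counts[] is indexed by group_role. */
void summarize_groups(const TOKEN_GROUPS *tg, DWORD counts[3]) {
    counts[0] = counts[1] = counts[2] = 0;
    for (DWORD i = 0; i < tg->GroupCount; i++)
        counts[classify_group(tg->Groups[i].Attributes)]++;
}

/* Constructed sample: four entries with no SIDs attached, only attribute masks. Caller frees. */
TOKEN_GROUPS *make_sample(void) {
    static const DWORD attrs[] = {
        SE_GROUP_MANDATORY | SE_GROUP_ENABLED, /* enabled, AdjustTokenGroups cannot clear it */
        SE_GROUP_ENABLED,                      /* enabled, can be disabled */
        0,                                     /* disabled: ignored in access checks */
        SE_GROUP_USE_FOR_DENY_ONLY,            /* deny-only in a restricted token */
    };
    DWORD n = sizeof attrs / sizeof attrs[0];
    TOKEN_GROUPS *tg = calloc(1, token_groups_size(n));
    if (!tg) return NULL;
    tg->GroupCount = n;
    for (DWORD i = 0; i < n; i++) tg->Groups[i].Attributes = attrs[i];
    return tg;
}
```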


Requirements

  Windows NT/2000: Requires Windows NT 3.1 or later.
  Header: Declared in Winnt.h; include Windows.h.

See Also

Access Control Overview, Access Control Structures, AdjustTokenGroups, SID_AND_ATTRIBUTES, TOKEN_CONTROL, TOKEN_DEFAULT_DACL, TOKEN_INFORMATION_CLASS, TOKEN_OWNER, TOKEN_PRIMARY_GROUP, TOKEN_PRIVILEGES, TOKEN_SOURCE, TOKEN_STATISTICS, TOKEN_TYPE, TOKEN_USER