Platform SDK: Access Control
A privilege is the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time. Privileges differ from access rights in two ways:
Each Windows NT/Windows 2000 system has an account database that stores the privileges held by user and group accounts. When a user logs on, the system produces an access token that contains a list of the user's privileges, including those granted to the user or to groups to which the user belongs. Note that the privileges apply only to the local computer; a domain account can have different privileges on different computers.
When the user tries to perform a privileged operation, the system checks the user's access token to determine whether the user holds the necessary privileges, and if so, it checks whether the privileges are enabled. If the user fails these tests, the system does not perform the operation. For a table of the privileges defined by Windows NT/Windows 2000, see Windows NT Privileges.
To determine the privileges held in an access token, call the GetTokenInformation function, which also indicates which privileges are enabled. Most privileges are disabled by default.
Before you can perform a privileged operation, you must first enable the necessary privileges in your access token. To do this, call the OpenThreadToken function to get a handle to your primary or impersonation access token, then call the AdjustTokenPrivileges function to enable the necessary privileges. After performing the privileged operation, call AdjustTokenPrivileges again to disable the privileges. For sample code that enables and disables a token's privileges, see Enabling and Disabling Privileges.
The GetTokenInformation and AdjustTokenPrivileges functions use a TOKEN_PRIVILEGES structure to specify an array of privileges and their attributes. This structure contains an array of LUID_AND_ATTRIBUTES structures, each of which specifies the LUID of a privilege and a set of bit flags that indicate the attributes of the privilege, such as whether the privilege is enabled.
The Win32 API defines a set of string constants to identify the various privileges. These constants are the same on all Windows NT/Windows 2000 systems. However, the functions that get and adjust the privileges in an access token use the LUID type to identify privileges. The LUID values for a privilege can differ from one computer to another, and from one boot to another on the same computer. To get the current LUID that corresponds to one of the string constants, use the LookupPrivilegeValue function. Use the LookupPrivilegeName function to convert a LUID to its corresponding string constant.
The system provides a set of strings that describe each of the Windows NT privileges defined in Winnt.h. These are useful when you need to display a description of a privilege to the user. Use the LookupPrivilegeDisplayName function to retrieve a description string that corresponds to the string constant for a privilege. For example, on systems that use U.S. English, the display name for the SE_SYSTEMTIME_NAME privilege is "Change the system time".
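The following PowerShell script is an added example, not code from the SDK page: it exercises the whole sequence described above (GetTokenInformation with a TOKEN_PRIVILEGES buffer, LookupPrivilegeName and LookupPrivilegeDisplayName to turn each LUID into its string constant and description, then LookupPrivilegeValue and AdjustTokenPrivileges to enable and later disable one privilege). The P/Invoke class `TokenPriv`, the helper functions and their parameter names are this example's own; the Win32 signatures and the constant values (TOKEN_QUERY, TOKEN_ADJUST_PRIVILEGES, SE_PRIVILEGE_ENABLED, ERROR_NOT_ALL_ASSIGNED) are the ones from Winnt.h and Winerror.h. It opens the current process's primary token with OpenProcessToken; a thread that is impersonating a client would open its impersonation token with OpenThreadToken instead, because privileges enabled in the primary token apply to every thread in the process. The string 'SeSystemtimePrivilege' is the value of the SE_SYSTEMTIME_NAME constant mentioned above.

```powershell
# Added example (not from the SDK page): list the process token's privileges and
# enable/disable one by name, using P/Invoke declarations for the advapi32 calls.
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices; using System.Text;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
    // TOKEN_PRIVILEGES sized for a single entry, which is all AdjustTokenPrivileges needs below.
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; }
    public const uint TOKEN_QUERY = 0x0008, TOKEN_ADJUST_PRIVILEGES = 0x0020, SE_PRIVILEGE_ENABLED = 0x0002;
    public const int TokenPrivileges = 3, ERROR_NOT_ALL_ASSIGNED = 1300; // TOKEN_INFORMATION_CLASS value; Win32 error code
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeName(string system, ref LUID luid, StringBuilder name, ref uint cch);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeDisplayName(string system, string name, StringBuilder disp, ref uint cch, out uint lang);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr ret);
}
'@
$M = [Runtime.InteropServices.Marshal]

function Open-ProcessToken([uint32]$Access) {
    # Helper (this example's own): opens the primary token of the current process.
    $h = [IntPtr]::Zero
    if (-not [TokenPriv]::OpenProcessToken([TokenPriv]::GetCurrentProcess(), $Access, [ref]$h)) {
        throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
    }
    return $h
}

function Get-TokenPrivilege {
    # Reads TOKEN_PRIVILEGES from the process token and resolves every LUID to its
    # string constant and its localized description; Enabled reflects SE_PRIVILEGE_ENABLED.
    $hTok = Open-ProcessToken ([TokenPriv]::TOKEN_QUERY)
    try {
        $len = [uint32]0
        # First call only reports the buffer size needed (fails with ERROR_INSUFFICIENT_BUFFER).
        [void][TokenPriv]::GetTokenInformation($hTok, [TokenPriv]::TokenPrivileges, [IntPtr]::Zero, 0, [ref]$len)
        $buf = $M::AllocHGlobal([int]$len)
        try {
            if (-not [TokenPriv]::GetTokenInformation($hTok, [TokenPriv]::TokenPrivileges, $buf, $len, [ref]$len)) {
                throw "GetTokenInformation failed: $($M::GetLastWin32Error())"
            }
            $count = $M::ReadInt32($buf)   # PrivilegeCount; the entries follow this 4-byte field
            $size  = $M::SizeOf([type][TokenPriv+LUID_AND_ATTRIBUTES])
            for ($i = 0; $i -lt $count; $i++) {
                $e = $M::PtrToStructure([IntPtr]::Add($buf, 4 + $i * $size), [type][TokenPriv+LUID_AND_ATTRIBUTES])
                $luid = $e.Luid
                $name = New-Object System.Text.StringBuilder 256; $cch = [uint32]256
                [void][TokenPriv]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$cch)
                $disp = New-Object System.Text.StringBuilder 256; $cchD = [uint32]256; $lang = [uint32]0
                [void][TokenPriv]::LookupPrivilegeDisplayName($null, $name.ToString(), $disp, [ref]$cchD, [ref]$lang)
                [pscustomobject]@{ Name = $name.ToString(); DisplayName = $disp.ToString()
                                   Enabled = (($e.Attributes -band [TokenPriv]::SE_PRIVILEGE_ENABLED) -ne 0) }
            }
        } finally { $M::FreeHGlobal($buf) }
    } finally { [void][TokenPriv]::CloseHandle($hTok) }
}

function Set-TokenPrivilege {
    # Enables (or with -Disable, disables) one privilege in the process token. Returns
    # $true if it was adjusted, $false if the token does not hold the privilege at all.
    param([Parameter(Mandatory)][string]$Name, [switch]$Disable)
    $luid = New-Object 'TokenPriv+LUID'
    if (-not [TokenPriv]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
        throw "LookupPrivilegeValue($Name) failed: $($M::GetLastWin32Error())"
    }
    $la = New-Object 'TokenPriv+LUID_AND_ATTRIBUTES'
    $la.Luid = $luid
    $la.Attributes = [uint32]0
    if (-not $Disable) { $la.Attributes = [TokenPriv]::SE_PRIVILEGE_ENABLED }
    $tp = New-Object 'TokenPriv+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1; $tp.Privileges = $la
    $hTok = Open-ProcessToken ([TokenPriv]::TOKEN_ADJUST_PRIVILEGES -bor [TokenPriv]::TOKEN_QUERY)
    try {
        # AdjustTokenPrivileges returns TRUE even when the privilege is not held; the real
        # outcome is in GetLastError: ERROR_NOT_ALL_ASSIGNED means nothing was changed.
        $ok  = [TokenPriv]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = $M::GetLastWin32Error()
        if (-not $ok) { throw "AdjustTokenPrivileges failed: $err" }
        return ($err -ne [TokenPriv]::ERROR_NOT_ALL_ASSIGNED)
    } finally { [void][TokenPriv]::CloseHandle($hTok) }
}

# Usage: show what the token holds, then keep SE_SYSTEMTIME_NAME enabled only around the work that needs it.
Get-TokenPrivilege | Format-Table Name, Enabled, DisplayName -AutoSize
if (Set-TokenPrivilege -Name 'SeSystemtimePrivilege') {
    try { <# privileged operation goes here #> }
    finally { [void](Set-TokenPrivilege -Name 'SeSystemtimePrivilege' -Disable) }
}
```

Two points worth checking when adapting this: the return value of Set-TokenPrivilege matters because a privilege that is absent from the token cannot be enabled, and treating the TRUE from AdjustTokenPrivileges as success in that case silently continues without it; and the enable/disable pair is wrapped in try/finally so the privilege is disabled again even if the operation throws, which is the windowed use the text above recommends.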
You can use the PrivilegeCheck function to determine whether an access token holds a specified set of privileges. This is useful primarily to server applications that are impersonating a client.
A system administrator can use administrative tools, such as User Manager, to add or remove privileges for user and group accounts. Administrators can programmatically use the Lsa functions to work with privileges. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove privileges from an account. The LsaEnumerateAccountRights function enumerates the privileges held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified privilege.