Platform SDK: Access Control

Restricted Tokens

A restricted token is a primary or impersonation access token that has been modified by the CreateRestrictedToken function. A process or impersonating thread running in the security context of a restricted token is restricted in its ability to access securable objects or perform privileged operations. CreateRestrictedToken can restrict a token in the following ways:

The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights. For more information about access checks, see How DACLs Control Access to an Object.

You can use a restricted primary token in a call to the CreateProcessAsUser function. Typically, the process that calls CreateProcessAsUser must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege, which is usually held only by system code or by services running in the LocalSystem account. However, if the CreateProcessAsUser call specifies a restricted version of the caller's primary token, this privilege is not required. This enables ordinary applications to create restricted processes.

You can also use a restricted primary or impersonation token in the ImpersonateLoggedOnUser function.

To determine whether a token has a list of restricting SIDs, call the IsTokenRestricted function.