Platform SDK: DLLs, Processes, and Threads
The JOBOBJECT_SECURITY_LIMIT_INFORMATION structure contains the security limitations for a job object.
```c
typedef struct _JOBOBJECT_SECURITY_LIMIT_INFORMATION {
    DWORD             SecurityLimitFlags;
    HANDLE            JobToken;
    PTOKEN_GROUPS     SidsToDisable;
    PTOKEN_PRIVILEGES PrivilegesToDelete;
    PTOKEN_GROUPS     RestrictedSids;
} JOBOBJECT_SECURITY_LIMIT_INFORMATION, *PJOBOBJECT_SECURITY_LIMIT_INFORMATION;
```
SecurityLimitFlags values:

Value | Meaning |
---|---|
JOB_OBJECT_SECURITY_NO_ADMIN | Prevents any process in the job from using a token that specifies the local administrators group. |
JOB_OBJECT_SECURITY_RESTRICTED_TOKEN | Prevents any process in the job from using a token that was not created with the CreateRestrictedToken function. |
JOB_OBJECT_SECURITY_ONLY_TOKEN | Forces processes in the job to run under a specific token. Requires a token handle in the JobToken member. |
JOB_OBJECT_SECURITY_FILTER_TOKENS | Applies a filter to the token when a process impersonates a client. Requires at least one of the following members to be set: SidsToDisable, PrivilegesToDelete, or RestrictedSids. |
JobToken: If the token was created with CreateRestrictedToken, all processes in the job are limited to that token or a further restricted token. Otherwise, the caller must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege.

SidsToDisable: This member can be NULL if you do not want to disable any SIDs.

PrivilegesToDelete: This member can be NULL if you do not want to delete any privileges.

RestrictedSids: This member can be NULL if you do not want to specify any deny-only SIDs.
After security limitations are placed on processes in a job, they cannot be revoked.
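Because the limits cannot be revoked, it pays to check the member requirements from the table before calling SetInformationJobObject. The following is an added example, not part of the SDK documentation: check_security_limits, apply_security_limits and the sli_status codes are hypothetical names, rejecting unknown flag bits is this example's own policy, and the non-Windows stand-in declarations (flag values copied from Winnt.h) exist only so the check compiles elsewhere.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-ins so the check builds off Windows; flag values as in Winnt.h */
typedef unsigned long DWORD;
typedef void *HANDLE;
typedef struct {
    DWORD  SecurityLimitFlags;
    HANDLE JobToken;
    void  *SidsToDisable, *PrivilegesToDelete, *RestrictedSids;
} JOBOBJECT_SECURITY_LIMIT_INFORMATION;
#define JOB_OBJECT_SECURITY_NO_ADMIN         0x00000001
#define JOB_OBJECT_SECURITY_RESTRICTED_TOKEN 0x00000002
#define JOB_OBJECT_SECURITY_ONLY_TOKEN       0x00000004
#define JOB_OBJECT_SECURITY_FILTER_TOKENS    0x00000008
#endif

/* Hypothetical status codes for this example. */
typedef enum { SLI_OK, SLI_BAD_FLAGS, SLI_NEED_TOKEN, SLI_NEED_FILTER } sli_status;

/* Check the documented member requirements before the limits are applied. */
sli_status check_security_limits(const JOBOBJECT_SECURITY_LIMIT_INFORMATION *sli)
{
    const DWORD known = JOB_OBJECT_SECURITY_NO_ADMIN | JOB_OBJECT_SECURITY_RESTRICTED_TOKEN |
                        JOB_OBJECT_SECURITY_ONLY_TOKEN | JOB_OBJECT_SECURITY_FILTER_TOKENS;
    if (sli == NULL || (sli->SecurityLimitFlags & ~known))
        return SLI_BAD_FLAGS;      /* example policy: refuse bits not in the table */
    if ((sli->SecurityLimitFlags & JOB_OBJECT_SECURITY_ONLY_TOKEN) && sli->JobToken == NULL)
        return SLI_NEED_TOKEN;     /* ONLY_TOKEN requires a handle in JobToken */
    if ((sli->SecurityLimitFlags & JOB_OBJECT_SECURITY_FILTER_TOKENS) &&
        !sli->SidsToDisable && !sli->PrivilegesToDelete && !sli->RestrictedSids)
        return SLI_NEED_FILTER;    /* FILTER_TOKENS requires at least one filter member */
    return SLI_OK;
}

#ifdef _WIN32
/* Apply only a validated structure: once set, the limits cannot be revoked. */
BOOL apply_security_limits(HANDLE job, JOBOBJECT_SECURITY_LIMIT_INFORMATION *sli)
{
    if (check_security_limits(sli) != SLI_OK) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }
    return SetInformationJobObject(job, JobObjectSecurityLimitInformation, sli, sizeof *sli);
}
#endif

int main(void)
{
    JOBOBJECT_SECURITY_LIMIT_INFORMATION sli = {0};              /* constructed sample */
    sli.SecurityLimitFlags = JOB_OBJECT_SECURITY_FILTER_TOKENS;  /* no filter member set */
    printf("status = %d\n", (int)check_security_limits(&sli));
    return 0;
}
```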
Windows NT/2000: Requires Windows 2000.
Windows 95/98: Unsupported.
Header: Declared in Winnt.h; include Windows.h.
Processes and Threads Overview, Process and Thread Structures, CreateRestrictedToken, QueryInformationJobObject, SetInformationJobObject, TOKEN_GROUPS, TOKEN_PRIVILEGES