What Are Access Tokens?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
An access token is a protected object that contains information about the identity and privileges associated with a user account.
When a user logs on interactively or tries to make a network connection to a computer running Windows, the logon process authenticates the user’s logon credentials. If authentication is successful, the logon process returns a security identifier (SID) for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token — in this case, the primary access token — that includes the SIDs returned by the logon process as well as a list of privileges assigned by local security policy to the user and to the user’s security groups.
After LSA creates the primary access token, a copy of the access token is attached to every process and thread that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires privileges, the operating system checks the access token associated with the thread to determine the level of authorization for the thread.
There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client/server scenarios. Impersonation tokens enable a thread to execute in a security context that differs from the security context of the process that owns the thread.
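The following PowerShell script is an added example, not part of the original article: it reads the access token attached to the current process and reports the pieces described above (user SID, group SIDs, privileges, and whether the token is a primary or an impersonation token). It assumes Windows, the .NET WindowsIdentity class, and the built-in whoami.exe; Get-TokenSummary is a hypothetical helper name.

```powershell
# Added example (not from the original article): summarize the access token
# attached to the current PowerShell process.
function Get-TokenSummary {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)

    # Group SIDs placed in the token by the logon process, resolved to names where possible
    $groups = foreach ($sid in $id.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ SID = $sid.Value; Name = $name }
    }

    # Privileges assigned by local security policy; whoami reports each one
    # with its current state (Enabled/Disabled) as recorded in this token
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User               = $id.Name
        UserSid            = $id.User.Value
        # None for a primary token; Identification, Impersonation or Delegation
        # when the thread is running under an impersonation token
        ImpersonationLevel = $id.ImpersonationLevel
        # Access checks consult the group SIDs in the token, so membership of
        # BUILTIN\Administrators is decided by the token, not by the account name
        IsAdminToken       = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Groups             = $groups
        Privileges         = $privs
    }
}

$summary = Get-TokenSummary
$summary | Select-Object User, UserSid, ImpersonationLevel, IsAdminToken | Format-List
$summary.Groups     | Format-Table -AutoSize
$summary.Privileges | Format-Table -AutoSize
```

Run it once in a normal session and once in a session that runs as a different account to see how the group SIDs and privilege set differ even though the computer and policy are the same.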
Technologies Related to Access Tokens
Access tokens are closely related to the following technologies.
Other authorization and access control components
Access tokens contain account and group SIDs as well as privileges for the account. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are granted to these accounts and groups:
Security principals. Security principals include users or groups with either local or domain accounts, and computer accounts created when a computer running Windows NT, Windows 2000, Windows XP, or a member of the Windows Server 2003 family joins a domain. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principals.
Security identifiers (SIDs). Every account and group is automatically assigned a security identifier (SID) when the account or group is created.
Security descriptors and access control lists (ACLs). A security descriptor is associated with each securable object. If permissions are configured for an object, the object’s security descriptor contains a discretionary access control list (DACL), with SIDs for the users and groups that are allowed or denied access.
User rights and permissions. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principals. When a system task that requires privileges is attempted, the operating system checks the access token associated with the thread or process to determine the level of authorization for that thread or process.
A user account enables a user to log on to computers and domains with an identity that can be authenticated by the computer or domain.
Accounts and groups that are created in an Active Directory domain are stored in the Active Directory database and managed using Active Directory tools.
User rights can be assigned to Active Directory groups through Group Policy. Password and Account Lockout policy can be assigned to users through Group Policy.
The diagram below shows the relationship of access tokens to other authorization and access control components.
Relationship of Access Tokens to Other Authorization and Access Control Components