Access Tokens

An access token is a protected object that contains information about the identity and privileges associated with a user account. When a user logs on interactively or tries to make a network connection to a computer running Windows 2000, the logon process authenticates the user's logon credentials. If authentication is successful, the logon process returns a SID for the user and a list of SIDs for the user's security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token, which includes the SIDs returned by the logon process as well as a list of privileges assigned by local security policy to the user and to the user's security groups. A copy of the access token is attached to every process and thread that executes on the user's behalf. Whenever a thread interacts with a securable object or tries to perform a system task that requires privileges, the operating system checks the access token associated with the thread to determine its level of authorization.
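The paragraph above describes the contents of the token in the abstract; the quickest way to make it concrete is to read the token attached to your own process. The following PowerShell script is an added example, not part of the original documentation, and it assumes a Windows host running PowerShell 5.1 or later. The `TokenNative` class name and its P/Invoke wrappers are this example's own construction; the underlying calls (`GetTokenInformation`, `LookupPrivilegeName`) and the `TOKEN_PRIVILEGES` layout are the standard Win32 ones. It prints the three things the text says the LSA puts in the token: the user SID, the group SIDs, and the privilege list with each privilege's enabled state.

```powershell
# Added example (not from the original documentation): inspect the access token
# attached to the current PowerShell process and list the user SID, the group
# SIDs, and the privileges it carries. Assumes Windows, PowerShell 5.1+.

$signature = @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    // TOKEN_INFORMATION_CLASS value for TokenPrivileges
    public const int TokenPrivileges = 3;
    // SE_PRIVILEGE_ENABLED attribute bit
    public const int SePrivilegeEnabled = 0x2;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);

    // The LUID is 8 bytes, so a 64-bit integer is used as its buffer here.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeName(string lpSystemName, ref long lpLuid,
        System.Text.StringBuilder lpName, ref int cchName);
}
'@
Add-Type -TypeDefinition $signature

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# 1. The user SID returned by the logon process.
"User      : $($identity.Name)  [$($identity.User.Value)]"

# 2. The security-group SIDs. Some entries (for example the logon SID) have no
#    account name and will show as '(no name)'.
"Groups    :"
foreach ($sid in $identity.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(no name)' }
    "  {0,-48} {1}" -f $sid.Value, $name
}

# 3. The privileges assigned by local security policy. A privilege present in the
#    token but disabled still counts as held; it just has to be enabled before use.
$needed = 0
[void][TokenNative]::GetTokenInformation($identity.Token, [TokenNative]::TokenPrivileges,
    [IntPtr]::Zero, 0, [ref]$needed)            # first call only sizes the buffer
$buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
try {
    if (-not [TokenNative]::GetTokenInformation($identity.Token, [TokenNative]::TokenPrivileges,
            $buffer, $needed, [ref]$needed)) {
        throw "GetTokenInformation failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[] (12 bytes each)
    $count = [System.Runtime.InteropServices.Marshal]::ReadInt32($buffer)
    "Privileges ($count):"
    for ($i = 0; $i -lt $count; $i++) {
        $offset = 4 + ($i * 12)
        $luid = [System.Runtime.InteropServices.Marshal]::ReadInt64($buffer, $offset)
        $attr = [System.Runtime.InteropServices.Marshal]::ReadInt32($buffer, $offset + 8)
        $sb   = New-Object System.Text.StringBuilder 256
        $len  = $sb.Capacity
        [void][TokenNative]::LookupPrivilegeName($null, [ref]$luid, $sb, [ref]$len)
        $state = if ($attr -band [TokenNative]::SePrivilegeEnabled) { 'Enabled' } else { 'Disabled' }
        "  {0,-36} {1}" -f $sb.ToString(), $state
    }
}
finally {
    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buffer)
}
```

Run it once from a normal prompt and once from an elevated prompt: the user SID is the same, but the group list and the enabled privileges differ, which is exactly the distinction the access check uses when a thread touches a securable object. The built-in `whoami /all` reports the same three sections and is a convenient cross-check for the output.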