TOKEN_GROUPS structure (winnt.h)

The TOKEN_GROUPS structure contains information about the group security identifiers (SIDs) in an access token.

Syntax

typedef struct _TOKEN_GROUPS {
  DWORD              GroupCount;
#if ...
  SID_AND_ATTRIBUTES *Groups[];
#else
  SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
#endif
} TOKEN_GROUPS, *PTOKEN_GROUPS;

Members

GroupCount

Specifies the number of groups in the access token.

Groups[*]

Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the following values.

SE_GROUP_ENABLED (0x00000004L): The SID is enabled for access checks. When the system performs an access check, it checks for access-allowed and access-denied access control entries (ACEs) that apply to the SID. A SID without this attribute is ignored during an access check unless the SE_GROUP_USE_FOR_DENY_ONLY attribute is set.

SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L): The SID is enabled by default.

SE_GROUP_INTEGRITY (0x00000020L): The SID is a mandatory integrity SID.

SE_GROUP_INTEGRITY_ENABLED (0x00000040L): The SID is enabled for mandatory integrity checks.

SE_GROUP_LOGON_ID (0xC0000000L): The SID is a logon SID that identifies the logon session associated with an access token.

SE_GROUP_MANDATORY (0x00000001L): The SID cannot have the SE_GROUP_ENABLED attribute cleared by a call to the AdjustTokenGroups function. However, you can use the CreateRestrictedToken function to convert a mandatory SID to a deny-only SID.

SE_GROUP_OWNER (0x00000008L): The SID identifies a group account for which the user of the token is the owner of the group, or the SID can be assigned as the owner of the token or objects.

SE_GROUP_RESOURCE (0x20000000L): The SID identifies a domain-local group.

SE_GROUP_USE_FOR_DENY_ONLY (0x00000010L): The SID is a deny-only SID in a restricted token. When the system performs an access check, it checks for access-denied ACEs that apply to the SID; it ignores access-allowed ACEs for the SID. If this attribute is set, SE_GROUP_ENABLED is not set, and the SID cannot be reenabled.

Groups[ANYSIZE_ARRAY]

Specifies an array of SID_AND_ATTRIBUTES structures that contain a set of SIDs and corresponding attributes.

The Attributes members of the SID_AND_ATTRIBUTES structures can have the same values as listed for Groups[*] above.
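The following is an added example, not part of the original documentation: it decodes an Attributes value into the names from the table and reports how the access check treats the SID according to the SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY descriptions. The constants are redefined locally from the table so it builds without winnt.h; `enum role`, `classify_group`, `describe_attrs` and the sample values are hypothetical names and constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values copied from the attribute table on this page; defined locally so this builds without winnt.h. */
#define SE_GROUP_MANDATORY          0x00000001u
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002u
#define SE_GROUP_ENABLED            0x00000004u
#define SE_GROUP_OWNER              0x00000008u
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010u
#define SE_GROUP_INTEGRITY          0x00000020u
#define SE_GROUP_INTEGRITY_ENABLED  0x00000040u
#define SE_GROUP_RESOURCE           0x20000000u
#define SE_GROUP_LOGON_ID           0xC0000000u

/* Hypothetical names, not Windows API: how the access check treats a group SID. */
enum role { IGNORED, DENY_ONLY, ALLOW_AND_DENY, INCONSISTENT };
enum role classify_group(uint32_t a) {
    if (a & SE_GROUP_USE_FOR_DENY_ONLY)   /* page: deny-only implies ENABLED is clear */
        return (a & SE_GROUP_ENABLED) ? INCONSISTENT : DENY_ONLY;
    return (a & SE_GROUP_ENABLED) ? ALLOW_AND_DENY : IGNORED;
}

/* Writes the names of the set attributes to buf; returns bits the table does not name. */
uint32_t describe_attrs(uint32_t a, char *buf, size_t len) {
    static const struct { uint32_t mask; const char *name; } t[] = {
        {SE_GROUP_LOGON_ID, "LOGON_ID"}, {SE_GROUP_RESOURCE, "RESOURCE"},
        {SE_GROUP_INTEGRITY_ENABLED, "INTEGRITY_ENABLED"}, {SE_GROUP_INTEGRITY, "INTEGRITY"},
        {SE_GROUP_USE_FOR_DENY_ONLY, "USE_FOR_DENY_ONLY"}, {SE_GROUP_OWNER, "OWNER"},
        {SE_GROUP_ENABLED, "ENABLED"}, {SE_GROUP_ENABLED_BY_DEFAULT, "ENABLED_BY_DEFAULT"},
        {SE_GROUP_MANDATORY, "MANDATORY"} };
    size_t used = 0;
    if (len) buf[0] = '\0';
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        /* Full-mask compare: SE_GROUP_LOGON_ID spans two bits, so one bit alone must not match. */
        if ((a & t[i].mask) != t[i].mask) continue;
        a &= ~t[i].mask;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "|" : "", t[i].name);
        used = (n < 0 || (size_t)n >= len - used) ? len : used + (size_t)n; /* stop appending if full */
    }
    return a;
}

int main(void) {
    const uint32_t s[] = {0x07u, 0xC0000007u, 0x10u, 0x60u, 0x80000014u}; /* constructed samples */
    char buf[128];
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        uint32_t rest = describe_attrs(s[i], buf, sizeof buf);
        printf("0x%08X role=%d unknown=0x%08X %s\n", (unsigned)s[i], (int)classify_group(s[i]), (unsigned)rest, buf);
    }
    return 0;
}
```

On Windows, the input would be the Attributes member of each Groups entry, for indexes below GroupCount.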

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: winnt.h (include Windows.h)

See also

AdjustTokenGroups

CreateRestrictedToken

SID_AND_ATTRIBUTES

TOKEN_CONTROL

TOKEN_DEFAULT_DACL

TOKEN_INFORMATION_CLASS

TOKEN_OWNER

TOKEN_PRIMARY_GROUP

TOKEN_PRIVILEGES

TOKEN_SOURCE

TOKEN_STATISTICS

TOKEN_TYPE

TOKEN_USER