Windows NT provides security support that enables you to control access to access-token objects. To get or set the security descriptor for an access token, call the SetKernelObjectSecurity and GetKernelObjectSecurity functions.
When you call the OpenProcessToken or OpenThreadToken function to get a handle to an access token, Windows NT checks the requested access rights against the DACL in the token's security descriptor.
The following are valid access rights for access token objects:
| Value | Meaning |
|---|---|
| TOKEN_ADJUST_DEFAULT | Required to change the default owner, primary group, or DACL of an access token. |
| TOKEN_ADJUST_GROUPS | Required to adjust the attributes of the groups in an access token. |
| TOKEN_ADJUST_PRIVILEGES | Required to enable or disable the privileges in an access token. |
| TOKEN_ASSIGN_PRIMARY | Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task. |
| TOKEN_DUPLICATE | Required to duplicate an access token. |
| TOKEN_EXECUTE | Combines STANDARD_RIGHTS_EXECUTE and TOKEN_IMPERSONATE. |
| TOKEN_IMPERSONATE | Required to attach an impersonation access token to a process. |
| TOKEN_QUERY | Required to query an access token. |
| TOKEN_QUERY_SOURCE | Required to query the source of an access token. |
| TOKEN_READ | Combines STANDARD_RIGHTS_READ and TOKEN_QUERY. |
| TOKEN_WRITE | Combines STANDARD_RIGHTS_WRITE, TOKEN_ADJUST_PRIVILEGES, TOKEN_ADJUST_GROUPS, and TOKEN_ADJUST_DEFAULT. |
| TOKEN_ALL_ACCESS | Combines all possible access rights for a token. |