What Are Access Tokens?

Jan 07

http://technet.microsoft.com/en-us/library/cc759267.aspx

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An access token is a protected object that contains information about the identity and privileges associated with a user account.

When a user logs on interactively or tries to make a network connection to a computer running Windows, the logon process authenticates the user's logon credentials. If authentication is successful, the logon process returns a security identifier (SID) for the user and a list of SIDs for the user's security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token) that includes the SIDs returned by the logon process as well as a list of privileges assigned by local security policy to the user and to the user's security groups.

After LSA creates the primary access token, a copy of the access token is attached to every process and thread that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires privileges, the operating system checks the access token associated with the thread to determine the level of authorization for the thread.
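The following PowerShell script is an added example and is not part of the TechNet article. It reads the primary token of the current process through .NET's WindowsIdentity (user SID, enabled group SIDs, token kind), lists the token's privileges with whoami.exe, and then approximates the check the operating system performs when a token meets a securable object's DACL: collect the Allow and Deny access control entries whose SIDs appear in the token and subtract the denied rights. The function name Get-ApproxEffectiveRights and the target path C:\Windows are my choices for illustration; the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the TechNet article): inspect the primary access
# token of the current process and approximate the access check the OS makes
# when that token is compared with a file's DACL.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; whoami.exe is built in.

# WindowsIdentity.GetCurrent() opens the token of the calling thread
# (the thread token if it is impersonating, otherwise the process's primary token).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# ImpersonationLevel is None for a primary token; any other value means the
# thread is currently running under an impersonation token.
$kind = if ($identity.ImpersonationLevel -eq 'None') { 'primary' }
        else { "impersonation ($($identity.ImpersonationLevel))" }

"Account   : {0}" -f $identity.Name
"User SID  : {0}" -f $identity.User.Value
"Token kind: {0}" -f $kind

"`nGroup SIDs in the token (enabled groups only; deny-only SIDs are not listed):"
foreach ($sid in $identity.Groups) {
    # Some SIDs (e.g. logon session SIDs) cannot be translated to a name.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    "  {0,-45} {1}" -f $sid.Value, $name
}

# WindowsIdentity does not expose privileges; whoami /priv reads them from the
# same token (TokenPrivileges) and can emit CSV for parsing.
"`nPrivileges in the token:"
whoami /priv /fo csv | ConvertFrom-Csv |
    Format-Table 'Privilege Name', State -AutoSize | Out-String

# Approximate the access check for a securable object. The real AccessCheck also
# honours ACE order, the owner's implicit rights, integrity labels and deny-only
# group SIDs, so treat this as an illustration of the token/DACL relationship,
# not as an authoritative effective-permissions tool.
function Get-ApproxEffectiveRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.WindowsIdentity]$Identity
    )
    # Every SID the token carries: the user SID plus the enabled group SIDs.
    $tokenSids = @($Identity.User) + @($Identity.Groups) | ForEach-Object { $_.Value }
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SID-based identities so the ACEs match the token directly.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = 0; $deny = 0
    foreach ($rule in $rules) {
        if ($tokenSids -notcontains $rule.IdentityReference.Value) { continue }
        $mask = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                     { $deny  = $deny  -bor $mask }
    }
    # Canonical DACLs place Deny ACEs first, so "allowed minus denied" is the
    # usual outcome for a well-formed ACL.
    [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

"`nApproximate rights on C:\Windows for this token:"
Get-ApproxEffectiveRights -Path 'C:\Windows' -Identity $identity
```

Run it twice, once from a normal prompt and once elevated, and compare the group and privilege lists: under UAC the non-elevated token is a filtered copy of the same logon's token, with the Administrators SID marked deny-only (so it is absent from the Groups list above) and most privileges removed.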

There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client/server scenarios. Impersonation tokens enable a thread to execute in a security context that differs from the security context of the process that owns the thread.
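The script below is an added example, not code from the TechNet article, showing the two token kinds side by side. It calls LogonUser (advapi32) through Add-Type to obtain a token for a second account, lets WindowsIdentity.RunImpersonated turn it into an impersonation token for the current thread, and records the identity seen before, during and after. It also starts whoami.exe from inside the impersonated callback to show that a child process receives the process's primary token, not the thread's impersonation token (documented CreateProcess behaviour). The namespace TokenDemo, the hashtable $seen and the prompt text are my choices; the script assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) or PowerShell 7 on Windows and a credential you are permitted to log on with, which it prompts for interactively.

```powershell
# Added example (not from the TechNet article): obtain a second logon's token
# with LogonUser, run a block of code under it as an impersonation token on this
# thread with WindowsIdentity.RunImpersonated, and show that only the thread's
# security context changes while the process keeps its primary token.
# Assumes Windows PowerShell 5.1 (.NET Framework 4.6+) or PowerShell 7 on Windows.

$native = Add-Type -Namespace TokenDemo -Name NativeMethods -PassThru -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);
'@

$LOGON32_LOGON_INTERACTIVE = 2   # dwLogonType
$LOGON32_PROVIDER_DEFAULT  = 0   # dwLogonProvider

$cred   = Get-Credential -Message 'Account to impersonate'
$nc     = $cred.GetNetworkCredential()          # splits DOMAIN\user into parts
$domain = if ($nc.Domain) { $nc.Domain } else { '.' }   # '.' = local account database

$rawToken = [IntPtr]::Zero
if (-not $native::LogonUser($nc.UserName, $domain, $nc.Password,
                            $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$rawToken)) {
    throw [System.ComponentModel.Win32Exception]::new(
        [System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

# LogonUser returns a primary token for the new logon session. RunImpersonated
# duplicates it as an impersonation token for the current thread, runs the
# callback, and reverts the thread to the process's primary token afterwards.
$handle = [Microsoft.Win32.SafeHandles.SafeAccessTokenHandle]::new($rawToken)

$seen = @{}   # hashtable mutated from inside the callback
try {
    $seen.Before = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    [System.Security.Principal.WindowsIdentity]::RunImpersonated($handle, [Action]{
        $inner = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $seen.During = $inner.Name                  # the impersonated account
        $seen.Level  = $inner.ImpersonationLevel    # Impersonation, not None
        # A child process started from an impersonating thread receives the
        # process's primary token, not the thread's impersonation token, so
        # whoami.exe still names the original user.
        $seen.ChildProcess = (& whoami.exe 2>&1 | Out-String).Trim()
    })

    $seen.After = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}
finally {
    $handle.Dispose()   # closes the token handle returned by LogonUser
}

[pscustomobject]$seen | Format-List
```

Expect Before and After to match the account running the shell, During to be the account you entered, Level to be Impersonation, and ChildProcess to equal Before. Any object opened inside the callback is access-checked against the impersonation token, which is exactly the client/server use the article describes: a service thread can act with the client's rights without the service process giving up its own.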

Technologies Related to Access Tokens

Access tokens are closely related to the following technologies.

Other authorization and access control components

Access tokens contain account and group SIDs as well as privileges for the account. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are granted to these accounts and groups:

  • Security principals. Security principals include users and groups with either local or domain accounts, and the computer accounts created when a computer running Windows NT, Windows 2000, Windows XP, or a member of the Windows Server 2003 family joins a domain. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principals.
  • Security identifiers (SIDs). Every account and group is automatically assigned a security identifier (SID) when the account or group is created.
  • Security descriptors and access control lists (ACLs). A security descriptor is associated with each securable object. If permissions are configured for an object, the object's security descriptor contains a discretionary access control list (DACL) whose entries identify, by SID, the users and groups that are allowed or denied access.
  • User rights and permissions. User rights (privileges) and permissions to access objects are assigned to security principals. When a thread or process tries to open a securable object or perform a system task that requires a privilege, the operating system compares the SIDs and privileges in the access token associated with that thread or process against the object's DACL or the required privilege to determine the level of authorization.
Authentication

A user account enables a user to log on to computers and domains with an identity that can be authenticated by the computer or domain.

Active Directory

Accounts and groups that are created in an Active Directory domain are stored in the Active Directory database and managed using Active Directory tools.

Group Policy

User rights can be assigned to Active Directory groups through Group Policy. Password and Account Lockout policy can be assigned to users through Group Policy.
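This added script (mine, not the article's) ties the privilege list in a token back to its source, the User Rights Assignment section of local security policy, which is where both locally configured and Group Policy-assigned rights end up. It exports the effective policy with secedit, parses the [Privilege Rights] section, predicts which privileges the current token should hold from its user and group SIDs, and compares the prediction with what whoami /priv reports. The export file name and the variable names are my choices; the script assumes an elevated Windows PowerShell 5.1 or PowerShell 7 prompt on Windows, because secedit needs administrative rights to export the policy and a non-elevated UAC token has most privileges stripped.

```powershell
# Added example (not from the TechNet article): compare the privileges a token
# carries with the User Rights Assignment that granted them.
# Assumes an elevated Windows PowerShell 5.1 or PowerShell 7 prompt on Windows.

$inf = Join-Path $env:TEMP 'secpol-export.inf'
Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path -LiteralPath $inf)) {
    throw 'secedit export failed; run this from an elevated prompt.'
}

# Parse the [Privilege Rights] section: "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551".
# Holders are comma-separated; SIDs are prefixed with '*', account names are not.
$policy    = @{}
$inSection = $false
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

# SIDs carried by the current token (user plus enabled groups).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# A privilege lands in the token when the policy grants it to any SID the token
# holds. Logon rights (Se*LogonRight, SeDeny*) are evaluated at logon time and
# never appear in a token, so they are skipped.
$predicted = foreach ($priv in $policy.Keys) {
    if ($priv -like '*LogonRight') { continue }
    $holders = foreach ($h in $policy[$priv]) {
        if ($h -match '^S-1-') { $h }
        else {
            try   { ([System.Security.Principal.NTAccount]$h).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value }
            catch { $h }
        }
    }
    if ($holders | Where-Object { $tokenSids -contains $_ }) { $priv }
}

# What the token actually contains, enabled or disabled.
$actual = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'

"Privileges predicted from policy vs. present in the token:"
Compare-Object -ReferenceObject ($predicted | Sort-Object) `
               -DifferenceObject ($actual | Sort-Object) -IncludeEqual |
    Select-Object @{n='Privilege'; e={$_.InputObject}},
                  @{n='Source';    e={ switch ($_.SideIndicator) {
                        '==' { 'policy and token' } '<=' { 'policy only' } '=>' { 'token only' } } }} |
    Format-Table -AutoSize
```

Rows marked "policy and token" are the normal case. A "policy only" row usually means the grant is to a group the token does not currently carry (for example a deny-only Administrators SID in a filtered token), and because the token is built at logon, a right added through Group Policy shows up only after the user logs off and on again.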

The diagram below shows the relationship of access tokens to other authorization and access control components.

[Diagram: Relationship of Access Tokens to Other Authorization and Access Control Components]

Related Information

The following resource contains additional information that is relevant to this section.

Additional Resources related to User Login (Authentication & Authorization):

  • /thepost/system_admin/product/microsoft/windows_server/windows-server-basics/user-login/

Author: administrator (India)