A Short Introduction to Access Tokens

Windows NT uses an object called an access token to let the OS associate a user's authorization data (the user's rights and group memberships) with any process or thread that's started on the user's behalf. Access tokens are bound to a user logon session, and every machine a user logs on to generates an access token for that user independently of the logon type (e.g., interactive, network). During a user's logon session, the OS links the access token to every process or thread started for the user. An access token is always local to a machine and never travels across the network. The Local Security Authority (LSA) is the OS component that generates access tokens.

Access tokens comprise an important element of the access-control process. When a user tries to access a secured object (i.e., an object that has an ACL) or tries to perform a particular system task (e.g., reset the system time), the OS will compare the contents of the access token with the content of an object's ACL or to the type of system task the user tries to perform. Based on the outcome of the comparison process, the OS will decide whether the user can access the object or perform the system task.

In addition to a user's domain authorization data (held in the domain security database), an access token also contains the user's local authorization data (held in a machine's local security database). You can find a complete overview of access-token fields in the security section of the Microsoft Developer Network (MSDN) Library (http://msdn.microsoft.com/library).