NT Gatekeeper--Examining Users’ Access Tokens
Discover which tools help you view the contents of a user’s access token.
December 17, 2001
In Windows NT 4.0, a user's access-control information resides in an object called the access token. User access-control data includes a user's group memberships and user rights. When I troubleshoot access-control problems, I want to view the content of a user's access token to detect, for example, group-membership problems. How can I look at the content of a user's access token? Does Microsoft or a third party provide a tool that will let me view a user's access-token data, or will I need to develop one?
First, for background on access tokens, read the sidebar "A Short Introduction to Access Tokens." Two command-line tools let you look at access-token content: Whoami (whoami.exe) and Mytoken (mytoken.exe). The source code for mytoken.exe ships as a sample in the Windows Platform software development kit (SDK), and you can download a compiled version of mytoken.exe from the Code Library on the Security Administrator Web site (http://www.secadministrator.com).
Whoami comes with the Microsoft Windows NT Server 4.0 Resource Kit, but that version doesn't provide the access-token functionality you need: Microsoft's first release of whoami.exe can return only the user's logon name. A more advanced version of the tool, which comes with the Microsoft Windows 2000 Server Resource Kit, adds the /all switch, which displays the user's group memberships and user rights (privileges) in addition to the logon name. The /user switch returns only the logon name, the /groups switch only the group memberships, and the /priv switch only the user rights. Figure 2 shows Whoami's output when you use it with the /all switch.
Mytoken, whose output Figure 3 shows, provides more information than Whoami does. For example, mytoken.exe shows the user's primary group, the token type (primary or impersonation), and the logon session SID.
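The tools above date from NT 4.0 and Windows 2000; on a current Windows system you can read the same token fields yourself through the Win32 token API (GetTokenInformation) that tools of this kind are built on. The following PowerShell script is an added example, not code from the article, from the SDK's mytoken sample, or from whoami. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the TokenNative class and the helper function names are mine. It prints the user SID, the token type, the logon session LUID and the logon SID derived from it, the primary group, every group with its SE_GROUP_* attributes, and every privilege with its enabled/disabled state.

```powershell
# Added example (not code from the article, the SDK mytoken sample, or whoami): walk the
# current access token with the Win32 token API (GetTokenInformation) that such tools use.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; TokenNative and the helper
# function names below are ours. Run it as the user whose token you want to inspect.
Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices; using System.Text;
public static class TokenNative {
  [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
  [StructLayout(LayoutKind.Sequential)] public struct TOKEN_STATISTICS {
    public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
    public int TokenType; public int ImpersonationLevel; public uint DynamicCharged;
    public uint DynamicAvailable; public uint GroupCount; public uint PrivilegeCount; public LUID ModifiedId; }
  [DllImport("advapi32.dll", SetLastError=true)]
  public static extern bool GetTokenInformation(IntPtr h, int cls, IntPtr buf, int len, out int need);
  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
  public static extern bool LookupPrivilegeName(string sys, ref LUID luid, StringBuilder name, ref int cch);
}
"@
$M = [System.Runtime.InteropServices.Marshal]

# Two-call pattern: the first call fails with ERROR_INSUFFICIENT_BUFFER and reports the size needed.
function Get-TokenInfoPtr([IntPtr]$Token, [int]$Class) {
    $need = 0
    [void][TokenNative]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$need)
    $buf = $M::AllocHGlobal($need)
    if (-not [TokenNative]::GetTokenInformation($Token, $Class, $buf, $need, [ref]$need)) {
        $M::FreeHGlobal($buf); throw "GetTokenInformation(class $Class) failed, Win32 error $($M::GetLastWin32Error())"
    }
    $buf
}
function Read-UInt32([IntPtr]$Ptr) { [BitConverter]::ToUInt32([BitConverter]::GetBytes($M::ReadInt32($Ptr)), 0) }
function Format-Flags([uint32]$Attr, $Table) {
    (@($Table | Where-Object { ($Attr -band $_[0]) -eq $_[0] } | ForEach-Object { $_[1] }) -join ',')
}
function Format-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $name = $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $name = '<unresolved>' }
    "$name  $($Sid.Value)"
}

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$h  = $id.Token   # already opened for query; a C tool would call OpenProcessToken(TOKEN_QUERY) here

$p  = Get-TokenInfoPtr $h 10   # TokenStatistics
$st = $M::PtrToStructure($p, [type][TokenNative+TOKEN_STATISTICS]); $M::FreeHGlobal($p)
$p  = Get-TokenInfoPtr $h 5    # TokenPrimaryGroup: a single PSID
$pg = New-Object System.Security.Principal.SecurityIdentifier($M::ReadIntPtr($p)); $M::FreeHGlobal($p)

"User:           $(Format-Sid $id.User)"
"Token type:     $(@{1='Primary';2='Impersonation'}[$st.TokenType])"
# The logon session SID S-1-5-5-X-Y embeds the logon LUID (X = HighPart, Y = LowPart).
"Logon session:  LUID 0x{0:X}:{1:X8}  -> logon SID S-1-5-5-{0}-{1}" -f $st.AuthenticationId.HighPart, $st.AuthenticationId.LowPart
"Primary group:  $(Format-Sid $pg)"

$GroupFlags = @(@([uint32]1,'MANDATORY'), @([uint32]2,'ENABLED_BY_DEFAULT'), @([uint32]4,'ENABLED'),
                @([uint32]8,'OWNER'), @([uint32]16,'USE_FOR_DENY_ONLY'), @([uint32]32,'INTEGRITY'),
                @([uint32]64,'INTEGRITY_ENABLED'), @([uint32]536870912,'RESOURCE'),   # 0x20000000
                @([uint32]3221225472,'LOGON_ID'))                                       # 0xC0000000
"`nGroups:"
$p = Get-TokenInfoPtr $h 2     # TokenGroups: DWORD GroupCount, then SID_AND_ATTRIBUTES[] at pointer alignment
$n = $M::ReadInt32($p); $e = $p.ToInt64() + [IntPtr]::Size
for ($i = 0; $i -lt $n; $i++) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($M::ReadIntPtr([IntPtr]$e))
    $attr = Read-UInt32 ([IntPtr]($e + [IntPtr]::Size))   # Attributes follows the PSID
    "  $(Format-Sid $sid)  [$(Format-Flags $attr $GroupFlags)]"
    $e += 2 * [IntPtr]::Size                               # sizeof(SID_AND_ATTRIBUTES)
}
$M::FreeHGlobal($p)

$PrivFlags = @(@([uint32]1,'ENABLED_BY_DEFAULT'), @([uint32]2,'ENABLED'), @([uint32]4,'REMOVED'),
               @([uint32]2147483648,'USED_FOR_ACCESS'))                                  # 0x80000000
"`nPrivileges (user rights):"
$p = Get-TokenInfoPtr $h 3     # TokenPrivileges: DWORD PrivilegeCount, then 12-byte LUID_AND_ATTRIBUTES[]
$n = $M::ReadInt32($p); $e = $p.ToInt64() + 4
for ($i = 0; $i -lt $n; $i++) {
    $luid = $M::PtrToStructure([IntPtr]$e, [type][TokenNative+LUID])
    $attr = Read-UInt32 ([IntPtr]($e + 8))
    $sb = New-Object System.Text.StringBuilder 256; $cch = $sb.Capacity
    [void][TokenNative]::LookupPrivilegeName($null, [ref]$luid, $sb, [ref]$cch)
    $state = if ($attr -band 2) { 'Enabled' } else { 'Disabled' }
    "  {0,-32} {1,-9} [{2}]" -f $sb.ToString(), $state, (Format-Flags $attr $PrivFlags)
    $e += 12
}
$M::FreeHGlobal($p)
```

Two things to look for when troubleshooting with this output. A group marked USE_FOR_DENY_ONLY is present in the token only so that deny ACEs for it still apply; it grants nothing, which is how a UAC-filtered administrator token carries Administrators without conferring its access. A privilege listed as Disabled is still held by the token and can be enabled by any code running under it, so a "missing" right is often just one that nothing has enabled yet.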