CAccessToken::CreateRestrictedToken

Call this method to create a new, restricted CAccessToken object.

bool CreateRestrictedToken( 
   CAccessToken* pRestrictedToken, 
   const CTokenGroups& SidsToDisable, 
   const CTokenGroups& SidsToRestrict, 
   const CTokenPrivileges& PrivilegesToDelete = CTokenPrivileges( ) 
) const throw(...);

Parameters

  • pRestrictedToken
    The new, restricted CAccessToken object.

  • SidsToDisable
    A CTokenGroups object that specifies the deny-only SIDs.

  • SidsToRestrict
    A CTokenGroups object that specifies the restricting SIDs.

  • PrivilegesToDelete
    A CTokenPrivileges object that specifies the privileges to delete in the restricted token. The default creates an empty object.

Return Value

Returns true on success, false on failure.

Remarks

This method calls the Win32 CreateRestrictedToken function to create a new, restricted CAccessToken object.

Note

This method is only available on Windows 2000 or later.

Security Note

When using CreateRestrictedToken, ensure the following: the existing token is valid (and not entered by the user), and SidsToDisable and PrivilegesToDelete are both valid (and not entered by the user). If the method returns false, deny the functionality.
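The following is an added example, not code from the original page or from ATL, showing one way to follow the security note: the token comes from the operating system, the SID and privilege lists are fixed in code, and the caller fails closed. RunRestricted, LaunchHelperRestricted and helper.exe are hypothetical names, and the choice of the Administrators SID and SeDebugPrivilege is an assumption for illustration.

```cpp
#include <utility>
#ifdef _WIN32
#include <windows.h>
#include <atlbase.h>
#include <atlsecurity.h>
#endif

// Fail closed around CreateRestrictedToken: `work` only ever receives a token
// that was actually restricted. Token is ATL::CAccessToken in real use; it is a
// template parameter (an assumption of this example) so the flow can be tested.
template <class Token, class Groups, class Privileges, class Work>
bool RunRestricted(const Token& existing, const Groups& deny,
                   const Groups& restricting, const Privileges& toDelete, Work&& work)
{
    Token restricted;
    bool created = false;
    try {
        created = existing.CreateRestrictedToken(&restricted, deny, restricting, toDelete);
    } catch (...) { created = false; }   // the method is declared throw(...)
    if (!created) return false;          // deny; never fall back to `existing`
    return std::forward<Work>(work)(restricted);
}

#ifdef _WIN32
// Hypothetical caller: start helper.exe (placeholder name) with the local
// Administrators group deny-only and SeDebugPrivilege deleted.
bool LaunchHelperRestricted()
{
    ATL::CAccessToken process;   // token comes from the OS, not from user input
    // The Win32 CreateRestrictedToken call needs TOKEN_DUPLICATE on this handle.
    if (!process.GetProcessToken(TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY))
        return false;
    ATL::CTokenGroups denyOnly, restricting;   // restricting list left empty
    denyOnly.Add(ATL::Sids::Admins(), 0);      // fixed in code
    ATL::CTokenPrivileges toDelete;
    if (!toDelete.Add(SE_DEBUG_NAME, false))   // fixed in code
        return false;
    return RunRestricted(process, denyOnly, restricting, toDelete,
        [](ATL::CAccessToken& token) {
            TCHAR cmd[] = TEXT("helper.exe");
            STARTUPINFO si = { sizeof(si) };
            PROCESS_INFORMATION pi = {};
            if (!token.CreateProcessAsUser(NULL, cmd, &pi, &si)) return false;
            ::CloseHandle(pi.hThread);
            ::CloseHandle(pi.hProcess);
            return true;
        });
}
#endif
```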

Requirements

Header: atlsecurity.h

See Also

Reference

CAccessToken Class

CAccessToken::CreatePrimaryToken

CAccessToken::CreateImpersonationToken