WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Create a token object

Create a token object

Note: This is an admin-equivalent right.

AKA: SeCreateTokenPrivilege, Create a token object

Default assignment: Local System (This default assignment does not show up in Local Security Policy. It is implicit.)

This extremely powerful right allows the process to create an access token such as with NtCreateToken() or other token-creation APIs. An access token is what Windows uses to keep track of what account a process is running as, to what groups that account belongs and what privileges are held.

Some research indicates that simply creating the token however does not allow you to assume the identity or leverage group memberships or privileges defined by the token; you must be able to assign the token to process which requires Replace a process level token. Nevertheless, no account should have this right except some server applications that perform authentication.

This right first appeared in SP4 for Windows 2000.

Upcoming Webinars

The Advantages and Limitations of MFA: A Look into Common Bypass Techniques and Security Counter Measures

Additional Resources

User Rights In-Depth

•	Access from Network
•	Act as OS
•	Add Workstations
•	Adjust Memory Quotas
•	Allow log on locally
•	Allow Terminal Services logon
•	Backup Files & Directories
•	Bypass traverse checking
•	Change the system time
•	Create a pagefile
•	Create a token object
•	Create global objects
•	Permanent shared objects
•	Debug programs
•	Deny network access
•	Deny logon as a batch job
•	Deny logon as a service
•	Deny logon locally
•	Deny Terminal Services logon
•	Enable trusted for delegation
•	Force shutdown remotely
•	Generate security audits
•	Impersonate a client
•	Increase scheduling priority
•	Load and unload device drivers
•	Lock pages in memory
•	Log on as a batch job
•	Log on as a service
•	Manage auditing and security log
•	Modify firmware values
•	Volume maintenance
•	Profile single process
•	Profile system performance
•	Remove from docking station
•	Replace process level token
•	Restore files and directories
•	Shut down the system
•	Sync directory service data
•	Take ownership of files & objects

User name:
Password:
	/ Forgot?
	Register

May 2024 Patch Tuesday	"Patch Tuesday - A few zero days and a fix introduced by last months patches " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.