WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Create a token object

Create a token object

Note: This is an admin-equivalent right.

AKA: SeCreateTokenPrivilege, Create a token object

Default assignment: Local System (This default assignment does not show up in Local Security Policy. It is implicit.)

This extremely powerful right allows the process to create an access token such as with NtCreateToken() or other token-creation APIs. An access token is what Windows uses to keep track of what account a process is running as, to what groups that account belongs and what privileges are held. 

Some research indicates that simply creating the token however does not allow you to assume the identity or leverage group memberships or privileges defined by the token; you must be able to assign the token to process which requires Replace a process level token. Nevertheless, no account should have this right except some server applications that perform authentication.

This right first appeared in SP4 for Windows 2000.

Back to top


Additional Resources