Tech Line

Access Token Commotion

What's really in that access token?

Chris: I have a general idea of what the access token does, but really don't know exactly what's in it. Can you give me more details?

James, you're not alone in having a basic understanding of access tokens. Many administrators see access tokens as the reason why users have to log off and then log back on after their group membership has changed. Beyond that, most administrators that I have run into understand that the access token contains a user's group memberships and thus allows the user to traverse domain resources with a single login. This is because the access token contains the Security ID (SID) or the user object and the SID of every group in which the user is a member.

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the editors at; the best questions get answered in this column and garner the questioner with a nifty baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

After logon, every process and thread that executes using the user's privileges will contain the access token. This allows the process to access network resources on the user's behalf without having to supply the user's credentials. Since the access token is created at the time a user logs on, the only way to refresh it is to log off and then log back on again.

There are several very well written articles produced by Microsoft that offer the detail that you are looking for.

One of the very best articles written on Access Tokens is "Addressing Problems Due to Access Token Limitation." While lengthy (43 pages), it is far and away the most thorough online Access Token reference. This will probably answer all of your access token questions, and then some.

If you're up for a lighter read on Access Tokens, try the "Access Token Technical Reference." This is just a few pages in length, but provides a very concise overview of how Access Tokens operate.

If you're looking for a great tool for troubleshooting Access Tokens and privilege use, give Tokenmon a try. This free tool from is excellent at revealing how (under which credentials) users or processes are attempting to connect to a server. While the tool's output is pretty extensive, the output can be filtered so as to narrow down what you are looking for.

On Windows 2003 servers, another excellent tool for troubleshooting Access Tokens is the command-line tool whoami. If you run whoami /all, you will see the contents of your current access token, complete with SID associations.

Between the online references and these troubleshooting tools, hopefully you will have plenty of ammunition to take on access tokens.

On another note, I would like to hear from all of you on your favorite free troubleshooting tools. I will provide information on all of the tools I receive in a future column. The reader that sends me the most quality tool resources will get a signed copy of my book Troubleshooting Microsoft Technologies.

About the Author

Chris Wolf is a Microsoft MVP for Windows --Virtual Machine and is a MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).learningstore-20/">Troubleshooting Microsoft Technologies (Addison Wesley) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

comments powered by Disqus

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.