Friday, August 16, 2013

How to view / list / enumerate the security groups in a Windows Security Access Token?

In IT infrastructures powered by Microsoft's Windows Server platform, users typically log on to the network with their domain user account, which is stored in, protected by and authenticated against Active Directory.

(Figure: output of the whoami utility)
When a user logs on to a Windows machine, the system generates an access token for the user.
The information contained in the access token is used to make access decisions whenever the user attempts to request access to a secured resource on that system.

This access token contains a list of all the security groups that the user belongs to, including all the domain security groups to which the user belongs. In addition, the access token contains a list of all the user rights and privileges that are assigned to the user during that logon session.

As for the domain security groups contained in a user's token, they include all universal, domain local and global groups that the user belongs to, as well as the domain-specific built-in security groups. Finally, the access token also contains a list of any machine-local security groups to which the user belongs.

Sometimes IT personnel need to view / list / enumerate the security groups in a specific user's access token. For instance, it may be necessary to peek into a user's token to troubleshoot access control / access denied errors. Other times, IT personnel may need to view this information to see which security groups show up in an administrative user's token, as part of maintaining Active Directory security.

It is fairly easy to view the contents of one's own access token. This can be done by using the free Microsoft utility whoami. However, it is not very easy to view the contents of another user's access token.

To help IT personnel see / list / enumerate the security groups in another user's access token, we added a Windows Token Viewer capability to our Gold Finger tool. With this capability, IT personnel can easily enumerate all security groups that show up in any user's access token.


Gold Finger - Windows Security Access Token Viewer

To view a specific user's access token, you simply specify the user, select a domain, and a target, then click the Gold Finger button. Within seconds, Gold Finger determines and enumerates the list of all domain security groups that show up in the user's token. You can then easily export this list.
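For readers who want to do this from the command line, here is an added PowerShell example; it is not code from the original post nor from the Gold Finger tool. The first function wraps the whoami utility mentioned above to list the groups in your own token; the second approximates the domain groups that would appear in another account's token by reading Active Directory's constructed tokenGroups attribute, which the domain controller expands from the account's transitive group membership. It assumes a domain-joined machine, that the built-in whoami.exe is on the path, and a real sAMAccountName to look up; the function names and the helper are assumed, not a Microsoft API.

```powershell
# Added example (not from the original post or the Gold Finger tool).
# Assumes a domain-joined Windows machine with the built-in whoami.exe available.

function Get-CurrentTokenGroups {
    # whoami /groups /fo csv /nh emits one row per group SID in the current
    # access token: Group Name, Type, SID, Attributes (no header row with /nh).
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'GroupName', 'Type', 'SID', 'Attributes'
    foreach ($row in $rows) {
        [pscustomobject]@{
            GroupName  = $row.GroupName
            SID        = $row.SID
            Attributes = $row.Attributes   # e.g. 'Mandatory group, Enabled by default, Enabled group'
        }
    }
}

function Get-CurrentTokenGroupsDotNet {
    # Same information without shelling out: WindowsIdentity exposes the token's group SIDs.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = '<unresolved>'   # SIDs of deleted or foreign groups cannot always be translated
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ GroupName = $name; SID = $sid.Value }
    }
}

function ConvertTo-LdapFilterLiteral {
    # Escape RFC 4515 special characters so a caller-supplied account name
    # cannot alter the LDAP filter (hypothetical helper).
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-AdTokenGroups {
    # Approximates another account's domain token groups from the constructed
    # tokenGroups attribute. It is read with a base-scope refresh on the object
    # itself, which is why the search result is turned into a DirectoryEntry first.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $escaped  = ConvertTo-LdapFilterLiteral -Value $SamAccountName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the current domain" }

    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))   # constructed attribute: must be requested explicitly
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ GroupName = $name; SID = $sid.Value }
    }
}

# Usage (account name is a placeholder):
Get-CurrentTokenGroups | Format-Table -AutoSize
Get-AdTokenGroups -SamAccountName 'someuser' | Sort-Object GroupName | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. tokenGroups reflects what the queried domain controller computes: it includes global and universal groups and the domain-local groups of that DC's domain, but not machine-local groups on the computer where the user actually logs on, nor groups that depend on logon type or well-known SIDs added at logon time. So the result is a close approximation of the domain part of the token, not the token itself, which is the gap a dedicated token viewer is meant to close. The LDAP filter escaping is there because the account name comes from the caller; unescaped input in a filter is a classic way to turn a lookup into an unintended query.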

(Incidentally, the Gold Finger tool was initially designed to help organizations protect themselves from the most critical of all Active Directory Security Risks, which could potentially be exploited by an advanced persistent threat seeking to inflict damage to a specific organization or organizations.)

With Gold Finger's Token Viewer capability, IT personnel can now easily view the contents of any domain user/computer account's access token, in any Active Directory environment. For more information on this capability, and to download a free trial, please visit our website.