mscorlib(4.0.0.0) API with additions
System.Security.Principal Namespace Reference

Classes

class  GenericIdentity
 Represents a generic user. More...
 
class  GenericPrincipal
 Represents a generic principal. More...
 
class  IdentityNotMappedException
 Represents an exception for a principal whose identity could not be mapped to a known identity. More...
 
class  IdentityReference
 Represents an identity and is the base class for the NTAccount and SecurityIdentifier classes. This class does not provide a public constructor, and therefore cannot be inherited. More...
 
class  IdentityReferenceCollection
 Represents a collection of IdentityReference objects and provides a means of converting sets of IdentityReference-derived objects (for example, NTAccount names) to another IdentityReference-derived type (for example, SecurityIdentifier values). More...
 
interface  IIdentity
 Defines the basic functionality of an identity object. More...
 
interface  IPrincipal
 Defines the basic functionality of a principal object. More...
 
class  NTAccount
 Represents a user or group account. More...
 
class  SecurityIdentifier
 Represents a security identifier (SID) and provides marshaling and comparison operations for SIDs. More...
 
class  WindowsIdentity
 Represents a Windows user. More...
 
class  WindowsImpersonationContext
 Represents the Windows user prior to an impersonation operation. More...
 
class  WindowsPrincipal
 Enables code to check the Windows group membership of a Windows user. More...
 

Enumerations

enum  IdentifierAuthority : long {
  NullAuthority, WorldAuthority, LocalAuthority, CreatorAuthority,
  NonUniqueAuthority, NTAuthority, SiteServerAuthority, InternetSiteAuthority,
  ExchangeAuthority, ResourceManagerAuthority
}
 
enum  ImpersonationQueryResult { Impersonated, NotImpersonated, Failed }
 
enum  KerbLogonSubmitType {
  KerbInteractiveLogon = 2, KerbSmartCardLogon = 6, KerbWorkstationUnlockLogon = 7, KerbSmartCardUnlockLogon = 8,
  KerbProxyLogon = 9, KerbTicketLogon = 10, KerbTicketUnlockLogon = 11, KerbS4ULogon = 12
}
 
enum  PolicyRights {
  POLICY_VIEW_LOCAL_INFORMATION = 0x1, POLICY_VIEW_AUDIT_INFORMATION = 0x2, POLICY_GET_PRIVATE_INFORMATION = 0x4, POLICY_TRUST_ADMIN = 0x8,
  POLICY_CREATE_ACCOUNT = 0x10, POLICY_CREATE_SECRET = 0x20, POLICY_CREATE_PRIVILEGE = 0x40, POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x80,
  POLICY_SET_AUDIT_REQUIREMENTS = 0x100, POLICY_AUDIT_LOG_ADMIN = 0x200, POLICY_SERVER_ADMIN = 0x400, POLICY_LOOKUP_NAMES = 0x800,
  POLICY_NOTIFICATION = 0x1000
}
 
enum  PrincipalPolicy { PrincipalPolicy.UnauthenticatedPrincipal, PrincipalPolicy.NoPrincipal, PrincipalPolicy.WindowsPrincipal }
 Specifies how principal and identity objects should be created for an application domain. The default is UnauthenticatedPrincipal. More...
 
enum  SecurityLogonType {
  Interactive = 2, Network, Batch, Service,
  Proxy, Unlock
}
 
enum  SidNameUse {
  User = 1, Group, Domain, Alias,
  WellKnownGroup, DeletedAccount, Invalid, Unknown,
  Computer
}
 
enum  TokenAccessLevels {
  TokenAccessLevels.AssignPrimary = 0x1, TokenAccessLevels.Duplicate = 0x2, TokenAccessLevels.Impersonate = 0x4, TokenAccessLevels.Query = 0x8,
  TokenAccessLevels.QuerySource = 0x10, TokenAccessLevels.AdjustPrivileges = 0x20, TokenAccessLevels.AdjustGroups = 0x40, TokenAccessLevels.AdjustDefault = 0x80,
  TokenAccessLevels.AdjustSessionId = 0x100, TokenAccessLevels.Read = 0x20008, TokenAccessLevels.Write = 0x200E0, TokenAccessLevels.AllAccess = 0xF01FF,
  TokenAccessLevels.MaximumAllowed = 0x2000000
}
 Defines the access rights that can be requested on an access-token handle (for example, when opening or duplicating a token). These are rights over the token object itself — what the holder of the handle may do to the token — not the privileges held by the account the token represents. More...
 
enum  TokenImpersonationLevel {
  TokenImpersonationLevel.None, TokenImpersonationLevel.Anonymous, TokenImpersonationLevel.Identification, TokenImpersonationLevel.Impersonation,
  TokenImpersonationLevel.Delegation
}
 Defines security impersonation levels. Security impersonation levels govern the degree to which a server process can act on behalf of a client process. More...
 
enum  TokenInformationClass {
  TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner,
  TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType,
  TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId,
  TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy,
  TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation,
  TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled,
  TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid,
  TokenIsAppContainer, TokenCapabilities, TokenAppContainerSid, TokenAppContainerNumber,
  TokenUserClaimAttributes, TokenDeviceClaimAttributes, TokenRestrictedUserClaimAttributes, TokenRestrictedDeviceClaimAttributes,
  TokenDeviceGroups, TokenRestrictedDeviceGroups, MaxTokenInfoClass
}
 
enum  TokenType { TokenPrimary = 1, TokenImpersonation }
 
enum  WellKnownSidType {
  WellKnownSidType.NullSid = 0, WellKnownSidType.WorldSid = 1, WellKnownSidType.LocalSid = 2, WellKnownSidType.CreatorOwnerSid = 3,
  WellKnownSidType.CreatorGroupSid = 4, WellKnownSidType.CreatorOwnerServerSid = 5, WellKnownSidType.CreatorGroupServerSid = 6, WellKnownSidType.NTAuthoritySid = 7,
  WellKnownSidType.DialupSid = 8, WellKnownSidType.NetworkSid = 9, WellKnownSidType.BatchSid = 10, WellKnownSidType.InteractiveSid = 11,
  WellKnownSidType.ServiceSid = 12, WellKnownSidType.AnonymousSid = 13, WellKnownSidType.ProxySid = 14, WellKnownSidType.EnterpriseControllersSid = 0xF,
  WellKnownSidType.SelfSid = 0x10, WellKnownSidType.AuthenticatedUserSid = 17, WellKnownSidType.RestrictedCodeSid = 18, WellKnownSidType.TerminalServerSid = 19,
  WellKnownSidType.RemoteLogonIdSid = 20, WellKnownSidType.LogonIdsSid = 21, WellKnownSidType.LocalSystemSid = 22, WellKnownSidType.LocalServiceSid = 23,
  WellKnownSidType.NetworkServiceSid = 24, WellKnownSidType.BuiltinDomainSid = 25, WellKnownSidType.BuiltinAdministratorsSid = 26, WellKnownSidType.BuiltinUsersSid = 27,
  WellKnownSidType.BuiltinGuestsSid = 28, WellKnownSidType.BuiltinPowerUsersSid = 29, WellKnownSidType.BuiltinAccountOperatorsSid = 30, WellKnownSidType.BuiltinSystemOperatorsSid = 0x1F,
  WellKnownSidType.BuiltinPrintOperatorsSid = 0x20, WellKnownSidType.BuiltinBackupOperatorsSid = 33, WellKnownSidType.BuiltinReplicatorSid = 34, WellKnownSidType.BuiltinPreWindows2000CompatibleAccessSid = 35,
  WellKnownSidType.BuiltinRemoteDesktopUsersSid = 36, WellKnownSidType.BuiltinNetworkConfigurationOperatorsSid = 37, WellKnownSidType.AccountAdministratorSid = 38, WellKnownSidType.AccountGuestSid = 39,
  WellKnownSidType.AccountKrbtgtSid = 40, WellKnownSidType.AccountDomainAdminsSid = 41, WellKnownSidType.AccountDomainUsersSid = 42, WellKnownSidType.AccountDomainGuestsSid = 43,
  WellKnownSidType.AccountComputersSid = 44, WellKnownSidType.AccountControllersSid = 45, WellKnownSidType.AccountCertAdminsSid = 46, WellKnownSidType.AccountSchemaAdminsSid = 47,
  WellKnownSidType.AccountEnterpriseAdminsSid = 48, WellKnownSidType.AccountPolicyAdminsSid = 49, WellKnownSidType.AccountRasAndIasServersSid = 50, WellKnownSidType.NtlmAuthenticationSid = 51,
  WellKnownSidType.DigestAuthenticationSid = 52, WellKnownSidType.SChannelAuthenticationSid = 53, WellKnownSidType.ThisOrganizationSid = 54, WellKnownSidType.OtherOrganizationSid = 55,
  WellKnownSidType.BuiltinIncomingForestTrustBuildersSid = 56, WellKnownSidType.BuiltinPerformanceMonitoringUsersSid = 57, WellKnownSidType.BuiltinPerformanceLoggingUsersSid = 58, WellKnownSidType.BuiltinAuthorizationAccessSid = 59,
  WellKnownSidType.WinBuiltinTerminalServerLicenseServersSid = 60, WellKnownSidType.MaxDefined = 60
}
 Defines a set of commonly used security identifiers (SIDs). More...
 
enum  WindowsAccountType { WindowsAccountType.Normal, WindowsAccountType.Guest, WindowsAccountType.System, WindowsAccountType.Anonymous }
 Specifies the type of Windows account used. More...
 
enum  WindowsBuiltInRole {
  WindowsBuiltInRole.Administrator = 544, WindowsBuiltInRole.User, WindowsBuiltInRole.Guest, WindowsBuiltInRole.PowerUser,
  WindowsBuiltInRole.AccountOperator, WindowsBuiltInRole.SystemOperator, WindowsBuiltInRole.PrintOperator, WindowsBuiltInRole.BackupOperator,
  WindowsBuiltInRole.Replicator
}
 Specifies common roles to be used with WindowsPrincipal.IsInRole. More...
 
enum  WinSecurityContext { Thread = 1, Process, Both }
 

Enumeration Type Documentation

◆ PrincipalPolicy

Specifies how principal and identity objects should be created for an application domain. The default is UnauthenticatedPrincipal.

Enumerator
UnauthenticatedPrincipal 

Principal and identity objects for the unauthenticated entity should be created. An unauthenticated entity has GenericIdentity.Name set to the empty string ("") and GenericIdentity.IsAuthenticated set to false. Because this is the default policy, a non-null principal on the current thread does not by itself mean the caller was authenticated; authorization code should check IsAuthenticated (and roles) explicitly rather than treating the presence of a principal as proof of identity.

NoPrincipal 

No principal or identity objects should be created.

WindowsPrincipal 

Principal and identity objects that reflect the operating system token associated with the current execution thread should be created, and the associated operating system groups should be mapped into roles.

Definition at line 8 of file PrincipalPolicy.cs.

◆ TokenAccessLevels

Defines the access rights that can be requested on an access-token handle. These are rights over the token object itself (what the holder of a token handle may query or change), not the privileges held by the user account the token represents; the enumerators below describe what each right permits.

Enumerator
AssignPrimary 

The user can attach a primary token to a process.

Duplicate 

The user can duplicate the token.

Impersonate 

The user can impersonate a client.

Query 

The user can query the token.

QuerySource 

The user can query the source of the token.

AdjustPrivileges 

The user can enable or disable privileges in the token.

AdjustGroups 

The user can change the attributes of the groups in the token.

AdjustDefault 

The user can change the default owner, primary group, or discretionary access control list (DACL) of the token.

AdjustSessionId 

The user can adjust the session identifier of the token.

Read 

The user has standard read rights and the Query right for the token; the value 0x20008 is the standard-rights read mask combined with Query (0x8).

Write 

The user has standard write rights and the AdjustPrivileges, AdjustGroups and AdjustDefault rights for the token; the value 0x200E0 is the standard-rights write mask combined with those three rights (0x20 | 0x40 | 0x80).

AllAccess 

The user has all possible access to the token.

MaximumAllowed 

Requests the maximum access the caller is permitted on the token rather than a fixed set of rights; this corresponds to the Windows MAXIMUM_ALLOWED access mask (0x2000000), and the rights actually granted are decided by the token's security descriptor when the handle is opened. It is an access-request flag, not an upper bound on the values of this enumeration.

Definition at line 9 of file TokenAccessLevels.cs.

◆ TokenImpersonationLevel

Defines security impersonation levels. Security impersonation levels govern the degree to which a server process can act on behalf of a client process.

Enumerator
None 

An impersonation level is not assigned.

Anonymous 

The server process cannot obtain identification information about the client, and it cannot impersonate the client.

Identification 

The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.

Impersonation 

The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.

Delegation 

The server process can impersonate the client's security context on remote systems, i.e. it can authenticate to other machines as the client. This is the most permissive level: a compromised or misbehaving server holding a delegation-level token can act as that client anywhere on the network, so clients should grant it only to servers they fully trust, and servers should request no more than Impersonation when acting for the client remotely is not required.

Definition at line 9 of file TokenImpersonationLevel.cs.

◆ WellKnownSidType

Defines a set of commonly used security identifiers (SIDs).

Enumerator
NullSid 

Indicates a null SID.

WorldSid 

Indicates a SID that matches everyone.

LocalSid 

Indicates a local SID.

CreatorOwnerSid 

Indicates a SID that matches the owner or creator of an object.

CreatorGroupSid 

Indicates a SID that matches the creator group of an object.

CreatorOwnerServerSid 

Indicates a creator owner server SID.

CreatorGroupServerSid 

Indicates a creator group server SID.

NTAuthoritySid 

Indicates a SID for the Windows NT authority.

DialupSid 

Indicates a SID for a dial-up account.

NetworkSid 

Indicates a SID for a network logon. This SID is added to the token of a user who logs on across a network.

BatchSid 

Indicates a SID for a batch logon. This SID is added to the token of a user who logs on as a batch job.

InteractiveSid 

Indicates a SID for an interactive logon. This SID is added to the token of a user who logs on interactively.

ServiceSid 

Indicates a SID for a service logon. This SID is added to the token of a user who logs on as a service.

AnonymousSid 

Indicates a SID for the anonymous account.

ProxySid 

Indicates a proxy SID.

EnterpriseControllersSid 

Indicates a SID for an enterprise controller.

SelfSid 

Indicates a SID for self.

AuthenticatedUserSid 

Indicates a SID for an authenticated user.

RestrictedCodeSid 

Indicates a SID for restricted code.

TerminalServerSid 

Indicates a SID that matches a terminal server account.

RemoteLogonIdSid 

Indicates a SID that matches remote logons.

LogonIdsSid 

Indicates a SID that matches logon IDs.

LocalSystemSid 

Indicates a SID that matches the local system.

LocalServiceSid 

Indicates a SID that matches a local service.

NetworkServiceSid 

Indicates a SID that matches a network service.

BuiltinDomainSid 

Indicates the SID of the BUILTIN domain, the local pseudo-domain under which the built-in local groups (Administrators, Users, Guests, and so on) are defined.

BuiltinAdministratorsSid 

Indicates a SID that matches the built-in local Administrators group (a group, not an individual account).

BuiltinUsersSid 

Indicates a SID that matches the built-in local Users group.

BuiltinGuestsSid 

Indicates a SID that matches the built-in local Guests group (a group, not an individual account).

BuiltinPowerUsersSid 

Indicates a SID that matches the power users group.

BuiltinAccountOperatorsSid 

Indicates a SID that matches the built-in Account Operators group.

BuiltinSystemOperatorsSid 

Indicates a SID that matches the system operators group.

BuiltinPrintOperatorsSid 

Indicates a SID that matches the print operators group.

BuiltinBackupOperatorsSid 

Indicates a SID that matches the backup operators group.

BuiltinReplicatorSid 

Indicates a SID that matches the built-in Replicator group.

BuiltinPreWindows2000CompatibleAccessSid 

Indicates a SID that matches pre-Windows 2000 compatible accounts.

BuiltinRemoteDesktopUsersSid 

Indicates a SID that matches remote desktop users.

BuiltinNetworkConfigurationOperatorsSid 

Indicates a SID that matches the network operators group.

AccountAdministratorSid 

Indicates a SID that matches the domain Administrator account. Unlike the Builtin* members, which identify local groups, the Account* members identify accounts and groups defined relative to a domain.

AccountGuestSid 

Indicates a SID that matches the domain Guest account.

AccountKrbtgtSid 

Indicates a SID that matches the domain's krbtgt account (the Kerberos Key Distribution Center service account), not a group.

AccountDomainAdminsSid 

Indicates a SID that matches the account domain administrator group.

AccountDomainUsersSid 

Indicates a SID that matches the account domain users group.

AccountDomainGuestsSid 

Indicates a SID that matches the account domain guests group.

AccountComputersSid 

Indicates a SID that matches the Domain Computers group.

AccountControllersSid 

Indicates a SID that matches the Domain Controllers group.

AccountCertAdminsSid 

Indicates a SID that matches the certificate administrators group.

AccountSchemaAdminsSid 

Indicates a SID that matches the schema administrators group.

AccountEnterpriseAdminsSid 

Indicates a SID that matches the enterprise administrators group.

AccountPolicyAdminsSid 

Indicates a SID that matches the policy administrators group.

AccountRasAndIasServersSid 

Indicates a SID that matches the RAS and IAS server account.

NtlmAuthenticationSid 

Indicates a SID present when the Microsoft NTLM authentication package authenticated the client.

DigestAuthenticationSid 

Indicates a SID present when the Microsoft Digest authentication package authenticated the client.

SChannelAuthenticationSid 

Indicates a SID present when the Secure Channel (SSL/TLS) authentication package authenticated the client.

ThisOrganizationSid 

Indicates a SID present when the user authenticated from within the forest or across a trust that does not have the selective authentication option enabled. If this SID is present, then OtherOrganizationSid cannot be present.

OtherOrganizationSid 

Indicates a SID present when the user authenticated across a forest with the selective authentication option enabled. If this SID is present, then ThisOrganizationSid cannot be present.

BuiltinIncomingForestTrustBuildersSid 

Indicates a SID that allows a user to create incoming forest trusts. It is added to the token of users who are a member of the Incoming Forest Trust Builders built-in group in the root domain of the forest.

BuiltinPerformanceMonitoringUsersSid 

Indicates a SID that matches the Performance Monitor Users group, whose members have remote access to monitor the computer.

BuiltinPerformanceLoggingUsersSid 

Indicates a SID that matches the Performance Log Users group, whose members have remote access to schedule logging of performance counters on this computer.

BuiltinAuthorizationAccessSid 

Indicates a SID that matches the Windows Authorization Access group.

WinBuiltinTerminalServerLicenseServersSid 

Indicates a SID that matches the built-in Terminal Server License Servers group, whose members can issue Terminal Server licenses.

MaxDefined 

Indicates the maximum defined SID in the WellKnownSidType enumeration.

Definition at line 7 of file WellKnownSidType.cs.

◆ WindowsAccountType

Specifies the type of Windows account used.

Enumerator
Normal 

A standard user account.

Guest 

A Windows guest account.

System 

A Windows system account.

Anonymous 

An anonymous account.

Definition at line 8 of file WindowsAccountType.cs.

◆ WindowsBuiltInRole

Specifies common roles to be used with WindowsPrincipal.IsInRole.

Enumerator
Administrator 

Administrators have complete and unrestricted access to the computer or domain.

User 

Users are prevented from making accidental or intentional system-wide changes. Thus, users can run certified applications, but not most legacy applications.

Guest 

Guests are more restricted than users.

PowerUser 

Power users possess most administrative permissions with some restrictions. Thus, power users can run legacy applications, in addition to certified applications.

AccountOperator 

Account operators manage the user accounts on a computer or domain.

SystemOperator 

System operators manage a particular computer.

PrintOperator 

Print operators can take control of a printer.

BackupOperator 

Backup operators can override security restrictions for the sole purpose of backing up or restoring files. Because this lets them read and write files regardless of the files' access control lists, membership in this group should be treated as highly privileged.

Replicator 

Replicators support file replication in a domain.

Definition at line 8 of file WindowsBuiltInRole.cs.