{ "id": "481dd375-8d33-46e8-9c30-f7108da3acc0", "created_at": "2026-04-06T00:19:32.218631Z", "updated_at": "2026-04-10T03:23:52.250959Z", "deleted_at": null, "sha1_hash": "598eb18bc087cb4710738645e6289cbc6945245c", "title": "Create a token object - Windows 10", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 39392, "plain_text": "Create a token object - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 15:04:33 UTC\r\nApplies to\r\nWindows 11\r\nWindows 10\r\nDescribes the best practices, location, values, policy management, and security considerations for the Create a\r\ntoken object security policy setting.\r\nReference\r\nThis policy setting determines which accounts a process can use to create a token, and which accounts it can then\r\nuse to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs.\r\nWhen a user signs in to the local device or connects to a remote device through a network, Windows builds the\r\nuser’s access token. Then the system examines the token to determine the level of the user's privileges. When you\r\nrevoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token\r\nuntil the next time the user logs on or connects.\r\nConstant: SeCreateTokenPrivilege\r\nPossible values\r\nUser-defined list of accounts\r\nNot Defined\r\nBest practices\r\nThis user right is used internally by the operating system. Unless it's necessary, don't assign this user right\r\nto a user, group, or process other than Local System.\r\nLocation\r\nComputer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment\r\nDefault values\r\nThis user right is used internally by the operating system. By default, it isn't assigned to any user groups.\r\nhttps://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object\r\nPage 1 of 3\n\nThe following table lists the actual and effective default policy values. Default values are also listed on the\r\npolicy’s property page.\r\nServer type or GPO Default value\r\nDefault Domain Policy Not Defined\r\nDefault Domain Controller Policy Not Defined\r\nStand-Alone Server Default Settings Not Defined\r\nDomain Controller Effective Default Settings Local System\r\nMember Server Effective Default Settings Local System\r\nClient Computer Effective Default Settings Local System\r\nPolicy management\r\nA restart of the device isn't required for this policy setting to be effective.\r\nAny change to the user rights assignment for an account becomes effective the next time the owner of the account\r\nlogs on.\r\nGroup Policy\r\nSettings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on\r\nthe local computer at the next Group Policy update:\r\n1. Local policy settings\r\n2. Site policy settings\r\n3. Domain policy settings\r\n4. OU policy settings\r\nWhen a local setting is greyed out, it indicates that a GPO currently controls that setting.\r\nSecurity considerations\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the\r\ncountermeasure, and the possible negative consequences of countermeasure implementation.\r\nVulnerability\r\nCaution:  A user account that is given this user right has complete control over the system, and it can\r\nlead to the system being compromised. We highly recommend that you do not assign this right to any\r\nuser accounts.\r\nhttps://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object\r\nPage 2 of 3\n\nWindows examines a user's access token to determine the level of the user's privileges. Access tokens are built\r\nwhen users sign in to the local device or connect to a remote device over a network. When you revoke a privilege,\r\nthe change is immediately recorded, but the change isn't reflected in the user's access token until the next time the\r\nuser logs on or connects. Users with the ability to create or modify tokens can change the level of access for any\r\naccount on a computer if they're currently logged on. They could escalate their privileges or create a DoS\r\ncondition.\r\nCountermeasure\r\nDon't assign the Create a token object user right to any users. Processes that require this user right should use the\r\nLocal System account, which already includes it, instead of a separate user account that has this user right\r\nassigned.\r\nPotential impact\r\nNone. Not Defined is the default configuration.\r\nUser Rights Assignment\r\nSource: https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object\r\nhttps://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object" ], "report_names": [ "create-a-token-object" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434772, "ts_updated_at": 1775791432, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/598eb18bc087cb4710738645e6289cbc6945245c.pdf", "text": "https://archive.orkl.eu/598eb18bc087cb4710738645e6289cbc6945245c.txt", "img": "https://archive.orkl.eu/598eb18bc087cb4710738645e6289cbc6945245c.jpg" } }