Impersonation Level

Impersonation is the process by which a server makes a call on behalf of a client and presents the client's identity and credentials in place of its own when making the call. This can take place only when the client explicitly grants the server permission to use its identity.

The impersonation level setting is used by the client to grant the server a particular level of authority to carry out actions on its behalf. The highest level of trust is required for the server to impersonate the client over the network. Local impersonation is impersonate-level impersonation; impersonation over the network is delegate-level impersonation, or delegation. To perform delegation, the server must be running under an identity marked as "Trusted for delegation" in Active Directory. To grant delegate-level authority, the client must not be marked as "Account is sensitive and cannot be delegated" in Active Directory. (See Application Identity for more information about identities and delegation.)

Using the Component Services administrative tool, you can change the machine-wide setting for the impersonation level. This machine-wide setting is used when a COM client on the machine doesn't specify an impersonation level programmatically. The default setting for machine-wide impersonation level is Identify.

For step-by-step instructions, see Setting the Machine-Wide Impersonation Level.
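As an added example (not part of the original page), the following PowerShell audit reads the machine-wide default described above and checks the two Active Directory prerequisites for delegate-level impersonation. It assumes the ActiveDirectory module is installed, uses constructed account names, and takes the OLE registry value name from the documented machine-wide setting rather than from this page.

```powershell
# Added audit script; account names below are constructed placeholders.
param(
    [string]$ServerAccount = 'svc-comserver',   # identity the COM server runs under (constructed)
    [string]$ClientAccount = 'alice'            # COM client identity (constructed)
)

# DWORD stored for the machine-wide default, mapped to the level names used on this page.
$LevelNames = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-MachineWideImpersonationLevel {
    # Value name is assumed from the documented OLE key, not taken from this page.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -ne $ole -and $null -ne $ole.LegacyImpersonationLevel) {
        return $LevelNames[[int]$ole.LegacyImpersonationLevel]
    }
    # When the value is absent the page's stated default applies.
    return 'Identify (default, value not set)'
}

function Get-DelegationReadiness {
    param([string]$Server, [string]$Client)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Server must be "Trusted for delegation"; client must not be "sensitive and cannot be delegated".
    $srv = Get-ADUser -Identity $Server -Properties TrustedForDelegation
    $cli = Get-ADUser -Identity $Client -Properties AccountNotDelegated
    $serverTrusted   = [bool]$srv.TrustedForDelegation
    $clientSensitive = [bool]$cli.AccountNotDelegated
    [pscustomobject]@{
        ServerAccount              = $Server
        ServerTrustedForDelegation = $serverTrusted
        ClientAccount              = $Client
        ClientCannotBeDelegated    = $clientSensitive
        DelegationPossible         = $serverTrusted -and -not $clientSensitive
    }
}

Write-Output ("Machine-wide impersonation level: " + (Get-MachineWideImpersonationLevel))
Get-DelegationReadiness -Server $ServerAccount -Client $ClientAccount | Format-List

# Defender's view: list every user account currently trusted for delegation, since each one
# can forward client credentials to other machines when granted delegate-level authority.
Get-ADUser -Filter 'TrustedForDelegation -eq $true' | Select-Object SamAccountName, DistinguishedName
```

If the COM server runs under a computer account rather than a user account, substitute Get-ADComputer for the server lookup; the TrustedForDelegation property is exposed there as well.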

The levels, from granting least to greatest authority, are described in the following table.

Level | Description
--- | ---
Anonymous | The client is anonymous to the server. The server can impersonate the client, but the impersonation token (a local credential) does not contain any information about the client.
Identify | The server can obtain the client's identity and can impersonate the client to do access-control list checks.
Impersonate | The server can impersonate the client while acting on its behalf, but with restrictions. The server can access resources on the same computer as the client. If the server is on the same computer as the client, it can access network resources as the client. If the server is on a different computer from the client, it can access only resources that are on the same computer as the server.
Delegate | The server can impersonate the client while acting on its behalf, whether or not it is on the same computer as the client. During impersonation, the client's credentials (both those with local and those with network validity) can be passed to any number of machines.