Question: does AD send a user's access token across the network?
Research: The following two passages contradict themselves--given that TGTs are transmitted across the network by design.
From the 5th Edition of Active Directory by Oreilly:
Most importantly, the user's access token is stored in the TGT. The access token includes important information such as what groups a user is a member of, the user's NT rights, and Dynamic Access Control (DAC) claims.
From Windows Server 2008 Active Directory Resource Kit by Microsoft Press:
The access token is used by the security subsystem whenever a user tries to access a resource. When the user tries to access a local resource, the token is presented by the client workstation to any thread or application that requests security information before allowing access to a resource. The access token is never transmitted across the network to another computer; rather, a local access token is created on each server where the user tries to access a resource. For example, when a user tries to access a mailbox on a server running Exchange Server 2007, an access token is created on the server.
Those descriptions are a bit vague. There are two tokens. A process Access Token, and a Kerberos token. The process token is specific to the local computer.
"In Windows implementation, the application server derives the authorization data (PAC) and requests Windows OS to generate an access token."
https://blogs.msdn.microsoft.com/openspecification/2009/04/24/understanding-microsoft-kerberos-pac-validation/
The Kerberos TGT contains authorization data, a signature, and in Microsoft Active Directory implementation of Kerberos, an extension known as a Privilege Attribute Certificate (PAC). The PAC contains User Identity information, group SID's, User Rights/Privileges, User Profile information, domain controller authorization data, client computer information, and protected credentials/password.
The process Access Token that is created combines/merges any local security policy/rights/privileges/groups with that specified in the TGT PAC.
If the Access Token that is created is a Delegation-level Impersonation token, it can be used to access resources on remote computers, because a delegation token contains the protected credentials. Although a new process Access Token is created on the remote computers.
How Access Tokens Work
https://technet.microsoft.com/en-us/library/cc783557(v=ws.10).aspx
[MS-PAC]: Privilege Attribute Certificate Data Structure
https://msdn.microsoft.com/en-us/library/cc237917.aspx
yellow,
the information from the 2008 AD Resource kit is correct, Access tokens are created by local systems and then attached to threads that user is running. there is some very good information here:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx
and here
https://technet.microsoft.com/en-us/library/cc783557(v=ws.10).aspx
although the 2nd link is a little bit old.