What’s the difference between duplicating the handle to a token and duplicating a token?

If you have a token, there are two ways to get another handle to it. One is to use Duplicate­Handle; the other is to use Duplicate­Token (or Duplicate­Token­Ex). What’s the difference?

Duplicating the handle with Duplicate­Handle results in a new handle that refers to the same token as the original handle. On the other hand, duplicating the token with Duplicate­Token produces a brand new token that is a clone of the original.

The difference is significant if you try to modify the token.

If you duplicate the handle, then there is still only one underlying token, and changes to the token from one handle will be visible to the other handle since it’s all the same token at the end of the day; duplicating the handle just gives you two ways to refer to the same thing.

If you duplicate the token, then you have two tokens, and changes to one token will not affect the other.

It’s the difference between buying another set of keys to a car on the one hand, and buying a brand new identical car (which comes with its own set of keys) on the other. If you buy another set of keys to the car, then there’s still only one car, and if you do something to the car, that change is visible regardless of which set of keys you use. On the other hand, if you buy a new identical car, then changes to one car do not affect the other.