How to make a service (or the system process) impersonate the *elevated* variant of a user account?Can't connect to default admin share on Windows 2008How do I set permissions on network shares to allow SYSTEM account access in server cluster?Mounted Samba Share on Ubuntu Desktop does not respect group memberships on ServerCan't set up task to run from non admin userWindows Server 2008 R2 - Cryptographic Operators group issueNTFS Permissions - Issue With Implicit DenialWhat can cause a local administrator account to be unable to access a local folder, even when using special privileges that bypass NTFS security?Run batch file (exe file) as admin on domain user accountPremissions needed to launch COM as “The launching user” identity?Unable to protect shared folders
Will there be more tax deductions if I put the house completely under my name, versus doing a joint ownership?
Can my American children re-enter the USA by International flight with a passport card? Being that their passport book has expired
Is the seat-belt sign activation when a pilot goes to the lavatory standard procedure?
c++ conditional uni-directional iterator
2 parabolas through 4 points
Does this "yield your space to an ally" rule my 3.5 group uses appear anywhere in the official rules?
Is my test coverage up to snuff?
Why did the metro bus stop at each railway crossing, despite no warning indicating a train was coming?
Were any of the books mentioned in this scene from the movie Hackers real?
Slice a list based on an index and items behind it in python
Developers demotivated due to working on same project for more than 2 years
Is there any good reason to write "it is easy to see"?
Why did the UK remove the 'European Union' from its passport?
Why when I add jam to my tea it stops producing thin "membrane" on top?
Does the wearer know what items are in which patch in the Robe of Useful items?
How could it be that 80% of townspeople were farmers during the Edo period in Japan?
How to continually let my readers know what time it is in my story, in an organic way?
Holding rent money for my friend which amounts to over $10k?
Why can't I share a one use code with anyone else?
Wifi is sometimes soft blocked by unknown service
What dog breeds survive the apocalypse for generations?
Promotion comes with unexpected 24/7/365 on-call
Polynomial division: Is this trick obvious?
What was Varys trying to do at the beginning of S08E05?
How to make a service (or the system process) impersonate the *elevated* variant of a user account?
Can't connect to default admin share on Windows 2008How do I set permissions on network shares to allow SYSTEM account access in server cluster?Mounted Samba Share on Ubuntu Desktop does not respect group memberships on ServerCan't set up task to run from non admin userWindows Server 2008 R2 - Cryptographic Operators group issueNTFS Permissions - Issue With Implicit DenialWhat can cause a local administrator account to be unable to access a local folder, even when using special privileges that bypass NTFS security?Run batch file (exe file) as admin on domain user accountPremissions needed to launch COM as “The launching user” identity?Unable to protect shared folders
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):
- a hard disk drive, mounted as
E: - a folder
E:odo - an SMB share
\Daxodowhich provides the folderE:odoto the network - a user account
DaxBackup
The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.
I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has
- multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)
- a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder
- a user account
ClientBackupwhich has the same password as the server's accountDaxBackup, and which also is member of the respective client'sClientBackup Operatorsgroup.
On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.
Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.
I would like to understand why, and of course what I can do about it.
My thoughts and tests so far are:
My client software is copying those files and folders onto the server's share while running as user
Backup. Since that user (on the server) is in theBackup Operatorsgroup, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose theBackup Operatorsgroup should serve.If (on the server) I make the user
Backupa member of theAdministratorsgroup, the problem persists.If (on the server) I give the user
DaxAdministratorfull permission for the share\Daxodoas well as for the respective folderE:odo, and if I run my client software under the accountClientAdministrator(that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.
Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:
High Resolution Date & Time: 04.05.2019 09:27:37,2077520
Event Class: File System
Operation: IRP_MJ_CREATE
Result: PRIVILEGE NOT HELD
Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
TID: 2812
Duration: 0.0000581
Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
Disposition: OpenIf
Options: Complete If Oplocked
Attributes: n/a
ShareMode: Read
AllocationSize: 0
Impersonating: DAXBackup
In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.
So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?
P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...
networking windows-server-2008-r2 permissions access-control-list administrative-privileges
asked May 4 at 10:05
BinarusBinarus
21318
add a comment |
In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):
- a hard disk drive, mounted as
E: - a folder
E:odo - an SMB share
\Daxodowhich provides the folderE:odoto the network - a user account
DaxBackup
The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.
I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has
- multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)
- a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder
- a user account
ClientBackupwhich has the same password as the server's accountDaxBackup, and which also is member of the respective client'sClientBackup Operatorsgroup.
On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.
Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.
I would like to understand why, and of course what I can do about it.
My thoughts and tests so far are:
My client software is copying those files and folders onto the server's share while running as user
Backup. Since that user (on the server) is in theBackup Operatorsgroup, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose theBackup Operatorsgroup should serve.If (on the server) I make the user
Backupa member of theAdministratorsgroup, the problem persists.If (on the server) I give the user
DaxAdministratorfull permission for the share\Daxodoas well as for the respective folderE:odo, and if I run my client software under the accountClientAdministrator(that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.
Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:
High Resolution Date & Time: 04.05.2019 09:27:37,2077520
Event Class: File System
Operation: IRP_MJ_CREATE
Result: PRIVILEGE NOT HELD
Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
TID: 2812
Duration: 0.0000581
Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
Disposition: OpenIf
Options: Complete If Oplocked
Attributes: n/a
ShareMode: Read
AllocationSize: 0
Impersonating: DAXBackup
In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.
So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?
P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...
networking windows-server-2008-r2 permissions access-control-list administrative-privileges
asked May 4 at 10:05
BinarusBinarus
21318
add a comment |
In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):
- a hard disk drive, mounted as
E: - a folder
E:odo - an SMB share
\Daxodowhich provides the folderE:odoto the network - a user account
DaxBackup
The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.
I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has
- multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)
- a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder
- a user account
ClientBackupwhich has the same password as the server's accountDaxBackup, and which also is member of the respective client'sClientBackup Operatorsgroup.
On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.
Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.
I would like to understand why, and of course what I can do about it.
My thoughts and tests so far are:
My client software is copying those files and folders onto the server's share while running as user
Backup. Since that user (on the server) is in theBackup Operatorsgroup, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose theBackup Operatorsgroup should serve.If (on the server) I make the user
Backupa member of theAdministratorsgroup, the problem persists.If (on the server) I give the user
DaxAdministratorfull permission for the share\Daxodoas well as for the respective folderE:odo, and if I run my client software under the accountClientAdministrator(that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.
Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:
High Resolution Date & Time: 04.05.2019 09:27:37,2077520
Event Class: File System
Operation: IRP_MJ_CREATE
Result: PRIVILEGE NOT HELD
Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
TID: 2812
Duration: 0.0000581
Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
Disposition: OpenIf
Options: Complete If Oplocked
Attributes: n/a
ShareMode: Read
AllocationSize: 0
Impersonating: DAXBackup
In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.
So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?
P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...
networking windows-server-2008-r2 permissions access-control-list administrative-privileges
asked May 4 at 10:05
BinarusBinarus
21318
In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):
- a hard disk drive, mounted as
E: - a folder
E:odo - an SMB share
\Daxodowhich provides the folderE:odoto the network - a user account
DaxBackup
The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.
I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has
- multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)
- a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder
- a user account
ClientBackupwhich has the same password as the server's accountDaxBackup, and which also is member of the respective client'sClientBackup Operatorsgroup.
On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.
Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.
I would like to understand why, and of course what I can do about it.
My thoughts and tests so far are:
My client software is copying those files and folders onto the server's share while running as user
Backup. Since that user (on the server) is in theBackup Operatorsgroup, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose theBackup Operatorsgroup should serve.If (on the server) I make the user
Backupa member of theAdministratorsgroup, the problem persists.If (on the server) I give the user
DaxAdministratorfull permission for the share\Daxodoas well as for the respective folderE:odo, and if I run my client software under the accountClientAdministrator(that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.
Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:
High Resolution Date & Time: 04.05.2019 09:27:37,2077520
Event Class: File System
Operation: IRP_MJ_CREATE
Result: PRIVILEGE NOT HELD
Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
TID: 2812
Duration: 0.0000581
Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
Disposition: OpenIf
Options: Complete If Oplocked
Attributes: n/a
ShareMode: Read
AllocationSize: 0
Impersonating: DAXBackup
In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.
So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?
P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...
networking windows-server-2008-r2 permissions access-control-list administrative-privileges
networking windows-server-2008-r2 permissions access-control-list administrative-privileges
asked May 4 at 10:05
BinarusBinarus
21318
asked May 4 at 10:05
BinarusBinarus
21318
edited May 4 at 10:11
Binarus
asked May 4 at 10:05
BinarusBinarus
21318
asked May 4 at 10:05
BinarusBinarus
21318
asked May 4 at 10:05
BinarusBinarus
21318
21318
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Your theory is correct. This behaviour can be changed via a registry setting.
In
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.
This will allow remote connections to have unrestricted administrator access.
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965855%2fhow-to-make-a-service-or-the-system-process-impersonate-the-elevated-variant%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your theory is correct. This behaviour can be changed via a registry setting.
In
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.
This will allow remote connections to have unrestricted administrator access.
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
add a comment |
Your theory is correct. This behaviour can be changed via a registry setting.
In
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.
This will allow remote connections to have unrestricted administrator access.
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
add a comment |
Your theory is correct. This behaviour can be changed via a registry setting.
In
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.
This will allow remote connections to have unrestricted administrator access.
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
Your theory is correct. This behaviour can be changed via a registry setting.
In
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.
This will allow remote connections to have unrestricted administrator access.
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
answered May 5 at 21:10
Harry JohnstonHarry Johnston
4,05512040
4,05512040
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
add a comment |
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.
– Binarus
May 6 at 11:42
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).
– Binarus
May 6 at 11:46
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965855%2fhow-to-make-a-service-or-the-system-process-impersonate-the-elevated-variant%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
