How to make a service (or the system process) impersonate the *elevated* variant of a user account?Can't connect to default admin share on Windows 2008How do I set permissions on network shares to allow SYSTEM account access in server cluster?Mounted Samba Share on Ubuntu Desktop does not respect group memberships on ServerCan't set up task to run from non admin userWindows Server 2008 R2 - Cryptographic Operators group issueNTFS Permissions - Issue With Implicit DenialWhat can cause a local administrator account to be unable to access a local folder, even when using special privileges that bypass NTFS security?Run batch file (exe file) as admin on domain user accountPremissions needed to launch COM as “The launching user” identity?Unable to protect shared folders

Will there be more tax deductions if I put the house completely under my name, versus doing a joint ownership?

Can my American children re-enter the USA by International flight with a passport card? Being that their passport book has expired

Is the seat-belt sign activation when a pilot goes to the lavatory standard procedure?

c++ conditional uni-directional iterator

2 parabolas through 4 points

Does this "yield your space to an ally" rule my 3.5 group uses appear anywhere in the official rules?

Is my test coverage up to snuff?

Why did the metro bus stop at each railway crossing, despite no warning indicating a train was coming?

Were any of the books mentioned in this scene from the movie Hackers real?

Slice a list based on an index and items behind it in python

Developers demotivated due to working on same project for more than 2 years

Is there any good reason to write "it is easy to see"?

Why did the UK remove the 'European Union' from its passport?

Why when I add jam to my tea it stops producing thin "membrane" on top?

Does the wearer know what items are in which patch in the Robe of Useful items?

How could it be that 80% of townspeople were farmers during the Edo period in Japan?

How to continually let my readers know what time it is in my story, in an organic way?

Holding rent money for my friend which amounts to over $10k?

Why can't I share a one use code with anyone else?

Wifi is sometimes soft blocked by unknown service

What dog breeds survive the apocalypse for generations?

Promotion comes with unexpected 24/7/365 on-call

Polynomial division: Is this trick obvious?

What was Varys trying to do at the beginning of S08E05?



How to make a service (or the system process) impersonate the *elevated* variant of a user account?


Can't connect to default admin share on Windows 2008How do I set permissions on network shares to allow SYSTEM account access in server cluster?Mounted Samba Share on Ubuntu Desktop does not respect group memberships on ServerCan't set up task to run from non admin userWindows Server 2008 R2 - Cryptographic Operators group issueNTFS Permissions - Issue With Implicit DenialWhat can cause a local administrator account to be unable to access a local folder, even when using special privileges that bypass NTFS security?Run batch file (exe file) as admin on domain user accountPremissions needed to launch COM as “The launching user” identity?Unable to protect shared folders






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








2















In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):



  • a hard disk drive, mounted as E:

  • a folder E:odo

  • an SMB share \Daxodo which provides the folder E:odo to the network

  • a user account DaxBackup

The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.



I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has



  • multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)

  • a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder

  • a user account ClientBackup which has the same password as the server's account DaxBackup, and which also is member of the respective client's ClientBackup Operators group.

On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.



Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.



I would like to understand why, and of course what I can do about it.



My thoughts and tests so far are:



  • My client software is copying those files and folders onto the server's share while running as user Backup. Since that user (on the server) is in the Backup Operators group, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose the Backup Operators group should serve.


  • If (on the server) I make the user Backup a member of the Administrators group, the problem persists.


  • If (on the server) I give the user DaxAdministrator full permission for the share \Daxodo as well as for the respective folder E:odo, and if I run my client software under the account ClientAdministrator (that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.


Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:



High Resolution Date & Time: 04.05.2019 09:27:37,2077520
Event Class: File System
Operation: IRP_MJ_CREATE
Result: PRIVILEGE NOT HELD
Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
TID: 2812
Duration: 0.0000581
Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
Disposition: OpenIf
Options: Complete If Oplocked
Attributes: n/a
ShareMode: Read
AllocationSize: 0
Impersonating: DAXBackup


In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.



So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?



P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...






networking windows-server-2008-r2 permissions access-control-list administrative-privileges







share|improve this question






























    2















    In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):



    • a hard disk drive, mounted as E:

    • a folder E:odo

    • an SMB share \Daxodo which provides the folder E:odo to the network

    • a user account DaxBackup

    The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.



    I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has



    • multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)

    • a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder

    • a user account ClientBackup which has the same password as the server's account DaxBackup, and which also is member of the respective client's ClientBackup Operators group.

    On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.



    Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.



    I would like to understand why, and of course what I can do about it.



    My thoughts and tests so far are:



    • My client software is copying those files and folders onto the server's share while running as user Backup. Since that user (on the server) is in the Backup Operators group, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose the Backup Operators group should serve.


    • If (on the server) I make the user Backup a member of the Administrators group, the problem persists.


    • If (on the server) I give the user DaxAdministrator full permission for the share \Daxodo as well as for the respective folder E:odo, and if I run my client software under the account ClientAdministrator (that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.


    Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:



    High Resolution Date & Time: 04.05.2019 09:27:37,2077520
    Event Class: File System
    Operation: IRP_MJ_CREATE
    Result: PRIVILEGE NOT HELD
    Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
    TID: 2812
    Duration: 0.0000581
    Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
    Disposition: OpenIf
    Options: Complete If Oplocked
    Attributes: n/a
    ShareMode: Read
    AllocationSize: 0
    Impersonating: DAXBackup


    In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.



    So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?



    P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...






    networking windows-server-2008-r2 permissions access-control-list administrative-privileges







    share|improve this question


























      2












      2








      2


      1






      In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):



      • a hard disk drive, mounted as E:

      • a folder E:odo

      • an SMB share \Daxodo which provides the folder E:odo to the network

      • a user account DaxBackup

      The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.



      I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has



      • multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)

      • a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder

      • a user account ClientBackup which has the same password as the server's account DaxBackup, and which also is member of the respective client's ClientBackup Operators group.

      On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.



      Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.



      I would like to understand why, and of course what I can do about it.



      My thoughts and tests so far are:



      • My client software is copying those files and folders onto the server's share while running as user Backup. Since that user (on the server) is in the Backup Operators group, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose the Backup Operators group should serve.


      • If (on the server) I make the user Backup a member of the Administrators group, the problem persists.


      • If (on the server) I give the user DaxAdministrator full permission for the share \Daxodo as well as for the respective folder E:odo, and if I run my client software under the account ClientAdministrator (that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.


      Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:



      High Resolution Date & Time: 04.05.2019 09:27:37,2077520
      Event Class: File System
      Operation: IRP_MJ_CREATE
      Result: PRIVILEGE NOT HELD
      Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
      TID: 2812
      Duration: 0.0000581
      Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
      Disposition: OpenIf
      Options: Complete If Oplocked
      Attributes: n/a
      ShareMode: Read
      AllocationSize: 0
      Impersonating: DAXBackup


      In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.



      So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?



      P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...






      networking windows-server-2008-r2 permissions access-control-list administrative-privileges







      share|improve this question
















      In my network, there is a Windows 2008 R2 server with network name Dax. On that server, I have (among others, of course):



      • a hard disk drive, mounted as E:

      • a folder E:odo

      • an SMB share \Daxodo which provides the folder E:odo to the network

      • a user account DaxBackup

      The user DaxBackup is member of the DaxBackup Operators group and additionally has full permissions on the share \Daxodo as well as on the folder E:odo.



      I also have some client PCs running Windows 10 x64 Enterprise (version 1809). Each client PC has



      • multiple user accounts which are different from the user accounts on the server (i.e. there is no AD, the client PCs are not joined to a domain)

      • a complex and deeply nested data folder with carefully crafted permissions, i.e. every user on a client has access to different parts (subfolders) of the data folder

      • a user account ClientBackup which has the same password as the server's account DaxBackup, and which also is member of the respective client's ClientBackup Operators group.

      On the client PCs, I have a software which is able to copy the whole data folder mentioned above, including all permissions, owner info, alternate streams, junctions and so on onto the share \Daxodo. I let this software run under user account ClientBackup so that it can read the data folder regardless of the ACLs which are in effect there.



      Indeed, folders, files, junctions and so on (i.e. the actual contents of the data folder) are copied without any problem, but adjusting the metadata (e.g. ACLs, ownership) on the destination fails.



      I would like to understand why, and of course what I can do about it.



      My thoughts and tests so far are:



      • My client software is copying those files and folders onto the server's share while running as user Backup. Since that user (on the server) is in the Backup Operators group, there should be no problem with changing the metadata while copying or even after having copied a file or folder, because that's exactly the purpose the Backup Operators group should serve.


      • If (on the server) I make the user Backup a member of the Administrators group, the problem persists.


      • If (on the server) I give the user DaxAdministrator full permission for the share \Daxodo as well as for the respective folder E:odo, and if I run my client software under the account ClientAdministrator (that account also has the same password on the clients and the server), the problem does not persist, and the process works as intended.


      Furthermore, I have tracked down what I believe is the cause of the problem on the server: Using Sysinternals' process monitor, I have seen that obviously the user Backup on the server, or more precisely, its impersonation by the network service / system process, does not have sufficient privileges. At least, this is what I would make out of the event properties shown below:



      High Resolution Date & Time: 04.05.2019 09:27:37,2077520
      Event Class: File System
      Operation: IRP_MJ_CREATE
      Result: PRIVILEGE NOT HELD
      Path: E:Odod-LSEdtemptest - 2019-05-04 09-27-40bla.txt
      TID: 2812
      Duration: 0.0000581
      Desired Access: Generic Write, Read Attributes, Write DAC, Write Owner, Access System Security
      Disposition: OpenIf
      Options: Complete If Oplocked
      Attributes: n/a
      ShareMode: Read
      AllocationSize: 0
      Impersonating: DAXBackup


      In the past few days, I also have learned that for members of certain groups (among them Administrator and Backup Operators) there are two tokens: a normal one and an elevated one, where only the latter enables the special privileges of such groups.



      So (please note that this is just naive guessing and that I am not an expert in this field): Could the network service / system process on the server impersonate the non-elevated version of the user account Backup when handling the network traffic on behalf of that user, and could this be the reason for the problem? Could I solve the problem by somehow making the network service / system process impersonate the elevated version of the user account Backup when handling the network traffic on behalf of that user? If yes, how?



      P.S. If my above theory is silly, the title of this post will be misleading, so feel free to correct it ...






      networking windows-server-2008-r2 permissions access-control-list administrative-privileges




      networking windows-server-2008-r2 permissions access-control-list administrative-privileges






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited May 4 at 10:11







      Binarus

















      asked May 4 at 10:05









      BinarusBinarus

      21318




      21318




















          1 Answer
          1






          active

          oldest

          votes


















          1














          Your theory is correct. This behaviour can be changed via a registry setting.



          In



          HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem


          find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.



          This will allow remote connections to have unrestricted administrator access.






          share|improve this answer























          • Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

            – Binarus
            May 6 at 11:42












          • And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

            – Binarus
            May 6 at 11:46












          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965855%2fhow-to-make-a-service-or-the-system-process-impersonate-the-elevated-variant%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          Your theory is correct. This behaviour can be changed via a registry setting.



          In



          HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem


          find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.



          This will allow remote connections to have unrestricted administrator access.






          share|improve this answer























          • Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

            – Binarus
            May 6 at 11:42












          • And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

            – Binarus
            May 6 at 11:46
















          1














          Your theory is correct. This behaviour can be changed via a registry setting.



          In



          HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem


          find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.



          This will allow remote connections to have unrestricted administrator access.






          share|improve this answer























          • Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

            – Binarus
            May 6 at 11:42












          • And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

            – Binarus
            May 6 at 11:46














          1












          1








          1







          Your theory is correct. This behaviour can be changed via a registry setting.



          In



          HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem


          find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.



          This will allow remote connections to have unrestricted administrator access.






          share|improve this answer













          Your theory is correct. This behaviour can be changed via a registry setting.



          In



          HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem


          find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.



          This will allow remote connections to have unrestricted administrator access.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 5 at 21:10









          Harry JohnstonHarry Johnston

          4,05512040




          4,05512040












          • Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

            – Binarus
            May 6 at 11:42












          • And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

            – Binarus
            May 6 at 11:46


















          • Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

            – Binarus
            May 6 at 11:42












          • And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

            – Binarus
            May 6 at 11:46

















          Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

          – Binarus
          May 6 at 11:42






          Accepted and +1. Actually, this answer is ingenious, and I would give you 20000 reputation if I could. Heck, I have spent more than a whole day with the UI going through every group policy to identify the relevant one, not knowing if my theory could be correct, and then they hide it and you only can change this via registry. Great.

          – Binarus
          May 6 at 11:42














          And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

          – Binarus
          May 6 at 11:46






          And furthermore, even I had found the page you linked, I wouldn't have noticed that this was the solution to my problem, because this page is plain wrong in talking only about the Administrators group (I added my Backup user to that group for test purposes only, but wouldn't have accepted this as a permanent solution). But fortunately, that registry change also elevates accounts which belong to the Backup Operators group (and probably those belonging to other certain groups which have split tokens, but I didn't test).

          – Binarus
          May 6 at 11:46


















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965855%2fhow-to-make-a-service-or-the-system-process-impersonate-the-elevated-variant%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

          Image
          centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
          Read more

          Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

          Image
          AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
          Read more

          What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

          Image
          When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
          Read more