Re: current user rights

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/05/05


Date: Tue, 5 Jul 2005 14:44:29 -0500

Apparently the problem is that the users security token does not contain his
membership in the administrators group yet. The user would have to logoff
and logon or use something like "runas" to temporarily elevate the users
rights to execute a file but that would require that the user know admin
credentials or you use a third party runas type utility that can encode user
credentials such as the one from Joeware. You can give a user additional
user rights in the Local Security Policy [secpol.msc] of the server without
making him an administrator. Whether or not there is a user right that is
sufficient for your needs, I don't know offhand. You can use the support
tool whoami while logged on as that user to see information about the
current access session token. --- Steve

http://www.joeware.net/win/free/tools/cpau.htm -- link to Cpau from Joeware
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/whoami-o.asp
 --- whoami

"mkv" <mkv@discussions.microsoft.com> wrote in message
news:69117286-8C9A-4A63-9E5B-A59C31827332@microsoft.com...
> Hi everybody.
> i've got a question about current user rights and access.
> one of our client has a situation when highly restricted users on the TS
> 2003
> in some cases has to have an ability to modify HKEY_CURRENT_USER\Software
> and register one dll (third party application).
>
> an user logon script depends on situation initiates another script (via
> runas) which actually makes current user (CU) a member of local admins
> group.
> So now CU is should be able to complete all action but in reality current
> session still has to access
> to any resource like CU isn't member of local admins group and this is the
> question - why Cu still have no rights to modify registry or register dll?
>
> is there any similar to "gpupdate.exe /force" command to refresh CURRENT
> SESSION USER RIGHTS ?
>
> Thanks for helpful response.
> mkv
>
> P.S.
> at the end of a logon script we remove user from a local admins group so
> all
> limitations are recovered.
> and one more thing - since this is not our environment please do not
> advise
> to change security and user rights on AD level.



Relevant Pages

  • Re: XP network and security issue
    ... Did you change any of the User Rights or Security Options in your Local ... Security Policy around the time this stopped working? ... you are attempting to use has been granted the Network and Interactive logon ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Special privileges assigned to new logon??
    ... can do what tasks such as logon locally and load and unload device drivers. ... You can see what the user rights assignments are in Local Security Policy. ... > I have checked memberships. ...
    (microsoft.public.security)
  • [NT] Vulnerabilities in Microsoft Office Allows Code Execution (MS08-016)
    ... Get your security news from a reliable source. ... Vulnerabilities in Microsoft Office Allows Code Execution ... vulnerability could take complete control of an affected system. ... create new accounts with full user rights. ...
    (Securiteam)
  • [NT] Vulnerability in SMB Allows Code Execution (MS08-068)
    ... Get your security news from a reliable source. ... Vulnerability in SMB Allows Code Execution ... or create new accounts with full user rights. ... Microsoft Windows 2000, Windows XP, and Windows Server 2003, and Moderate ...
    (Securiteam)
  • [NT] Vulnerabilities in .NET Framework Allows Code Execution (MS07-040)
    ... Get your security news from a reliable source. ... Edition Service Pack 2 - ... A remote code execution vulnerability exists in .NET Framework that could ... user is logged in with administrative user rights, ...
    (Securiteam)