Re: Listing user privileges

I believe that www.sysinternal.com has tool you might use that
looks at the live token and lists out the privileges. It seems to
me the problem going that route is you will see very many that
are not involved as admins have most all.
To clarify the situation . . .
You have developed a true service
When you define this service with the service control manager
to start in a custom account (that has right to log in as service)
the service starts, but cannot write files to specificed area.
If you add that custom account to administrators group of the
machine where installed then the file write works.
???
Notice I got rid to the Domain Admins part, and implied this
is not installed on a DC (administrators group of the machine).
Can you narrow it down to a non-DC install or do you really
need to take the discussion onto DC territory (Adminsitrators
group in domain) ?

"Dave Williams" <davewilliams29@xxxxxxxxx> wrote in message
news:e%23rwpwsPGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx
Hi all, is there a simple utility I can use that will list all the
privileges a user has in a Windows 2000 environment?

A service I've develeoped is getting a failure to create a file on one
user's disk drive but not on another drive in the same system. The problem
is not fixed by granting the user that runs the service full access to the
base directory, but it is fixed by adding the user that runs the service
to the Domain Admins group.

I figure the only way to diagnose this is to work out what the privilege
difference between the user that runs the service as it is, and that user
when it's added to Domain Admins (I will test if the problem occurs if the
user is added to the Administrators group for the domain, which I believe
is the one with all the privileges).

I'd ideally like something that would list all the privileges a user has,
pref using the descriptive name not the symbolic name for the privilege,
and which group they were got through etc.

Or any other suggestions for tracking down this issue!

Thanks,
Dave



.

Relevant Pages

  • Re: Listing user privileges
    ... that Domain Admins (therefore AD controller ... Administrators group) has no advanced privileges on a member server other ...
    (microsoft.public.windows.server.security)
  • Re: Special privileges assigned to new logon??
    ... I am not very faimilar this, but I would say that if he is a member of the ... Administrators group, ... I'm looking through the event log for successful logon or logoff ... > Privileges: SeImpersonatePrivilege ...
    (microsoft.public.security)
  • Re: Listing user privileges
    ... Administrators group of domain is used only on the DCs. ... Domain Admins is member in Administrators group of each ... Administrators group) has no advanced privileges on a member server other ...
    (microsoft.public.windows.server.security)
  • Re: Linux - Poster child for security glitches
    ... > without putting your user account in the Administrators group? ... > totally defeating the purpose of privileges.) ...
    (comp.os.linux.security)
  • Re: Mission Impossible
    ... Force him to use his privileges under a user that is given domain admins ... NOT to log on/operate as the domain "Administrator". ... you already know this person will have privileges to muck about ... > There is a lot of suspicion that this person is messing about with things ...
    (microsoft.public.windows.server.security)