Adding the Administrators group to a user token
I'm attempting to launch a process running with Administrator privileges from a service running in session 0. I'm using WTSQueryUserToken(WTSGetActiveConsoleSessionId(), ...) in my service (which runs as LOCAL SYSTEM) to get the user's token and then call CreateProcessAsUser() to launch the process.
However, I need to add the Administrators group to the user token, but I'm severely intimidated by all the security API functions and I'm afraid I'll be adding something with unintended side effects.
What's the best way to get the same elevated token that a UAC prompt converts an ordinary user token into?
The elevated token is stored in the user's token. The caller must have the SeTcbPrivilege and it must be enabled. You can call GetTokenInformation + TokenLinkedToken, which will return a TOKEN_LINKED_TOKEN structure that contains the handle to the full token.
thanks
Frank K [MSFT]
Follow us on Twitter, www.twitter.com/WindowsSDK
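The following is an added example, not code from the thread or from Microsoft. It does what the answer above describes: it takes the console user's UAC-filtered token and fetches the linked full token with GetTokenInformation(TokenLinkedToken), then checks both tokens to show that only the linked one has the Administrators group enabled. It is written as a PowerShell script with P/Invoke declarations so it can be tried outside a service; the class name TokenNative and the function names are this example's own. It must run as LOCAL SYSTEM (from the service, or "psexec -s -i powershell.exe" while testing), because WTSQueryUserToken and TokenLinkedToken both need SeTcbPrivilege; without that privilege TokenLinkedToken hands back an identification-level token that cannot be used to start a process.

```powershell
# Added example (not from the original thread). Run as LOCAL SYSTEM.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative
{
    public const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS values
    public const int TokenLinkedToken   = 19;

    [DllImport("kernel32.dll")]
    public static extern uint WTSGetActiveConsoleSessionId();

    [DllImport("wtsapi32.dll", SetLastError = true)]
    public static extern bool WTSQueryUserToken(uint sessionId, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Invoke-GetTokenInformation([IntPtr]$Token, [int]$Class, [int]$Size) {
    # Returns an unmanaged buffer holding a fixed-size token attribute; the caller frees it.
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($Size)
    $len = 0
    if (-not [TokenNative]::GetTokenInformation($Token, $Class, $buf, $Size, [ref]$len)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        # 1314 ERROR_PRIVILEGE_NOT_HELD: not running with SeTcbPrivilege
        # 1312 ERROR_NO_SUCH_LOGON_SESSION: this token has no linked token (not a split admin token)
        throw (New-Object ComponentModel.Win32Exception($err))
    }
    return $buf
}

function Get-TokenElevationType([IntPtr]$Token) {
    $buf = Invoke-GetTokenInformation $Token ([TokenNative]::TokenElevationType) 4
    try { return [Runtime.InteropServices.Marshal]::ReadInt32($buf) }
    finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-LinkedToken([IntPtr]$Token) {
    # TOKEN_LINKED_TOKEN is a single HANDLE; with SeTcbPrivilege it is a primary token.
    $buf = Invoke-GetTokenInformation $Token ([TokenNative]::TokenLinkedToken) ([IntPtr]::Size)
    try { return [Runtime.InteropServices.Marshal]::ReadIntPtr($buf) }
    finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Test-TokenIsAdmin([IntPtr]$Token) {
    # WindowsIdentity accepts a raw token handle. IsInRole only sees enabled groups,
    # so the filtered token, where Administrators is deny-only, reports $false.
    $identity = New-Object Security.Principal.WindowsIdentity($Token)
    try {
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        [pscustomobject]@{
            User    = $identity.Name
            IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    } finally { $identity.Dispose() }
}

$userToken = [IntPtr]::Zero
$fullToken = [IntPtr]::Zero
$sessionId = [TokenNative]::WTSGetActiveConsoleSessionId()
if (-not [TokenNative]::WTSQueryUserToken($sessionId, [ref]$userToken)) {
    throw (New-Object ComponentModel.Win32Exception([Runtime.InteropServices.Marshal]::GetLastWin32Error()))
}
try {
    # 1 = TokenElevationTypeDefault (no split token: UAC off, built-in Administrator,
    #     or a standard user who is not an admin at all), 2 = Full, 3 = Limited (filtered)
    $elevationType = Get-TokenElevationType $userToken
    $fullToken = if ($elevationType -eq 3) { Get-LinkedToken $userToken } else { $userToken }

    Test-TokenIsAdmin $userToken | Format-Table -AutoSize   # the session token
    Test-TokenIsAdmin $fullToken | Format-Table -AutoSize   # the token to hand to CreateProcessAsUser
} finally {
    if ($fullToken -ne $userToken -and $fullToken -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($fullToken) }
    if ($userToken -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($userToken) }
}
```

$fullToken is the handle to pass to CreateProcessAsUser, together with lpDesktop set to "winsta0\default" and an environment block from CreateEnvironmentBlock, so the process appears on the user's desktop. Two caveats worth checking before relying on this: the linked token only exists for users who are already members of Administrators and received a filtered token at logon (elevation type 3); a standard user has no linked token, so this technique cannot grant administrator rights to someone who does not already hold them. And if the service is running without SeTcbPrivilege enabled, GetTokenInformation fails with ERROR_PRIVILEGE_NOT_HELD rather than silently returning a weaker token.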
Similar Messages
-
Hi
With Restricted Groups I can specify the end-user domain accounts that are members of the local Administrators group on domain PCs. But I need a particular LOCAL account on all the machines to keep its membership of the local Administrators group for testing reasons. At the moment Restricted Groups is stripping this local account of its admin access.
Is it possible to specify a local computer account as admin on all the PCs via Group Policy, or can it only be done with domain accounts?
thanks
You are asking for local accounts to be managed via "Restricted Groups".
Yes, it is possible.
Rajesh showed you one way with domain groups. In his version the "Administrators" group will only contain those accounts that are specified in the GPO, no manually added accounts. This is not always desired.
If you wish to have an account (group or user, local or domain) added to the "Administrators" group while keeping all the other members, proceed like this:
- create the local account on the client(s)
- in the GPO select "Add Group" in "Restricted Groups".
- type in the name of the local account, e.g. "TestID"
- in the appearing dialogue choose "This group is a member of" => Add
- type in "Administrators"
Link the GPO and that's all.
The original MS description for "Restricted Groups" is here:
http://support.microsoft.com/kb/279301/en-us
Another nice one here:
http://www.frickelsoft.net/blog/?p=13
Besides that, a great solution to manage local accounts is the GP Preference Extension "Local Users and Groups".
You can simply create a "Local Users and Groups" Item (computer or user based) and specify the needed options.
http://technet.microsoft.com/en-us/library/cc731972.aspx
Of course you need some prerequisites (at least one Vista or Windows 2008 machine for management and the GPP CSE on each target machine).
If you are new to GPP, these links will help you to get into it:
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790&displaylang=en
http://support.microsoft.com/kb/943729/en-us
http://technet.microsoft.com/en-us/library/cc732027.aspx
http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
Patrick -
USMT ChangeGroup command to remove users from the Administrators group is not working
I'm running USMT in a task sequence, and using this in my config.xml to remove admin rights:
<ProfileControl>
<localGroups>
<mappings>
<changeGroup from="Administrators" to="Users" appliesTo="AllUsers">
<include>
<pattern>*</pattern>
</include>
</changeGroup>
</mappings>
</localGroups>
</ProfileControl>
I see in the scanstate log that this happens:
[0x000000] ProfileControl: Parsing ChangeGroup Administrators => Users for AllUsers
[0x000000] ProfileControl: Parsing ChangeGroup (Administrators => Users) 1 include nodes
[0x000000] ProfileControl: Parsing ChangeGroup (Administrators => Users) 0 exclude nodes
[0x000000] ProfileControl: Parsing ChangeGroup is done
But, in the loadstate on the other end, this happens:
[0x000000] Local Group Membership Mapping: XYX\User123 Added to Administrators
I've tried USMT 4 and 5, changed appliesTo="AllUsers" to "MigratedUsers", and I've made the <include> more specific. I can see in the C:\_SMSTaskSequence folder that the config.xml does have the correct info in it.
I thought I had this tested and working previously, and noticed in some recent migrations that the user still had admin rights. I can reproduce the issue on demand now. I recently upgraded SCCM 2012 to R2, but I'm not sure what that would have to do with the issue. I am not using the USMT 6 package (going from XP still). It may very well be that my testing was flawed, and I didn't have it working in the first place.
Any suggestions are welcome.
You bet, it is a VBS:
' Remove every member of the local Administrators group that is not on the allowed list
Dim network, group, user
Set network = CreateObject("WScript.Network")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
For Each user In group.Members
    ' Keep the built-in Administrator, Domain Admins and the named workstation admin account
    If UCase(user.Name) <> "ADMINISTRATOR" And UCase(user.Name) <> "DOMAIN ADMINS" And UCase(user.Name) <> "SYSTEM WORKSTATION (ADMINISTRATOR)" Then
        group.Remove user.AdsPath
    End If
Next
Obviously you can modify the list of allowed admin accounts to suit your environment. -
Hello,
Can a domain user that does not belong to the Administrators group change your password?
I tried to create a domain user account without administrative access. This user account has permission to access Windows Server 2012 via Remote Desktop.
I tried to access Active Directory Users and Computers with the same account, and I was amazed, because the user account could change the password for multiple accounts, including one administrator account.
Best regards,
Ricardo
Hi Ricardo,
I agree with Martin, we can check the membership about this user account. Besides, we can refer to following steps to check the memberships:
Start ADUC on Windows 2012.
Right-click the user account and select Properties, then click the Member Of tab.
Check which groups the user account belongs to.
In addition, i suggest you create a new user account, and check if the new account can change other user’s password.
Best Regards,
Erin -
Hi, I would like to be able to check if the logged-in user is a member of the Administrators group programmatically through C#.
I know that I can get the user's GUID / check if they are actually a user in Project Server (resource table in the reporting DB), but I am having trouble finding out how to programmatically check if they are a member of the "Administrators" group.
Could somebody please provide a code sample of how to check if a user is in the administrators group when you have their GUID or username or name?
I did not see a table in the reporting DB that has this so I am guessing this has to be done through the PSI..
Thanks in advance!
BTW, I am just wondering: is there a way to check each group's permission levels? I was wondering, if it is possible, what is the best way to implement a similar security model to that of the actual Project Server 2010?
Hi Amit :) I ended up finding the answer myself before you posted here, but thank you for your reply anyway; it is basically the same thing that I did.
This is what I ended up doing :) Basically I have three different types of users configured in my web.config: admins, read-write users, and read-only users. In my code here I loop through and find out who the person is. Based on what group they are in I can later show/hide different options in my application :)
// Namespaces needed by this snippet: System, System.Collections.Generic, System.Configuration, System.Data.SqlClient
SvcSecurity.SecurityClient security = new SvcSecurity.SecurityClient(ENDPOINT_PROJ_SECURITY);
// Group names for each role come from web.config, separated by ';'
string adminGroupsString = ConfigurationManager.AppSettings["adminGroups"];
string readWriteString = ConfigurationManager.AppSettings["readWriteGroups"];
string readOnlyString = ConfigurationManager.AppSettings["readOnlyGroups"];
List<string> adminGroups = new List<string>(adminGroupsString.Split(';'));
List<string> readWriteGroups = new List<string>(readWriteString.Split(';'));
List<string> readOnlyGroups = new List<string>(readOnlyString.Split(';'));
List<Guid> adminGroupIDs = new List<Guid>();
List<Guid> readWriteGroupIDs = new List<Guid>();
List<Guid> readOnlyGroupIDs = new List<Guid>();
// Resolve the logged-in Windows account to its Project Server resource UID via the reporting DB
string resourceID = null;
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RDB"].ConnectionString))
using (SqlCommand command = new SqlCommand("SELECT ResourceUID FROM MSP_EpmResource WHERE ResourceNTAccount = @username", con))
{
    command.Parameters.AddWithValue("@username", this.User.Identity.Name);
    con.Open();
    using (SqlDataReader reader = command.ExecuteReader())
    {
        if (reader.Read())
        {
            resourceID = reader["ResourceUID"].ToString();
        }
    }
}
if (resourceID != null)
{
    // Get the list of security groups and pick out the IDs of the configured ones
    SvcSecurity.SecurityGroupsDataSet sgds = security.ReadGroupList();
    foreach (SvcSecurity.SecurityGroupsDataSet.SecurityGroupsRow ds in sgds.SecurityGroups)
    {
        if (adminGroups.Contains(ds.WSEC_GRP_NAME))
            adminGroupIDs.Add(ds.WSEC_GRP_UID);
        else if (readWriteGroups.Contains(ds.WSEC_GRP_NAME))
            readWriteGroupIDs.Add(ds.WSEC_GRP_UID);
        else if (readOnlyGroups.Contains(ds.WSEC_GRP_NAME))
            readOnlyGroupIDs.Add(ds.WSEC_GRP_UID);
    }
    // True when the resource is a member of any of the given groups (one ReadGroup call per group)
    Func<List<Guid>, bool> isMemberOfAny = groupIDs =>
    {
        foreach (Guid id in groupIDs)
        {
            SvcSecurity.SecurityGroupsDataSet group = security.ReadGroup(id);
            foreach (SvcSecurity.SecurityGroupsDataSet.GroupMembersRow member in group.GroupMembers)
            {
                if (member.RES_UID.ToString().Equals(resourceID))
                {
                    return true;
                }
            }
        }
        return false;
    };
    // Check the most privileged role first; the later checks only run when the earlier ones failed
    bool isAdmin = isMemberOfAny(adminGroupIDs);
    bool readWrite = !isAdmin && isMemberOfAny(readWriteGroupIDs);
    if (isAdmin || readWrite)
    {
        Session["createReport"] = "true";
    }
    else if (isMemberOfAny(readOnlyGroupIDs))
    {
        Session["createReport"] = "false";
    }
}
Cheers! :) -
Not a member of the Administrators group
My wife wants to use my iMac to do office work for her employer at home.
To do this, she has to install some employer software on my iMac. But when she tries to install her employer's Mac software, she gets the message "Hardware installation cannot start with this user account. Make sure that the user is a member of the Administrators group on the computer."
To make her a User/Administrator, do I do the following:
1) Go into System Preferences and clicked on Users & Groups.
2) With the Current User as Admin checked, clicked on the padlock to unlock it and type in my password.
3) With the padlock unlocked, under Login Options, do I click on the + to establish a new user account for her?
4) Then, highlight the new account and click on the box "Allow user to administer this computer" and relock the padlock?
5) When the computer reboots, will it reboot with her as Administrator so she can load her employer's software?
Once I have done this, in the future when she wants to use her new account, does she go into System Preferences - Users & Groups, unlock the padlock, click on her account to highlight it, relock the padlock and reboot the computer?
Thanks,
jzach52
Yes to 1 thru 5
To access the account it is faster just to logout and login rather than rebooting. -
LDAP Group is empty while the LDAP group has 150 users
Hi,
My BOE is mapped to the corporate LDAP, and the LDAP group is already mapped to a BO group.
The problem is that the LDAP Group is empty while the LDAP group has 150 users.
Currently, just after each user logs in for the first time, the user is created under the BO Group.
Is there any way to populate the BO Group automatically?
Best Regards,
DoronS
Hi,
yes there is. Check your LDAP Authentication Tab and select "Create new aliases when the Alias Update occurs"
It should be under your Alias settings.
But please note that you then require 150 licenses. So each user gets a license even if he doesn't use the BOE system but is part of the LDAP group.
Regards
-Seb. -
Ouch!
Did a Server migration from Server 2003 to Server 2012 R2. Virtualized the Domain controller and a File Server.
Used Robocopy, icacls and takeown to get the permissions and access to work correctly.
One user, whom we will call Mary here, is a member of three groups: HR, HRA and Boardroom, but when I give a test file Administrators-only access she can breeze right in!
I do not know if this was how it worked before the migration but how do I stop it.
Effective permissions appear correct but she just tra-la-la's right on in!
Any ideas?
Liam
Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
Since the same result happens on multiple computers, it is not the profile.
I am recommending you delete the AD account (or rename to backup the account).
It will not affect the user's Exchange account, but you will need to link it back to the new AD user account.
You can also delete her profile just to remove it, for the "just in case" scenario.
Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional -
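The two threads above (a non-admin who can reset passwords in ADUC, and Mary walking through an Administrators-only ACL) have the same first diagnostic step: find out which groups actually end up in the user's token, nested memberships included, and match them against the ACL. The script below is an added example, not from either thread. It uses an S4U logon (WindowsIdentity with a UPN, no password) to build the token the way the host you run it on would, so run it on the file server itself as an administrator; the groups then include that server's own local groups, such as BUILTIN\Administrators, which is where an "Administrators only" ACE usually gets satisfied. The function names, the UPN and the path are assumptions for the example.

```powershell
# Added example (not from the threads above). Run on the server that holds the
# file, as an administrator, on a domain-joined host.
function Resolve-SidName([Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-EffectiveAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,   # e.g. mary@corp.example (assumption)
        [Parameter(Mandatory = $true)][string]$Path
    )
    # S4U logon: builds the user's token on this host without a password. Groups already
    # contains nested domain groups and this host's local groups, as the server resolves them.
    $identity = New-Object Security.Principal.WindowsIdentity($UserPrincipalName)
    try {
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

        # Reasons an "Administrators only" ACL may not keep this user out
        $flags = @()
        if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            $flags += 'member of BUILTIN\Administrators on this host (directly or via a nested group)'
        }
        if ($tokenSids -like 'S-1-5-21-*-512') { $flags += 'member of Domain Admins' }
        if ($tokenSids -like 'S-1-5-21-*-519') { $flags += 'member of Enterprise Admins' }

        $acl = Get-Acl -Path $Path
        $ownerSid = $acl.GetOwner([Security.Principal.SecurityIdentifier]).Value
        if ($tokenSids -contains $ownerSid) { $flags += 'owner of the object (implicit READ_CONTROL and WRITE_DAC)' }

        # ACEs whose trustee is in the token: this is what the access check evaluates, deny entries first
        $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
        $matching = foreach ($ace in $rules) {
            if ($tokenSids -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Trustee   = Resolve-SidName $ace.IdentityReference
                    Type      = $ace.AccessControlType
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
        [pscustomobject]@{
            User         = $identity.Name
            Groups       = @($identity.Groups | ForEach-Object { Resolve-SidName $_ })
            Flags        = $flags
            MatchingAces = @($matching)
        }
    } finally {
        $identity.Dispose()
    }
}

# Usage (names are assumptions):
#   $r = Get-EffectiveAccess -UserPrincipalName 'mary@corp.example' -Path 'D:\Shares\Boardroom\test.txt'
#   $r.Flags
#   $r.MatchingAces | Format-Table -AutoSize
```

If Flags reports membership of BUILTIN\Administrators, the Administrators-only ACE is granting access exactly as written and the thing to fix is the group nesting (for example one of HR, HRA or Boardroom, or a group they contain, sitting in the server's local Administrators or in Domain Admins), which deleting and recreating the user account will not change. For the password-reset case the same Groups list is what to inspect: the "Member Of" tab in ADUC shows only direct memberships, whereas the token shows the nested ones, and the Account Operators built-in group in particular can reset passwords of most accounts without being in Administrators.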
Allowing the creation of users but not letting them be assigned to the Administrators group?
Hi
I am using Project Server 2013 on-prem, with Project Server Security. We have defined a local administrator group that is intended to allow for a limited set of permissions to local administrators. The reason for this is that we need the individual offices in a global company to be able to add their own users, but we want the ability to change the configuration of Project Server to be controlled centrally.
However I have found that once I give Manage Users and Groups permission to a user in this Local Administrator group they can then simply add themselves to the Administrator group anyway.
Setting policy and training is not proving effective, hence I need to limit this. The desire is for a group that can create users and add values to lookup tables, but not add themselves to the Administrator group.
Is this possible?
Thanks
Ryan
You could still take the approach of having your helpdesk assign the permissions and remove the Manage Users and Groups permission from the local administrators in an office (as opposed to switching to the different permission model).
I'm curious how training and policy isn't working -- you've asked (told) the users not to add themselves to the administration group and yet they do it anyway? Are they doing this so they have permissions to perform some other tasks?
Jason Warren
@jaspnwarren
jasonwarren.ca
habaneroconsulting.com/Insights -
What is the default group of a user created in OID
Hi All,
We integrated EBS with OAM 11g (which is integrated with OID 11g).
Whenever we create a user in EBS it is reflected in OID, but this user is not able to log in to OAM. Only when we assign the newly created user to the 'Administrator' group is it able to log in to OAM, because we specified 'Administrator' as the administrator group.
So now, how do I set the default group to Administrator for newly flowing users from EBS?
Any idea really appreciated,
Thanks in advance,
stevenray1 wrote:
Is the resolution of a photo created in Photo Booth under user control, or is there a single default (and if so, what is that)?
640 x 480 (dragged one to the desktop and checked it)
Can the resolution (default or otherwise) be improved in iPhoto?
No
You can export it from iPhoto as a JPEG with a different resolution but can not change the resolution in iPhoto - and increasing the DPI does not increase the resolution of a photo - you can not add quality that is not there
LN -
Using PowerShell 3.0 (and if possible the CIM, not WMI, cmdlets), how can I script, with the | Out-File C:\<filename>.txt or .csv option, listing all local user accounts and local groups on remote computers?
Thank You!
I don't recall PowerShell V3 introducing anything new to handle local users and groups. You need to use PowerShell V1 methods, using the [ADSI] accelerator and the WinNT: provider. The scripts linked above show this. No need to use WMI (which would probably be slower).
Here is a script I've used to enumerate all local groups and their members:
$Computer = "MyServer"
# Bind to the computer object through the WinNT: provider
$Computer = [ADSI]"WinNT://$Computer"
# Only the children whose schema class is "group"
$Groups = $Computer.psbase.Children | Where {$_.psbase.schemaClassName -eq "group"}
ForEach ($Group In $Groups)
{
    "Group: " + $Group.Name
    # Members come back as COM objects; read their properties via InvokeMember
    $Members = @($Group.psbase.Invoke("Members"))
    ForEach ($Member In $Members)
    {
        $Class = $Member.GetType().InvokeMember("Class", 'GetProperty', $Null, $Member, $Null)
        $Name = $Member.GetType().InvokeMember("Name", 'GetProperty', $Null, $Member, $Null)
        "-- Member: $Name ($Class)"
    }
}
A similar script to enumerate all local users would be:
$Computer = "MyServer"
$Computer = [ADSI]"WinNT://$Computer"
# Only the children whose schema class is "user"
$Users = $Computer.psbase.Children | Where {$_.psbase.schemaClassName -eq "user"}
ForEach ($User In $Users)
{
    "User: " + $User.Name
}
Richard Mueller - MVP Directory Services -
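The following is an added example, not code from any reply in this thread. It pulls together three things the replies above do by hand or in VBScript: enumerating every local group and its members on a list of remote computers (to a CSV, as the question asks), enumerating local user accounts, and pruning the local Administrators group down to an allow-list the way the VBScript reply does, which is also a quick way to confirm what a Restricted Groups policy left behind on a client. It uses the same [ADSI] WinNT: provider as the script above, needs administrative rights on each target, and the function names, computer names and allow-list entries are assumptions.

```powershell
# Added example (not from this thread). Requires admin rights on each target machine.
function Get-ComProperty($ComObject, [string]$Name) {
    # Members of a WinNT group come back as COM objects; read their IADs properties via InvokeMember
    $ComObject.GetType().InvokeMember($Name, 'GetProperty', $null, $ComObject, $null)
}

function Get-LocalGroupMembership {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            $machine = [ADSI]"WinNT://$computer,computer"
            $groups = $machine.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'group' }
            foreach ($group in $groups) {
                $members = @($group.psbase.Invoke('Members'))
                if ($members.Count -eq 0) {
                    # Keep empty groups in the report so that an emptied Administrators group is visible
                    [pscustomobject]@{ ComputerName = $computer; Group = $group.psbase.Name; Member = $null; Class = $null; ADsPath = $null }
                }
                foreach ($member in $members) {
                    [pscustomobject]@{
                        ComputerName = $computer
                        Group   = $group.psbase.Name
                        Member  = Get-ComProperty $member 'Name'
                        Class   = Get-ComProperty $member 'Class'      # User or Group
                        ADsPath = Get-ComProperty $member 'ADsPath'    # WinNT://DOMAIN/name distinguishes domain from local
                    }
                }
            }
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

function Get-LocalUserAccount {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    $ADS_UF_ACCOUNTDISABLE = 0x2
    foreach ($computer in $ComputerName) {
        try {
            $machine = [ADSI]"WinNT://$computer,computer"
            $users = $machine.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq 'user' }
            foreach ($user in $users) {
                [pscustomobject]@{
                    ComputerName = $computer
                    User         = $user.psbase.Name
                    Disabled     = (([int]$user.UserFlags.Value) -band $ADS_UF_ACCOUNTDISABLE) -ne 0
                }
            }
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

function Remove-UnapprovedAdministrator {
    # Same idea as the VBScript reply, with -WhatIf support. The allow-list may hold plain names
    # or full ADsPaths; prefer the latter so a local "Administrator" and DOMAIN\Administrator
    # are not confused.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$Allowed
    )
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $name = Get-ComProperty $member 'Name'
        $path = Get-ComProperty $member 'ADsPath'
        if ($Allowed -contains $name -or $Allowed -contains $path) { continue }
        if ($PSCmdlet.ShouldProcess($path, "Remove from Administrators on $ComputerName")) {
            $group.psbase.Invoke('Remove', $path)
        }
    }
}

# Usage (names are assumptions):
#   $targets = 'PC01', 'PC02'
#   Get-LocalGroupMembership -ComputerName $targets | Export-Csv -Path C:\audit\local-groups.csv -NoTypeInformation
#   Get-LocalUserAccount -ComputerName $targets | Export-Csv -Path C:\audit\local-users.csv -NoTypeInformation
#   Remove-UnapprovedAdministrator -ComputerName 'PC01' -Allowed 'Administrator', 'WinNT://CORP/Domain Admins', 'TestID' -WhatIf
```

Run the removal with -WhatIf first and keep the CSV from the enumeration as the "before" record; the report is also what you compare against after a Restricted Groups GPO applies, since the Group/Member rows for Administrators show directly whether the policy replaced the membership or merely added to it. A CIM alternative for the enumeration exists (Get-CimInstance on the Win32_GroupUser association class), but it cannot modify membership, which is why the ADSI route is used for all three tasks here.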
The only user was removed from Administrators Group
Hi Experts
We are using Office 365 based Project Online and Project Server Security Mode was applied; also the Active Directory sync was switched to 'OFF' for the Administrators Group in PWA. There was only one user in the Administrators Group and hence he was the lone user to have access to the Project Server 'Groups & Categories' section.
Now I do not know how it happened, but the person logged into the PWA Site, went to the Administrators Group, removed his name from the Group and clicked on Save.
As soon as that happened the access rights were removed from that user. Now no one has access to the 'Server Settings' page as an administrator. Hence all the admin work is stopped.
My concern is: is it possible by any means to add any user (or the same user) to the Administrators Group?
Thanks
Manish
Hello,
If no user has access to do this, then the only option you have via the UI is to switch permission modes (to the SharePoint permission mode, then back to the Project Server permission mode; this adds the Company Administrators (global admins) to the Admin group).
Do bear in mind this will remove all of the users from the security groups and reset ALL security, so probably not an ideal option. The only other option is to open a support query via your Office 365 tenant and see what Microsoft suggests.
Paul
Paul Mather | Twitter |
http://pwmather.wordpress.com | CPS |
MVP | Downloads -
I am trying to get into the Game Center and download some apps. I enter my user id/password the keep getting a "you are not part of the/this administrators group" message then a cancel/retry command. What do I do to become part of this/the administrators group? I am using a friend's wi-fi...Help!
-
Missing "Administrators" Group in the Netweaver portal??
Hi,
We have a lot of portals, but the "Administrators" group is missing in identity management.
We have this group in all other portals, but now the issue is who should set up this group so it can be found in identity management!
Uploading the group from the backend, I guess, is not good because this will not set up the permissions that go with this group.
It has the Super admin and administrator roles in it, but giving these two roles to my user doesn't fix it, so I need to know how to get this group in the portal.
Any idea anyone??
Hi Jesper Andersen,
Try to search for your group with the first letter in CAPS: "Administrator".
If not, please find your user Administrator or J2EE_admin and tell us which groups you have assigned to this user.
Please remember to rate the replies; this encourages the SDN to keep growing,
regards,
Fabio -
Is there anything the Administrator can do that Administrators Group cannot?
We have a situation where we are implementing SSO and will no longer be able to log in as a Plumtree database user. (A valid AD account will be required.) Is there anything that the Administrator (User ID = 1) can do that a member of the Administrators Group cannot? I mean anything. I need a definitive answer on this to make a call on whether we need to take the time now to find a way to map an AD account to a Plumtree database user so we can log in as the Administrator through SSO. Thanks, Plumtree!
Sarah
This is critical for us as well. Currently we are only using the Administrators Group so that auditable AD accounts are recorded as performing administrative actions. We haven't run into any issues but also need a Plumtree absolute commitment that we are in the clear only using the Administrators Group.