When you remove administrative rights for applications using the Remove Administrative Rights action, there is an advanced feature that allows you to apply restricted Security Identifiers (SIDs), further restricting access to securable objects.
When you specify any Restricted SID, it is not enough for the security descriptor to allow access to the user: it must also explicitly allow access to the Restricting SID.
When to Use Restricted SIDs
- The use case for a Restricted SID is creating a sandbox and then applying a Restricted SID to further restrict the apps in that sandbox.
- Anything the Restricted SID is applied to gets only Read access to the user registry and has no Read access to the local machine registry, so it can do very little, and many apps may not work correctly under this model. The same applies to the file system: not only must you as the user have access to a file, but the Restricted SID must also be granted access explicitly. Ultimately, the process is severely locked down.
Our restricted process option leverages the Windows functionality that prevents restricted SIDs from having Write access to protected resources. (For more details, see Restricted Tokens on the Windows Dev Center.) Another benefit is that restricted processes do not have rights to open any network-based resource, such as file servers.
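The two-pass rule described above (the user's own SIDs must grant the access, and then the restricting SIDs must grant it again) is what makes a Restricted SID so limiting. The following is an added example, not the product's code and not the Windows implementation: a small platform-independent model of that check in Python, run against constructed DACLs for a user registry hive and a machine registry hive. The user SID, the access-mask bits and the DACL contents are constructed sample values; the well-known SIDs (BUILTIN\Users, BUILTIN\Administrators, NT AUTHORITY\RESTRICTED) are real.

```python
"""Model of how Windows evaluates a DACL for a restricted token.

Added example (not the vendor's code, not the Windows implementation): a
simplified model of the two-pass access check Windows performs for tokens that
carry restricting SIDs. SIDs marked constructed, the DACLs and the access-mask
bits are illustrative inputs made up for this example.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Illustrative access-mask bits (constructed; real Windows masks differ).
READ = 0x1
WRITE = 0x2

# One constructed user SID plus three well-known SIDs (real values).
USER_SID = "S-1-5-21-1000-2000-3000-1001"   # constructed sample user
USERS_GROUP = "S-1-5-32-545"                # BUILTIN\Users
ADMINS_GROUP = "S-1-5-32-544"               # BUILTIN\Administrators
RESTRICTED_CODE = "S-1-5-12"                # NT AUTHORITY\RESTRICTED


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    sids: Set[str]                                      # user and group SIDs
    restricted: Set[str] = field(default_factory=set)   # empty -> not restricted


def _dacl_pass(dacl: List[Ace], sids: Set[str], desired: int) -> bool:
    """One walk over the DACL for one SID set (ACEs in canonical order, deny
    before allow). Succeeds only if every desired bit is granted and no
    matching deny ACE covers a still-outstanding bit."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def access_check(dacl: List[Ace], token: Token, desired: int) -> bool:
    """Restricted-token rule: the normal SIDs must grant the access AND, if the
    token has restricting SIDs, the restricting SIDs must grant it as well."""
    if not _dacl_pass(dacl, token.sids, desired):
        return False
    if token.restricted:
        return _dacl_pass(dacl, token.restricted, desired)
    return True


# Constructed DACLs mirroring the page's description.
# User hive: the user has full control, and a read-only ACE exists for the
# restricting SID (as a sandboxing product would add).
USER_HIVE_DACL = [
    Ace("allow", USER_SID, READ | WRITE),
    Ace("allow", RESTRICTED_CODE, READ),
]
# Machine hive: Users may read, Administrators have full control, and no ACE
# mentions the restricting SID at all.
MACHINE_HIVE_DACL = [
    Ace("allow", USERS_GROUP, READ),
    Ace("allow", ADMINS_GROUP, READ | WRITE),
]

NORMAL_TOKEN = Token(sids={USER_SID, USERS_GROUP})
RESTRICTED_TOKEN = Token(sids={USER_SID, USERS_GROUP}, restricted={RESTRICTED_CODE})


def effective_rights(dacl: List[Ace], token: Token) -> Set[str]:
    """Which of read/write the token actually obtains on an object with this DACL."""
    return {name for name, bit in (("read", READ), ("write", WRITE))
            if access_check(dacl, token, bit)}


if __name__ == "__main__":
    for label, dacl in (("user hive", USER_HIVE_DACL), ("machine hive", MACHINE_HIVE_DACL)):
        print(f"{label}: normal={sorted(effective_rights(dacl, NORMAL_TOKEN))} "
              f"restricted={sorted(effective_rights(dacl, RESTRICTED_TOKEN))}")
```

Running it shows the behaviour the list above describes: on the user hive the restricted token keeps Read but loses Write, and on the machine hive, where nothing names the restricting SID, it gets nothing at all even though the unrestricted token can read. The same model explains why a file server share, whose DACL never mentions the restricting SID, is unreachable from a restricted process.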
...