...
Issue
When elevating process rights with Application Control Solution (ACS) on Windows Vista or Windows 7, there are times when the rights given by ACS appear to be insufficient. The process still doesn't work as it does when the user is an administratorlogged in as Administrator, accepts the UAC box, or the process is run with the right-click Run as As Administrator option. Or the process has messages about not having Or an error is returned stating you do not have sufficient rights or not being able to access something.
Resolution
Windows Vista and Windows 7 introduced changes to security which included creating two tokens for a users when they log in. The lower privilege token is the one always used unless the user goes through UAC or other processes. ACS allows administrators to choose which token should be used to elevate certain processes. The lower privilege token, if it works, is the better option as it has fewer privileges and thus protects the system better. But if necessary the higher-privilege token can be used by ACS when manipulating the processes process's security configuration.
To do thisset the unrestricted token, do the following steps:
- Clone the Add Administrative Rights action.
- Add the Use User's Unrestricted Token option to the new
...
- cloned action, and save the new action with a new
...
- name (such as "Unrestricted Token - Add Admin Rights").
- Add the new action to new policies or change existing policies and
...
- remove the old action
...
- .
- Add the new action and save the changes.
- Then update the NS/SMP agent client policies.
- The ACS agent has to retrieve the details of the new action from the NS/SMP server via the ACS
...
- web service.
- The change may take a few minutes to reach the client machine after the client policies have updated depending on how busy the NS/SMP server is.