When you remove administrative rights for applications using the Remove Administrative Rights action, there is an advanced feature that allows you to apply restricted Security Identifiers (SIDs), further restricting access to securable objects.
When you specify a restricted SID, the security descriptor must not only allow access to the user; it must also explicitly allow access to the restricting SID.
[[Who should use this advanced feature?]]
[[Adjust Process Rights Improvements
Adjust Process Security is an action that allows a process to be protected from tampering by users. ==> how does this apply to Adjust Process Security rather than Remove Admin Rights?]]
[[How does this work in the Console?]]
Our restricted process option leverages the Windows functionality that prevents restricted SIDs from having Write access to protected resources. (For more details, go to Restricted Tokens on the Windows Dev Center.)
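The two-part check described above can be modeled in a few lines. This is an added example, not code from the product or from Windows: it is a simplified Python model of the access check, with made-up access-mask bits, a constructed user SID, and the well-known RESTRICTED SID (S-1-5-12) assumed as the restricting SID.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits, not the real Windows values

# S-1-5-12 is the well-known RESTRICTED SID; the user SID is constructed.
USER = "S-1-5-21-1111-2222-3333-1001"
RESTRICTED = "S-1-5-12"

@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    mask: int

@dataclass(frozen=True)
class Token:
    sids: frozenset
    restricting_sids: frozenset = frozenset()

def dacl_pass(dacl, sids, desired):
    """Walk the ACEs in order against one SID list; True if every desired bit is allowed."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False            # a matching deny ACE is reached before the bit is granted
        if ace.allow:
            remaining &= ~ace.mask  # these bits are now granted
    return remaining == 0

def access_check(dacl, token, desired):
    """A restricted token needs a second pass that uses only the restricting SIDs."""
    if not dacl_pass(dacl, token.sids, desired):
        return False
    if token.restricting_sids:
        return dacl_pass(dacl, token.restricting_sids, desired)
    return True

# Constructed DACLs: one grants the restricting SID read access, the other omits it.
shared_doc = [Ace(True, USER, READ | WRITE), Ace(True, RESTRICTED, READ)]
private_doc = [Ace(True, USER, READ | WRITE)]

normal = Token(frozenset({USER}))
restricted = Token(frozenset({USER}), frozenset({RESTRICTED}))

if __name__ == "__main__":
    for name, dacl in (("shared_doc", shared_doc), ("private_doc", private_doc)):
        for label, tok in (("normal", normal), ("restricted", restricted)):
            print(name, label, "read:", access_check(dacl, tok, READ),
                  "write:", access_check(dacl, tok, WRITE))
```

The restricted token keeps read access only where the DACL names the restricting SID, and loses write access in both cases even though the user's own ACE allows it.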
Another benefit of this is that Restricted Processes do not have rights to open any network-based resource, such as file servers.