Problem
When elevating process rights with ACS on Windows Vista or 7 there are times when the rights given by ACS appear to be insufficient. The process still doesn't work as it does when the user is an administrator, accepts the UAC box, or the process is run with the right-click Run as Administrator option. Or the process has messages about not having sufficient rights or not being able to access something.
Resolution
Windows Vista and 7 introduced changes to security which included creating two tokens for a users when they log in. The lower privilege token is the one always used unless the user goes through UAC or other processes. ACS allows administrators to choose which token should be used to elevate certain processes. The lower privilege token, if it works, is the better option as it has fewer privileges and thus protects the system better. But if necessary the higher-privilege token can be used by ACS when manipulating the processes security configuration.
To do this:
- Clone the Add Administrative Rights action
- Add the Use User's Unrestricted Token option to the new, cloned action, and save the new action with a new, descriptive name like "Unrestricted Token - Add Admin Rights"
- Add the new action to new policies or change existing policies and removed the old action and add the new action and save the changes
- Then update the NS/SMP agent client policies
- The ACS agent has to retrieve the details of the new action from the NS/SMP server via the ACS webservice
- The change may take a few minutes to reach the client machine after the client policies have updated depending on how busy the NS/SMP server is