Unrestricted token

Issue

When elevating process rights with Application Control Solution (ACS) on Windows Vista or Windows 7, the rights granted by ACS sometimes appear to be insufficient: the process still does not behave as it does when the user logs in as Administrator, accepts the UAC prompt, or launches it with the right-click Run As Administrator option, or an error is returned stating that you do not have sufficient rights or access.

Solution

Windows Vista and Windows 7 changed the security model so that two access tokens are created for users when they log in: a lower-privilege (filtered) token and a higher-privilege (unrestricted) token. The lower-privilege token is always used unless the user goes through UAC or another elevation path. ACS lets administrators choose which token is used when elevating a given process. If the lower-privilege token works, it is the better option: it carries fewer privileges and therefore protects the system better. When necessary, however, ACS can use the higher-privilege token when manipulating the process's security configuration.

To set the unrestricted token, do the following steps:

  1. Clone the Add Administrative Rights action.
  2. Add the Use User's Unrestricted Token option to the new cloned action, and save the new action with a new name (such as "Unrestricted Token - Add Admin Rights").
  3. Add the new action to new policies or change existing policies and remove the old action.
  4. Add the new action and save the changes.
  5. Then update the NS/SMP agent client policies.
  6. The ACS agent retrieves the details of the new action from the NS/SMP server via the ACS web service.
  7. Depending on how busy the NS/SMP server is, the change may take a few minutes to reach the client machine after the client policies have updated.
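To confirm which of the two tokens a process actually received after the policy change, the following added example (not part of the ACS documentation or product) queries the current PowerShell process's token through the Windows API. It assumes PowerShell on Windows Vista or later; run it from the process that ACS elevated (for example, an elevated PowerShell prompt) and compare the result before and after switching the action to the unrestricted token.

```powershell
# Added example: report whether this process runs under the filtered
# (limited) or the unrestricted (full) UAC token. Not ACS code.
$signature = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength,
    out int ReturnLength);
'@
$advapi = Add-Type -MemberDefinition $signature -Name 'TokenApi' `
    -Namespace 'Win32Check' -PassThru

function Get-TokenElevationType {
    # TOKEN_INFORMATION_CLASS value 18 is TokenElevationType.
    $TokenElevationType = 18
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $value = 0
    $returned = 0
    $ok = $advapi::GetTokenInformation($identity.Token, $TokenElevationType,
        [ref]$value, 4, [ref]$returned)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed with Win32 error $err"
    }
    # TOKEN_ELEVATION_TYPE: 1 = Default, 2 = Full, 3 = Limited.
    switch ($value) {
        1 { 'Default (no linked token: UAC is off, or the user is not an administrator)' }
        2 { 'Full (unrestricted token: the process is elevated)' }
        3 { 'Limited (filtered token: Administrators group is present for deny only)' }
        default { "Unknown ($value)" }
    }
}

function Test-IsAdministrator {
    # True only when the Administrators group is enabled in the token,
    # i.e. the process holds the unrestricted token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Elevation type : $(Get-TokenElevationType)"
"Admin role     : $(Test-IsAdministrator)"
```

A process elevated with the filtered token reports Limited and False even though the user is an administrator; only the unrestricted token yields Full and True.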