MikhailFirsov-1277 asked

Question on privileges in PS

Hello,

As you already may know, if some operation is performed under an administrative account but without elevated privileges - for example, starting the PS console NOT As administrator - this operation will be using the non-administrative token, thus "downgrading" administrator privileges to the privileges of an ordinary user. It means that such an administrator is in fact just a user (in terms of privileges and permissions) and there should not be - at least I have no grounds to think differently - any difference between such an administrative account and a plain user account.
Nevertheless, when I issue the following command as an administrator without an administrative token the command completes successfully:

[Screenshot: 111366-q1.png]

...but when I run it under a user account it returns nothing, but the error under the hood is Access Denied:

[Screenshot: 111399-q2.png]

Q1: Am I correct in thinking the administrative accounts without elevated tokens must have the same level of privileges as that of the ordinary users?

Q2: If Q1 = yes ... why does the command above work differently?

Thank you in advance,
Michael

RichMatheisen-8856 answered

Well, first you'd have to separate the "permission" from the "privilege". You'd also have to take into account that the "administrator" account has a unique SID (S-1-5-21-domain-500) -- that can have an effect on what the account is capable of doing (privilege) and what it is allowed to access (permission).

"Access Denied" is related to "permission" and, so, to group membership. The accounts (except for that "well-known SID") should be no different.

MikhailFirsov-1277 answered

Sorry for the delay...

Thank you for the interesting question/explanation but it's a bit different... my question was about if there should be any difference between an administrative account which had not requested administrative privileges and an account that never had such privileges at all...

MikhailFirsov-1277 answered

" "administrator" account has a unique SID (S-1-5-21-domain-500) " - oh, you're right - forgot that I was conducting my tests under the built-in Administrator account which always runs with the elevated token...

Thank you for the help!

Regards,
Michael
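
Added example, not part of the thread: a PowerShell check that shows which of the cases discussed above the current console is in (elevated token, UAC-filtered administrator token, or the built-in RID 500 account that is exempt from filtering by default). The output property names are illustrative; it assumes Windows with the .NET `Claims` API (Windows PowerShell 5.1 or later).

```powershell
# Added example: explain the admin status of the token this console runs under.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators, a well-known SID

# True only when Administrators is an enabled group in this token (elevated).
$elevated = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# A UAC-filtered token still lists Administrators, but as a deny-only SID.
$denyOnly = [System.Security.Claims.ClaimTypes]::DenyOnlySid
$filtered = [bool]($id.Claims | Where-Object {
    $_.Type -eq $denyOnly -and $_.Value -eq $adminsSid })

# Built-in Administrator: S-1-5-21-<domain or machine id>-500.
$isRid500 = $id.User.Value -match '^S-1-5-21-\d+-\d+-\d+-500$'

# UAC policy values; a missing FilterAdministratorToken means 0 (the default),
# i.e. the RID 500 account is not filtered and always gets the full token.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

[pscustomobject]@{
    Account                  = $id.Name
    IsBuiltInAdministrator   = $isRid500
    AdministratorsEnabled    = $elevated
    AdministratorsDenyOnly   = $filtered
    EnableLUA                = $policy.EnableLUA
    FilterAdministratorToken = [int]$policy.FilterAdministratorToken
}
```

A non-elevated console of an ordinary administrative account reports `AdministratorsDenyOnly = True`, while a plain user account reports both Administrators fields as `False`.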
