Solved

Risks with the Interactive local account being added to the local GP in the create global objects user rights to enable enhanced functionality in the newer App space developed in house and potentially

Posted on 2010-08-31
3
605 Views
Last Modified: 2012-05-10
The Server8.inf file that is imported in the SOE build process on the Citrix servers in both farms (the server SOE that is applied to all servers, with adjustments made based on requirements) has as a component (line 58) some adjustments to the local user account 'INTERACTIVE'.
 
In particular, this account is removed from the local user rights assignment 'Create Global Objects'.
 
We have found recently with some of the Oracle in-house created front-end applications, because they run under the user context and create named pipes to the Oracle backend based on tnsnames.ora files rather than a System DSN, that these applications (also some .NET apps) throw access exceptions and security audit outputs such as SeCreateGlobalPrivilege failures.
 
By including the INTERACTIVE account in 'Create Global Objects', as is the case on a desktop, we can allow applications to function correctly under a non-privileged user context, e.g. not requiring the application AD group to be added to Power Users locally and, in some cases, the local Administrators group.
 
The question is: would there be any IT security issues with the INTERACTIVE local account being added to the local GP in the 'Create Global Objects' user right, to enable enhanced functionality in the newer app space developed in-house and potentially remove some elevated privileges that have been applied in other cases?

If so, what would be a consequence and remedy?
 
Question by:susmonkey
3 Comments
 
LVL 6

Accepted Solution

by:
up_grayed_out earned 500 total points
ID: 33567854
There's a previous EE thread with some good info on this.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_23914851.html

MS basically recommends that you restrict this right to admins. That said, I've had to make the same exception in order to support Oracle. You are still in keeping with the least privilege principle, since the account actually needs this right to perform its intended action. Simply giving the account this right is a lot more fine-tuned than making the account an admin, so you're doing your best to mitigate any risk.

So, in summary, I'd give the account the Create Global Objects right.
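The question describes the server SOE removing INTERACTIVE from 'Create Global Objects' via a secedit template, and the accepted answer recommends granting that single right rather than local admin. The script below is an added example (not from the thread, not Server8.inf, and not from Oracle or Microsoft) that audits who currently holds SeCreateGlobalPrivilege on a server and, if INTERACTIVE is missing, prints a minimal template that would add it back using the same secedit mechanism the SOE uses. It assumes an elevated PowerShell session on the Citrix host and the well-known SID S-1-5-4 for INTERACTIVE; the template contents are constructed for illustration.

```powershell
# Added example: audit the "Create global objects" user right (SeCreateGlobalPrivilege)
# and show a secedit template that would grant it to INTERACTIVE (S-1-5-4).
# Run elevated. Assumed well-known SIDs: S-1-5-4 INTERACTIVE, S-1-5-6 SERVICE,
# S-1-5-32-544 Administrators, S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE.

$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# The export is INI-style; user rights live under [Privilege Rights] as "*SID,*SID,...".
$line = Get-Content $export | Where-Object { $_ -match '^SeCreateGlobalPrivilege\s*=' }
if (-not $line) {
    Write-Warning 'SeCreateGlobalPrivilege is not assigned to any principal; check the export file.'
    return
}

# Split the value into bare SIDs and translate each to an account name for readability.
$sids = @(($line -replace '^SeCreateGlobalPrivilege\s*=\s*', '') -split ',' |
          ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
$holders = foreach ($sid in $sids) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $sid }   # leave SIDs that cannot be resolved on this host as-is
}
Write-Host "Create global objects (SeCreateGlobalPrivilege) is held by:`n  $($holders -join "`n  ")"

if ($sids -contains 'S-1-5-4') {
    Write-Host 'INTERACTIVE already holds the right; interactive apps should not log SeCreateGlobalPrivilege failures.'
} else {
    Write-Host 'INTERACTIVE does not hold the right (the build template removed it).'
    # Constructed template: keep every existing holder and append INTERACTIVE, so the
    # service accounts and Administrators are not accidentally stripped of the right.
    $value = (@($sids) + 'S-1-5-4' | ForEach-Object { "*$_" }) -join ','
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeCreateGlobalPrivilege = $value
"@
    Write-Host "Template that would grant it:`n$template"
    # To apply (elevated), save the template to a file and run:
    #   secedit /configure /db "$env:TEMP\secpol.sdb" /cfg <template.inf> /areas USER_RIGHTS
}
```

Two caveats for anyone doing this on a Citrix farm. First, if a domain GPO also defines this user right, it overwrites the local setting at the next policy refresh, so the change has to be made in the same place the SOE applies it or in the GPO, not just locally. Second, the reason the right is restricted on multi-session hosts is that objects in the global namespace (named pipes, mutexes, sections) are visible to every session on the box, so one user's application can create a name that another user's session expects; keeping the grant to the one right, and watching the audit log for SeCreateGlobalPrivilege failures before and after the change, is the least-privilege approach the accepted answer describes.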
 
LVL 68

Expert Comment

by:Qlemo
ID: 34434153
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
