<div>
This is very interesting.<br />
<br />
Would you repost the technet URL? &nbsp;It link reports &quot;Page &nbsp;Not Found&quot;.
</div>


This is very interesting.

Would you repost the technet URL?  It link reports "Page  Not Found".

<div>
Hmmm. The link works for me. &nbsp;<br />
Try this link as well:<br />
<a href="http://technet.microsoft.com/en-us/library/dd349804(WS.10).aspx#BKMK_13" rel="ugc">http://technet.microsoft.com/en-us/library/dd349804(WS.10).aspx#BKMK_13</a><br />
&nbsp;If that doesn't work, just go to <a href="http://www.technet.com" rel="ugc">http://www.technet.com</a>&nbsp;and search for &quot;Create token object&quot;
</div>


Hmmm. The link works for me.  
Try this link as well:
http://technet.microsoft.com/en-us/library/dd349804(WS.10).aspx#BKMK_13 [http://technet.microsoft.com/en-us/library/dd349804(WS.10).aspx#BKMK_13]
 If that doesn't work, just go to http://www.technet.com [http://www.technet.com] and search for "Create token object"

<div>
<div class="content wysiwyg-content">
I am attempting to understand the vulnerablities being created by enabling the policy &quot;Create a token object&quot; for all domain users. &nbsp;We are updating a home grown app for use on Windows 7. &nbsp;The programmers have run into a problem running the app and their easy solution is to enable &quot;Create a token object&quot; policy.<br />
<br />
Here is our environment.<br />
This change would apply to Windows 7 R2 workstations. These workstations have the ususal desktop/control panel restrictions. &nbsp;We are using Applocker to apply the white list. The App locker white list is a detailed list of each executable which can be run.<br />
<br />
Before I tell the programmers yes or no, I want to better understand the risks involved. &nbsp;<br />
<br />

</div>
</div>


I am attempting to understand the vulnerablities being created by enabling the policy "Create a token object" for all domain users.  We are updating a home grown app for use on Windows 7.  The programmers have run into a problem running the app and their easy solution is to enable "Create a token object" policy.

Here is our environment.
This change would apply to Windows 7 R2 workstations. These workstations have the ususal desktop/control panel restrictions.  We are using Applocker to apply the white list. The App locker white list is a detailed list of each executable which can be run.

Before I tell the programmers yes or no, I want to better understand the risks involved.  



Effect of enabling &quot;Create a token object&quot;

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows 7 is an operating system from Microsoft. Features include multi-touch support, a redesigned Windows Shell with a new taskbar, referred to as the Superbar, a home networking system called HomeGroup, and performance improvements.

Windows 7

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Effect of enabling &quot;Create a token object&quot;

Effect of enabling "Create a token object"