I am attempting to understand the vulnerabilities being created by enabling the policy "Create a token object" for all domain users. We are updating a home-grown app for use on Windows 7. The programmers have run into a problem running the app, and their easy solution is to enable the "Create a token object" policy.
Here is our environment.
This change would apply to Windows 7 R2 workstations. These workstations have the usual desktop/control panel restrictions. We are using AppLocker to apply the whitelist. The AppLocker whitelist is a detailed list of each executable which can be run.
Before I tell the programmers yes or no, I want to better understand the risks involved.
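One check worth running before deciding is to see who currently holds the "Create a token object" right (the user right `SeCreateTokenPrivilege`) in the effective local policy on a workstation. The script below is an added example, not code from the original post; it assumes it runs in an elevated PowerShell session on the workstation, and the export path under `$env:TEMP` is an assumption. It exports the user-rights area with `secedit`, reads the `SeCreateTokenPrivilege` line from the `[Privilege Rights]` section, and resolves each SID to an account name so the result can be compared against what the programmers are asking for.

```powershell
# Added example (not from the original post): audit which principals hold
# "Create a token object" (SeCreateTokenPrivilege) in the effective local policy.
# Assumes an elevated session on the workstation; the export path is an assumption.
$exportPath = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# secedit writes a UTF-16 INF file; pull the line for this privilege, if present.
$line = Get-Content -Path $exportPath -Encoding Unicode |
    Where-Object { $_ -match '^SeCreateTokenPrivilege\s*=' }

if (-not $line) {
    # Absent line means the right is assigned to nobody, which is the default.
    "SeCreateTokenPrivilege is assigned to no one (default)."
} else {
    # Right-hand side is a comma-separated list of *SID entries (or names).
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sidValue = $entry.Substring(1)
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidValue)
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            "{0}  {1}" -f $sidValue, $name
        } else {
            $entry
        }
    }
}

Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
```

Run it on a workstation before and after the proposed change: if `Domain Users` (or `Everyone`/`Authenticated Users`) appears in the output, every interactive user's logon token will carry the right, which `whoami /priv` on that user's session will also show. Note that AppLocker controls which executables may start, not which privileges a started process's token carries.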