Effect of enabling "Create a token object"

I am attempting to understand the vulnerabilities being created by enabling the policy "Create a token object" for all domain users. We are updating a home-grown app for use on Windows 7. The programmers have run into a problem running the app and their easy solution is to enable the "Create a token object" policy.

Here is our environment.
This change would apply to Windows 7 R2 workstations. These workstations have the usual desktop/control panel restrictions. We are using AppLocker to apply the whitelist. The AppLocker whitelist is a detailed list of each executable which can be run.

Before I tell the programmers yes or no, I want to better understand the risks involved.

Pber (Solutions Architect) commented:
It essentially grants the user with that right the ability to access ANY local resource on the computer that the user has been granted access to. It essentially gives them the ability to get full admin rights to any object on the computer without actually making them an admin. So if that user gets compromised by a hacker or a virus, that hacker or virus can instantly gain full control of that computer without having to attack a security vulnerability.


Personally I would investigate more what object the program is trying to access and maybe just grant more access to that object. Sometimes you can't get around granting that right. Since you are building the application internally, you may have the ability to make the program work without having to grant that right. We have a few commercial applications that require us to have that right and we had to do it, but understand the risk.
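A local audit check, added here as an example and not part of the thread: it exports the user-rights area of the local security policy with secedit.exe and reports which principals currently hold SeCreateTokenPrivilege (the constant behind "Create a token object"), flagging broad groups such as Authenticated Users or Domain Users. It assumes an elevated PowerShell session on the workstation; on a domain-joined machine the export reflects the rights applied by Group Policy.

```powershell
# Added example, not from the thread: audit who holds "Create a token object"
# (SeCreateTokenPrivilege) on this machine. Assumes an elevated session and
# that secedit.exe is available (it ships with Windows). Written to run on
# the PowerShell 2.0 that Windows 7 ships with.

function Get-CreateTokenPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    # Export only the user-rights assignments of the local security policy.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

    # The line is absent when nobody holds the right (the Windows default).
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeCreateTokenPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # Value is comma-separated; SIDs are prefixed with '*', names appear as-is.
    $value = ($line -split '=', 2)[1].Trim()
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = $entry.Substring(1)
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier $sid
                $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved SID>' }
        } else {
            $name = $entry
            $sid  = '<name only>'
        }
        # Everyone, Authenticated Users, BUILTIN\Users: effectively "all users".
        $broad = ('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545' -contains $sid) -or ($name -match 'Domain Users')
        New-Object PSObject -Property @{ Name = $name; Sid = $sid; BroadGroup = $broad }
    }
}

$holders = @(Get-CreateTokenPrivilegeHolders)
if ($holders.Count -eq 0) {
    'No principal holds SeCreateTokenPrivilege (the default; keep it that way).'
} else {
    $holders | Format-Table Name, Sid, BroadGroup -AutoSize
    if ($holders | Where-Object { $_.BroadGroup }) {
        'WARNING: the right is assigned to a broad group; any compromised user session on this host can build arbitrary tokens.'
    }
}
```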

epmmis (Author) commented:
This is very interesting.

Would you repost the TechNet URL? The link reports "Page Not Found".
Pber (Solutions Architect) commented:
Hmmm. The link works for me.
Try this link as well:
If that doesn't work, just go to http://www.technet.com and search for "Create token object".
epmmis (Author) commented: