Solved

Windows Server 2012 OS Bug? SeCreateGlobalPrivilege works for all accounts except Administrator!

Posted on 2013-02-07
Last Modified: 2013-02-14
Update:
Wrote a quick test utility to both query the status of the SeCreateGlobalPrivilege and test the CreateFileMapping(..."Global\\mapname" ...).
Results:
Before adding 'Everyone' to User Rights Assignment - 'Create Global Objects':
     - non-admin account: Fails (as it should)
After adding 'Everyone' to User Rights Assignment - 'Create Global Objects':
     - non-admin account: Succeeds (as it should)
     - admin account, 'Run As Admin': Succeeds
     - admin account, just double-clicking: Fails!
     - admin account, Server 2008 R2, just double-clicking: Succeeds

Should not the admin account processes have the 'everyone' privileges? Is there somewhere I can specify user rights for the administrator when he doesn't use 'Run as admin'?


Original Body:
Hi, I'm updating a Server 2003 DLL (C++, Visual Studio 2005) to run under Windows 2012 (Visual Studio 2012). My call to 'CreateFileMapping' fails with GetLastError/FormatMessage returning 'Access Denied'.

I can't find 'SeCreateGlobalPrivilege', not sure where to look in 2012.  Under 'Local Security Policy - Local Policies - User Rights Assignment - ' I have added 'everyone' to the 'Create Global Objects' policy, not sure if that is the same thing.

This is a stand alone server, not running active directory, in a small private network with no connection to the outside world, so I'm not concerned about any security risk associated with this privilege.  

Multiple TS clients access the same file, so it does need to be global.

Any help would be greatly appreciated!


      #include <windows.h>

      // Posted fragment; the enclosing class is not shown.  Assumed from context:
      //   HANDLE m_hMapping; bool bExistFile; DWORD iSizeInBytes; const char *pszMapName;
      // String literals are narrow, so this is an ANSI (non-UNICODE) build.
      {// Attempt to create a new file map
            // Security descriptor with a present-but-NULL DACL: no access checks at all,
            // so any user in any session can open the section.  The "Global\" prefix in
            // pszMapName is what requires SeCreateGlobalPrivilege in the caller's token.
            SECURITY_DESCRIPTOR SecurityDescriptor;
            if (!InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
                  MessageBox(NULL,"2InitializeSecurityDescriptor failed",NULL,MB_OK);
            BOOL bDaclPresent=TRUE;
            PACL pDacl=NULL;            // NULL DACL = unrestricted access
            BOOL bDaclDefaulted=FALSE;
            if (!SetSecurityDescriptorDacl(&SecurityDescriptor, bDaclPresent, pDacl, bDaclDefaulted))
                  MessageBox(NULL,"2SetSecurityDescriptorDacl failed",NULL,MB_OK);

            SECURITY_ATTRIBUTES SecurityAttributes;
            SecurityAttributes.nLength=sizeof(SECURITY_ATTRIBUTES);
            SecurityAttributes.lpSecurityDescriptor=&SecurityDescriptor;  // must stay in scope for the call
            SecurityAttributes.bInheritHandle=TRUE;

            m_hMapping = CreateFileMapping(INVALID_HANDLE_VALUE,      // Indicates a memory file rather than a real disk file.
            &SecurityAttributes,          // Security attributes
            PAGE_READWRITE,// Data protection
            0,             // High 32-bits of size
            iSizeInBytes,      // Low 32-bits of size
            pszMapName);   // Map name of object, e.g. "Global\\mapname"
            if(m_hMapping)
            {// Got a handle.  CreateFileMapping also succeeds when the section already
             // existed (another TS session created it first); it then sets
             // ERROR_ALREADY_EXISTS, so read the error code to tell the two cases apart.
                  bExistFile = (GetLastError() == ERROR_ALREADY_EXISTS);
            }
            else
            {
                  DWORD err = GetLastError();   // capture before any other API call overwrites it
                  char MsgBuf[8192];
                  FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), MsgBuf, (DWORD)(sizeof(MsgBuf)), NULL);
                  MessageBox( NULL, MsgBuf, "2CreateFileMapping failed", MB_OK | MB_ICONINFORMATION );
            }
      }
Question by: dcShaver

Author Comment by: dcShaver, ID: 38865817
Note: The CreateFileMapping call works if I change the Map Name prefix from "Global" to "Local", so it does appear to be a privilege issue.  (Unfortunately I need it to be Global.)

Accepted Solution by: jiangsheng (earned 500 total points), ID: 38870152
This is the expected behavior: the first entry in the UAC filtered token is a deny-only BUILTIN\Administrators, which has the highest priority. You can inspect the effect using Process Explorer (switch to the Security tab of the process's property page).

You need to run the global-object-creating code under another process (e.g. an elevated process launched from your program, or a Windows service).

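A way to see the filtered token and reproduce the Local\ vs. Global\ results from the poster's table, as an added example that is not part of the original thread and not the poster's own test utility. It assumes PowerShell 3.0 or later on the affected server (Server 2012 ships it), the .NET MemoryMappedFile class (which calls CreateFileMapping with INVALID_HANDLE_VALUE, the same as the C++ above), and a made-up section name EE_TestMap. Run it once as a standard user, once as an admin from a plain (double-clicked) prompt, and once from a 'Run as administrator' prompt:

```powershell
# Added diagnostic for the accepted answer above; not the poster's test utility.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User: $($identity.Name)   Elevated (Administrators usable, not deny-only): $elevated"

# The UAC-filtered token lists BUILTIN\Administrators as "Group used for deny only"
# and whoami /priv shows whether SeCreateGlobalPrivilege survived the filtering,
# regardless of what 'Create Global Objects' says in Local Security Policy.
whoami /groups | Select-String 'BUILTIN\\Administrators'
whoami /priv   | Select-String 'SeCreateGlobalPrivilege'

# Same CreateFileMapping call the C++ code makes, once per namespace.
Add-Type -AssemblyName System.Core
$mapName = 'EE_TestMap'   # assumed name for the test section
$results = @{}
foreach ($ns in 'Local', 'Global') {
    $name = "$ns\$mapName"
    try {
        $mmf = [IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($name, 4096)
        $mmf.Dispose()
        $results[$ns] = 'Succeeds'
    } catch {
        # ERROR_ACCESS_DENIED from CreateFileMapping surfaces here as
        # UnauthorizedAccessException; expected for Global\ in the filtered token.
        $results[$ns] = "Fails: $($_.Exception.GetType().Name) - $($_.Exception.Message)"
    }
    "$name : $($results[$ns])"
}

# The fix from the accepted answer: do the Global\ creation in an elevated process.
# Relaunch this script through the UAC prompt and compare the Global\ line.
if (-not $elevated -and $results['Global'] -like 'Fails*') {
    "Relaunching elevated so the Global\ section can be created..."
    Start-Process powershell.exe -Verb RunAs -ArgumentList "-NoExit -File `"$PSCommandPath`""
}
```

Two things worth keeping in mind when reading the output: granting 'Create Global Objects' to Everyone lets any user on the host create (or pre-create) names in the Global\ namespace, and the NULL DACL in the posted C++ then leaves such a section readable and writable from every session; a service or an elevated helper process that creates the section once, with a real DACL, avoids both the privilege grant and the double-click failure.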
Author Closing Comment by: dcShaver, ID: 38890414
Thank you for the explanation.