Solved

Windows Server 2012 OS Bug?  SeCreateGlobalPrivilege works for all accounts except Administrator!

Posted on 2013-02-07
3
2,032 Views
Last Modified: 2013-02-14
Update:
Wrote a quick test utility to both query the status of the SeCreateGlobalPrivilege and test the CreateFileMapping(..."Global\\mapname" ...).
Results:
Before adding 'Everyone' to User Rights Assignment -'Create Global Objects'
     -non-admin account: Fails (as it should)
After adding 'Everyone' to - User Rights Assignment -'Create Global Objects'
     -non-admin account: Succeeds (as it should)
     -admin account 'Run As Admin' -> Succeeds
     -admin account, just double clicking: Fails!
     -admin account, Server 2008 R2, just double clicking: Succeeds

Should not the admin account processes have the 'everyone' privileges? Is there somewhere I can specify user rights for the administrator when he doesn't use 'Run as admin'?


Original Body:
Hi, I'm updating a Server 2003 dll (c++, visual studio 2005) to run under Windows 2012 (Visual studio 2012).  My call to 'CreateFileMapping' fails with GetLastError/FormatMessage returning 'Access Denied'.  

I can't find 'SeCreateGlobalPrivilege', not sure where to look in 2012.  Under 'Local Security Policy - Local Policies - User Rights Assignment - ' I have added 'everyone' to the 'Create Global Objects' policy, not sure if that is the same thing.

This is a stand alone server, not running active directory, in a small private network with no connection to the outside world, so I'm not concerned about any security risk associated with this privilege.  

Multiple TS clients access the same file, so it does need to be global.

Any help would be greatly appreciated!


      {// Attempt to create a new file map
            SECURITY_DESCRIPTOR SecurityDescriptor;
            if (!InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
                  MessageBox(NULL,"2InitializeSecurityDescriptor failed",NULL,MB_OK);
            BOOL bDaclPresent=TRUE;
            PACL pDacl=NULL;
            BOOL bDaclDefaulted=FALSE;
            if (!SetSecurityDescriptorDacl(&SecurityDescriptor, bDaclPresent, pDacl, bDaclDefaulted))
                  MessageBox(NULL,"2SetSecurityDescriptorDacl failed",NULL,MB_OK);

            SECURITY_ATTRIBUTES SecurityAttributes;
            SecurityAttributes.nLength=sizeof(SECURITY_ATTRIBUTES);
            SecurityAttributes.lpSecurityDescriptor=&SecurityDescriptor;
            SecurityAttributes.bInheritHandle=TRUE;

            m_hMapping = CreateFileMapping(INVALID_HANDLE_VALUE,      // Indicates a memory file rather than a real disk file.
            &SecurityAttributes,          // Security attributes
            PAGE_READWRITE,// Data protection
            0,             // High 32-bits of size
            iSizeInBytes,      // Low 32-bits of size
            pszMapName);   // Map name of object
            if(m_hMapping)        
            {// Successfully Created New File
                  bExistFile=false;
            }
            else
            {
                  DWORD err = GetLastError();
                  char MsgBuf[8192];
                  FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), MsgBuf, (DWORD)(sizeof(MsgBuf)), NULL);
                  MessageBox( NULL, MsgBuf, "2CreateFileMapping failed", MB_OK | MB_ICONINFORMATION );
            }
      }
0
Comment
Question by:dcShaver
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:dcShaver
ID: 38865817
Note: The CreateFileMapping call works if I change the Map Name prefix from "Global" to "Local", so it does appear to be a privilege issue.  (Unfortunately I need it to be Global.)
0
 
LVL 4

Accepted Solution

by:
jiangsheng earned 500 total points
ID: 38870152
This is the expected behavior, the first entry in the  UAC filtered token  is deny buildin\administrators which has the highest priority. You can inspect the effect using Process Explorer (switch to the security tab of the process's property page).

You need to run the global object creating code under another process (e.g. an elevated process launched from your program or a windows service)
0
 

Author Closing Comment

by:dcShaver
ID: 38890414
Thank you for the explanation.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A theme is a collection of property settings that allow you to define the look of pages and controls, and then apply the look consistently across pages in an application. Themes can be made up of a set of elements: skins, style sheets, images, and o…
Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question