Solved

Windows Server 2012 OS Bug? SeCreateGlobalPrivilege works for all accounts except Administrator!

Posted on 2013-02-07
Last Modified: 2013-02-14
Update:
Wrote a quick test utility to both query the status of the SeCreateGlobalPrivilege and test the CreateFileMapping(..."Global\\mapname" ...).
Results:
Before adding 'Everyone' to User Rights Assignment - 'Create Global Objects':
     - non-admin account: Fails (as it should)
After adding 'Everyone' to User Rights Assignment - 'Create Global Objects':
     - non-admin account: Succeeds (as it should)
     - admin account, 'Run As Admin': Succeeds
     - admin account, just double clicking: Fails!
     - admin account, Server 2008 R2, just double clicking: Succeeds

Should not the admin account processes have the 'everyone' privileges? Is there somewhere I can specify user rights for the administrator when he doesn't use 'Run as admin'?


Original Body:
Hi, I'm updating a Server 2003 DLL (C++, Visual Studio 2005) to run under Windows 2012 (Visual Studio 2012). My call to 'CreateFileMapping' fails with GetLastError/FormatMessage returning 'Access Denied'.

I can't find 'SeCreateGlobalPrivilege', not sure where to look in 2012.  Under 'Local Security Policy - Local Policies - User Rights Assignment - ' I have added 'everyone' to the 'Create Global Objects' policy, not sure if that is the same thing.

This is a standalone server, not running Active Directory, in a small private network with no connection to the outside world, so I'm not concerned about any security risk associated with this privilege.

Multiple TS clients access the same file, so it does need to be global.

Any help would be greatly appreciated!


      {// Attempt to create a new file map
            SECURITY_DESCRIPTOR SecurityDescriptor;
            if (!InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
                  MessageBox(NULL, "2InitializeSecurityDescriptor failed", NULL, MB_OK);

            // DACL present but NULL: the descriptor grants every account full access to the object.
            BOOL bDaclPresent = TRUE;
            PACL pDacl = NULL;
            BOOL bDaclDefaulted = FALSE;
            if (!SetSecurityDescriptorDacl(&SecurityDescriptor, bDaclPresent, pDacl, bDaclDefaulted))
                  MessageBox(NULL, "2SetSecurityDescriptorDacl failed", NULL, MB_OK);

            SECURITY_ATTRIBUTES SecurityAttributes;
            SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
            SecurityAttributes.lpSecurityDescriptor = &SecurityDescriptor;
            SecurityAttributes.bInheritHandle = TRUE;

            m_hMapping = CreateFileMapping(INVALID_HANDLE_VALUE, // Indicates a memory file rather than a real disk file.
                  &SecurityAttributes, // Security attributes
                  PAGE_READWRITE,      // Data protection
                  0,                   // High 32-bits of size
                  iSizeInBytes,        // Low 32-bits of size
                  pszMapName);         // Map name of object
            if (m_hMapping)
            {// Successfully Created New File
                  bExistFile = false;
            }
            else
            {
                  DWORD err = GetLastError();
                  char MsgBuf[8192] = ""; // Stays an empty string if FormatMessage itself fails
                  FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), MsgBuf, (DWORD)(sizeof(MsgBuf)), NULL);
                  MessageBox(NULL, MsgBuf, "2CreateFileMapping failed", MB_OK | MB_ICONINFORMATION);
            }
      }
Question by:dcShaver

Author Comment

by:dcShaver
ID: 38865817
Note: The CreateFileMapping call works if I change the Map Name prefix from "Global" to "Local", so it does appear to be a privilege issue.  (Unfortunately I need it to be Global.)

Accepted Solution

by:
jiangsheng earned 500 total points
ID: 38870152
This is the expected behavior: the first entry in the UAC filtered token is deny builtin\administrators, which has the highest priority. You can inspect the effect using Process Explorer (switch to the security tab of the process's property page).

You need to run the global object creating code under another process (e.g. an elevated process launched from your program or a Windows service).
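The token difference described in the accepted answer can also be checked from a console with the built-in whoami.exe. The script below is an added example, not code from the thread; the function name Get-GlobalObjectTokenState is hypothetical, and the text matches on the Attributes and State columns assume English-language whoami output.

```powershell
# Added example, not from the original thread.
# Run it once from a normal console and once from "Run as administrator",
# then compare the two results for the same admin account.

function Get-GlobalObjectTokenState {
    # whoami.exe reports the groups and privileges of the calling process token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admin = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $priv  = $privs | Where-Object { $_.'Privilege Name' -eq 'SeCreateGlobalPrivilege' }

    [pscustomobject]@{
        AdministratorsInToken  = [bool]$admin
        # In a UAC filtered token the group is kept, but only for deny checks.
        AdministratorsDenyOnly = [bool]($admin -and $admin.Attributes -match 'deny only')
        CreateGlobalInToken    = [bool]$priv
        CreateGlobalState      = if ($priv) { $priv.State } else { 'not in token' }
    }
}

$state = Get-GlobalObjectTokenState
$state | Format-List

if ($state.AdministratorsDenyOnly) {
    'This process runs with a filtered (non-elevated) administrator token.'
}
if (-not $state.CreateGlobalInToken) {
    # Outside session 0, creating a new Global\ mapping needs this privilege.
    'SeCreateGlobalPrivilege is missing from this token: CreateFileMapping on a new Global\ name from a Terminal Services session should return Access Denied.'
}
```

Process Explorer's Security tab, mentioned in the answer, shows the same group flags and privilege list for any running process rather than only the current console.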

Author Closing Comment

by:dcShaver
ID: 38890414
Thank you for the explanation.