?
Solved

Windows Server 2012 OS Bug?  SeCreateGlobalPrivilege works for all accounts except Administrator!

Posted on 2013-02-07
3
Medium Priority
?
2,193 Views
Last Modified: 2013-02-14
Update:
Wrote a quick test utility to both query the status of the SeCreateGlobalPrivilege and test the CreateFileMapping(..."Global\\mapname" ...).
Results:
Before adding 'Everyone' to User Rights Assignment -'Create Global Objects'
     -non-admin account: Fails (as it should)
After adding 'Everyone' to - User Rights Assignment -'Create Global Objects'
     -non-admin account: Succeeds (as it should)
     -admin account 'Run As Admin' -> Succeeds
     -admin account, just double clicking: Fails!
     -admin account, Server 2008 R2, just double clicking: Succeeds

Should not the admin account processes have the 'everyone' privileges? Is there somewhere I can specify user rights for the administrator when he doesn't use 'Run as admin'?


Original Body:
Hi, I'm updating a Server 2003 dll (c++, visual studio 2005) to run under Windows 2012 (Visual studio 2012).  My call to 'CreateFileMapping' fails with GetLastError/FormatMessage returning 'Access Denied'.  

I can't find 'SeCreateGlobalPrivilege', not sure where to look in 2012.  Under 'Local Security Policy - Local Policies - User Rights Assignment - ' I have added 'everyone' to the 'Create Global Objects' policy, not sure if that is the same thing.

This is a stand alone server, not running active directory, in a small private network with no connection to the outside world, so I'm not concerned about any security risk associated with this privilege.  

Multiple TS clients access the same file, so it does need to be global.

Any help would be greatly appreciated!


      {// Attempt to create a new file map
            SECURITY_DESCRIPTOR SecurityDescriptor;
            if (!InitializeSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
                  MessageBox(NULL,"2InitializeSecurityDescriptor failed",NULL,MB_OK);
            BOOL bDaclPresent=TRUE;
            PACL pDacl=NULL;
            BOOL bDaclDefaulted=FALSE;
            if (!SetSecurityDescriptorDacl(&SecurityDescriptor, bDaclPresent, pDacl, bDaclDefaulted))
                  MessageBox(NULL,"2SetSecurityDescriptorDacl failed",NULL,MB_OK);

            SECURITY_ATTRIBUTES SecurityAttributes;
            SecurityAttributes.nLength=sizeof(SECURITY_ATTRIBUTES);
            SecurityAttributes.lpSecurityDescriptor=&SecurityDescriptor;
            SecurityAttributes.bInheritHandle=TRUE;

            m_hMapping = CreateFileMapping(INVALID_HANDLE_VALUE,      // Indicates a memory file rather than a real disk file.
            &SecurityAttributes,          // Security attributes
            PAGE_READWRITE,// Data protection
            0,             // High 32-bits of size
            iSizeInBytes,      // Low 32-bits of size
            pszMapName);   // Map name of object
            if(m_hMapping)        
            {// Successfully Created New File
                  bExistFile=false;
            }
            else
            {
                  DWORD err = GetLastError();
                  char MsgBuf[8192];
                  FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), MsgBuf, (DWORD)(sizeof(MsgBuf)), NULL);
                  MessageBox( NULL, MsgBuf, "2CreateFileMapping failed", MB_OK | MB_ICONINFORMATION );
            }
      }
0
Comment
Question by:dcShaver
  • 2
3 Comments
 

Author Comment

by:dcShaver
ID: 38865817
Note: The CreateFileMapping call works if I change the Map Name prefix from "Global" to "Local", so it does appear to be a privilege issue.  (Unfortunately I need it to be Global.)
0
 
LVL 4

Accepted Solution

by:
jiangsheng earned 1500 total points
ID: 38870152
This is the expected behavior, the first entry in the  UAC filtered token  is deny buildin\administrators which has the highest priority. You can inspect the effect using Process Explorer (switch to the security tab of the process's property page).

You need to run the global object creating code under another process (e.g. an elevated process launched from your program or a windows service)
0
 

Author Closing Comment

by:dcShaver
ID: 38890414
Thank you for the explanation.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What my article will show is if you ever had to do processing to a listbox without being able to just select all the items in it. My software Visual Studio 2008 crystal report v11 My issue was I wanted to add crystal report to a form and show…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question