Solved

Server Permissions

Posted on 2016-09-16
8
39 Views
Last Modified: 2016-09-24
Which server permissions allow/deny running files like "openfiles.exe" or "Get-WMIObject"

I am a domain admin and even tried adding myself as a local administrator on the server itself, neither makes a difference, I just get an "Error: Access is Denied".  One server is Server2008 R2 and the other is a Server2012 R2

Thanks
0
Comment
Question by:mickfinley
  • 4
  • 2
  • 2
8 Comments
 
LVL 6

Author Comment

by:mickfinley
ID: 41802162
Ok, I discovered it does execute if I choose "run as administrator"...but why, this is only on a couple of servers, not all of them, what would be different for one Server2008 R2 to require ir, but not another Server2008 R2?
0
 
LVL 6

Accepted Solution

by:
mickfinley earned 0 total points
ID: 41802208
I think I have found it.  Within 'Local Security Policy'>Security Options, there is a policy enabled called 'User Account Control: Run all administrators in Admin Approval mode' ...I can't restart the server yet to know for sure, but it sounds promising and is set different than my other servers
0
 
LVL 76

Expert Comment

by:arnold
ID: 41802641
Once local security policy is changed, the effect should be immediate.  The restrictions implemented for the UAC and similar in 2008 and newer is to avoid compromises that existing in the prior version to shield the system from compromises.

It sounds that on this server, your UAC prompt is disabled, while on the others with this setting still in place, you get prompted when an elevated access is needed that is not present on this one.  Check the control panel and UAC settings to make sure you get prompted in the event rights elevation is required to perform a task.

Think long and hard on whether you want to weaken the "security mechanism" on your system.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 41802666
Agreed there... leave us on if possible!

When you run on a pc or server with us turned on as an admin then you get the rights associated with none admin groups.  e.g. if you try and amend files in a direction and domain users have read and domain administrator have modify rights then unless you run as admin you get the read access associated with normal users group.

Much more to it than that but helps protect your systems and data when you use admin accounts - e.g. if you are using a domain admin accounts on your workstation to login ..
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 6

Author Comment

by:mickfinley
ID: 41805368
UAC on windows is very much like root on linux.  It's just annoying, but since I have found the workaround and know why it's doing it, that was all I needed.  Asking a question sometimes, makes a person think a bit more and I had it figured out very quick right after posting this...thanks for the replies all and maybe it'll help someone else in the future.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 41805379
Really would suggest leaving UAC enabled, all you have to do is start the script or batch file with right click, run as administrator when needed.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41805569
Just be forewarned, the changes you made you may regret. Check the other systems in the same way to see whether they too have the "solution" you implemented on this system.
0
 
LVL 6

Author Closing Comment

by:mickfinley
ID: 41813607
I posted my own solution.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now