Domain Account Does Not Receive Proper Se Privileges from Group Policies
Solution 1
This may be a known bug:
Windows Installer package that requires the SeBackupPrivilege user right fails in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2514642
Symptom
Consider the following scenario:
- You have a computer that is running Windows 7 or Windows Server 2008 R2.
- You install a Windows Installer (.msi) package by using the Windows Installer service.
- Some customer actions in the .msi package require the SeBackUpPrivilege user right.
In this scenario, the .msi package installation fails.
Note: This issue does not occur on a computer that is running Windows Server 2003, Windows XP, Windows Vista, or Windows Server 2008 and that has Windows Installer 4.5 installed.
Cause
This issue occurs because the Windows Installer service 5.0 does not have the SeBackupPrivilege user right in Windows 7 and in Windows Server 2008 R2.
Workaround
To work around this issue, run the following command at an elevated command prompt to set explicit permissions of the SeBackupPrivilege user right for the msiserver service:
sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege
Solution 2
I had the same process whoami /priv, causing me to question my own sanity (eventually I manually added the account via secpol.msc and still got "disabled", which made me understand GP isn't the issue).
I learnt that backup privileges aren't given by default to any process belonging to a user that has that privilege - processes have to ask for it using AdjPriv.
Did you try running:
If these samples can't get that privilege, it means something is wrong, and you should try disabling the GP and setting the privilege manually, to see if that solves it.
TLDR: Did you try to actually run the software and see it fail?
Sources:
- Windows Dev Center - Privileges
- Windows Dev Center - AdjustTokenPrivileges function
- Windows Dev Center - Enabling and Disabling Privileges in C++
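To illustrate the distinction Solution 2 draws, the following added example (not code from the original answers) parses English `whoami /priv` output and separates privileges that are in the token but disabled from privileges that are absent from it. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of English `whoami /priv` output (not from the page).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeSecurityPrivilege           Manage auditing and security log     Disabled
SeBackupPrivilege             Back up files and directories        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

# One table row: privilege name, free-text description, state in the last column.
ROW = re.compile(r"^(Se[A-Za-z]+)\s+.*?\s+(Enabled|Disabled)$")

def parse_whoami_priv(text):
    """Return {privilege name: True if Enabled, False if Disabled}."""
    states = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            states[match.group(1)] = match.group(2) == "Enabled"
    return states

def classify(text, required):
    """Label each required privilege by what the token actually holds.
    held-but-disabled: the right is assigned and present in the token; the
        program itself must enable it (AdjustTokenPrivileges) when it runs.
    missing: the right is not in this token at all (not assigned, stale
        logon session, or a non-elevated filtered token).
    """
    states = parse_whoami_priv(text)
    result = {}
    for name in required:
        if name not in states:
            result[name] = "missing"
        elif states[name]:
            result[name] = "enabled"
        else:
            result[name] = "held-but-disabled"
    return result

if __name__ == "__main__":
    wanted = ["SeBackupPrivilege", "SeDebugPrivilege", "SeSecurityPrivilege"]
    for name, verdict in classify(SAMPLE_WHOAMI_PRIV, wanted).items():
        print(f"{name:24} {verdict}")
```

A "held-but-disabled" result means the user right assignment worked; only "missing" points back at policy, logon session or elevation.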
user2104891
Updated on September 18, 2022
Comments
-
user2104891 over 1 year
I am attempting to install software that requires SeBackupPrivilege, SeDebugPrivilege, and SeSecurityPrivilege but I cannot seem to get my Domain Account to retrieve these specific privileges.
I have changed the names for this example, but the user account's name is Teddy and is located in group Teddy-Group. This group has been assigned privileges via a group policy called Teddy-Base. This group policy is applied to an OU which contains the computer account for the machine in which I am attempting to install the software. Within this group policy Teddy-Group is applied to: Backup Files and Directories, Debug Programs and Managing Auditing and Security Log as requested by the installer.
Upon running rsop.msc on the machine, I see the policy has been correctly applied, yet when I run whoami /priv I can see the privileges are not applied and the installer continues to fail.
Not sure if I am just losing my mind and doing something wrong here, but I have done these operations numerous times and this is the first time I have had issues. Any ideas?
Windows 2008 R2 SP1
Result of gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 6/18/2014 at 11:08:58 AM

RSOP data for
-------------------------------------------------
OS Configuration: Member Server
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile:
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 6/18/2014 at 10:39:08 AM
    Group Policy was applied from:
    Group Policy slow link threshold: 500 kbps
    Domain Name:
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Teddy-Base
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering: Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        System Mandatory Level
        Everyone
        BUILTIN\Users
        NT AUTHORITY\SERVICE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        BITS
        CertPropSvc
        EapHost
        hkmsvc
        IKEEXT
        iphlpsvc
        LanmanServer
        MMCSS
        MSiSCSI
        RasAuto
        RasMan
        RemoteAccess
        Schedule
        SCPolicySvc
        SENS
        SessionEnv
        SharedAccess
        ShellHWDetection
        wercplsupport
        Winmgmt
        wuauserv
        LOCAL
        BUILTIN\Administrators

    Resultant Set Of Policies for Computer
    ---------------------------------------
        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            GPO: DNS_Registration
                Name: RegisterDNS.vbs
                Parameters:
                LastExecuted: 2:39:16 PM

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            GPO: Teddy-Base
                Policy: DebugPrivilege
                Computer Setting: domain\Teddy-Group

            GPO: Teddy-Base
                Policy: SecurityPrivilege
                Computer Setting: domain\Teddy-Group

            GPO: Teddy-Base
                Policy: ServiceLogonRight
                Computer Setting: domain\Teddy-Group

            GPO: Teddy-Base
                Policy: BackupPrivilege
                Computer Setting: domain\Teddy-Group

        Security Options
        ----------------

        Event Log Settings
        ------------------

        Restricted Groups
        -----------------
            GPO: DSP
                Groupname: Backup Operators

        System Services
        ---------------

        Registry Settings
        -----------------

        File System Settings
        --------------------

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            "I have removed these from the output"

USER SETTINGS
--------------
    Last time Group Policy was applied: 6/18/2014 at 10:43:02 AM
    Group Policy was applied from:
    Group Policy slow link threshold: 500 kbps
    Domain Name:
    Domain Type: Windows 2000

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Teddy-Group
        Denied RODC Password Replication Group
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Bypass traverse checking
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Enable computer and user accounts to be trusted for delegation
        Increase a process working set
        Back up files and directories
        Debug programs
        Manage auditing and security log
-
HopelessN00b almost 10 years
Have you logged out and logged in (with the Teddy account) yet? Permissions assigned by a group membership are tied to your account's access token, which is created at login.
-
user2104891 almost 10 years
@HopelessN00b Yes, I have tirelessly done so...
-
HopelessN00b almost 10 years
On the machine in question (that you're trying to backup from), I assume. Run a gpresult /z on that machine to get more information about the Group Policy items being applied. Also, if you're trying to execute the backups remotely, say from your workstation, you will need to log off and log on again on the workstation to update that access token.
-
user2104891 almost 10 years
@HopelessN00b When running gpresult /z I can see under the heading The user has the following Security Privileges the privileges mentioned above are listed. I also see that each Policy SecurityPrivilege & Backup Privilege are listed as being applied and the computer setting lists the group I expected.
-
HopelessN00b almost 10 years
Weird. Only other thing I've got at the moment is possibly running the software elevated.
-
user2104891 almost 10 years
@HopelessN00b Yeah I tried that as well :-(