Domain Account Does Not Receive Proper Se Privileges from Group Policies


Solution 1

This may be a known bug:

Windows Installer package that requires the SeBackupPrivilege user right fails in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2514642

Symptom

Consider the following scenario:

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You install a Windows Installer (.msi) package by using the Windows Installer service.
  • Some customer actions in the .msi package require the SeBackUpPrivilege user right.

In this scenario, the .msi package installation fails.

Note: This issue does not occur on a computer that is running Windows Server 2003, Windows XP, Windows Vista, or Windows Server 2008 and that has Windows Installer 4.5 installed.

Cause

This issue occurs because the Windows Installer service 5.0 does not have the SeBackupPrivilege user right in Windows 7 and in Windows Server 2008 R2.

Workaround

To work around this issue, run the following command at an elevated command prompt to set explicit permissions of the SeBackupPrivilege user right for the msiserver service:

sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege

Solution 2

I had the same process whoami /priv, causing me to question my own sanity (eventually I manually added the account via secpol.msc and still got "disabled", which made me understand GP isn't the issue).
I learnt that backup privileges aren't given by default to any process belonging to a user that has that privilege - processes have to ask for it using AdjPriv.
Did you try running:

If these samples can't get that privilege, it means something is wrong, and you should try disabling the GP and setting the privilege manually, to see if that solves it.
TLDR: Did you try to actually run the software and see it fail?
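
A way to tell apart the two situations this answer describes, as an added example that is not part of the original answer: it parses `whoami /priv /fo csv` output and separates privileges that are missing from the token from those that are held but disabled, which is the normal state until the program enables them. The sample output and the function names are constructed for illustration.

```python
import csv
import io

# Privileges the installer in the question asks for.
REQUIRED = ("SeBackupPrivilege", "SeDebugPrivilege", "SeSecurityPrivilege")

# Constructed sample of `whoami /priv /fo csv` output
# (not taken from the original post).
SAMPLE = '''"Privilege Name","Description","State"
"SeSecurityPrivilege","Manage auditing and security log","Disabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''


def token_privileges(whoami_csv):
    """Map privilege name -> state ('Enabled'/'Disabled') from the CSV text."""
    rows = csv.DictReader(io.StringIO(whoami_csv))
    return {r["Privilege Name"].strip(): r["State"].strip() for r in rows}


def diagnose(whoami_csv, required=REQUIRED):
    """Classify each required privilege as enabled, held-disabled or missing."""
    held = {n.lower(): s for n, s in token_privileges(whoami_csv).items()}
    report = {}
    for name in required:
        state = held.get(name.lower())
        if state is None:
            # Not in the token at all: the user-rights assignment has not
            # reached this logon session, or the prompt is not elevated.
            report[name] = "missing"
        elif state.lower() == "enabled":
            report[name] = "enabled"
        else:
            # Normal for a fresh token: the right is granted, and the program
            # itself must switch it on (AdjustTokenPrivileges).
            report[name] = "held-disabled"
    return report


if __name__ == "__main__":
    for priv, verdict in diagnose(SAMPLE).items():
        print(f"{priv:22} {verdict}")
```

A "held-disabled" result points away from Group Policy and toward the program itself, while "missing" points back to policy application, logon session, or elevation.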

Author by

user2104891

Updated on September 18, 2022

Comments

  • user2104891
    user2104891 over 1 year

    I am attempting to install software that requires SeBackupPrivilege, SeDebugPrivilege, and SeSecurityPrivilege, but I cannot seem to get my Domain Account to retrieve these specific privileges.

    I have changed the names for this example, but the user account's name is Teddy and it is located in the group Teddy-Group. This group has been assigned privileges via a group policy called Teddy-Base. This group policy is applied to an OU which contains the computer account for the machine on which I am attempting to install the software. Within this group policy, Teddy-Group is applied to Backup Files and Directories, Debug Programs, and Managing Auditing and Security Log, as requested by the installer.

    Upon running rsop.msc on the machine, I see the policy has been correctly applied, yet when I run whoami /priv I can see the privileges are not applied and the installer continues to fail.

    Not sure if I am just losing my mind and doing something wrong here, but I have done these operations numerous times and this is the first time I have had issues. Any ideas?

    Windows 2008 R2 SP1

    Result of gpresult /z

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001
    
    Created On 6/18/2014 at 11:08:58 AM
    
    
    
    RSOP data for 
    -------------------------------------------------
    
    OS Configuration:            Member Server
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               
    Connected over a slow link?: No
    
    
    COMPUTER SETTINGS
    ------------------
        Last time Group Policy was applied: 6/18/2014 at 10:39:08 AM
        Group Policy was applied from:      
        Group Policy slow link threshold:   500 kbps
        Domain Name:                       
        Domain Type:                        Windows 2000
    
        Applied Group Policy Objects
        -----------------------------
            Teddy-Base
            Default Domain Policy
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
        The computer is a part of the following security groups
        -------------------------------------------------------
            System Mandatory Level
            Everyone
            BUILTIN\Users
            NT AUTHORITY\SERVICE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            BITS
            CertPropSvc
            EapHost
            hkmsvc
            IKEEXT
            iphlpsvc
            LanmanServer
            MMCSS
            MSiSCSI
            RasAuto
            RasMan
            RemoteAccess
            Schedule
            SCPolicySvc
            SENS
            SessionEnv
            SharedAccess
            ShellHWDetection
            wercplsupport
            Winmgmt
            wuauserv
            LOCAL
            BUILTIN\Administrators
    
        Resultant Set Of Policies for Computer
        ---------------------------------------
    
            Software Installations
            ----------------------
                N/A
    
            Startup Scripts
            ---------------
                GPO: DNS_Registration
                    Name:         RegisterDNS.vbs
                    Parameters:   
                    LastExecuted: 2:39:16 PM
    
            Shutdown Scripts
            ----------------
                N/A
    
            Account Policies
            ----------------
    
    
            Audit Policy
            ------------
                N/A
    
            User Rights
            -----------
    
                GPO: Teddy-Base
                    Policy:            DebugPrivilege
                    Computer Setting:  domain\Teddy-Group
    
                GPO: Teddy-Base
                    Policy:            SecurityPrivilege
                    Computer Setting:  domain\Teddy-Group
    
                GPO: Teddy-Base
                    Policy:            ServiceLogonRight
                    Computer Setting:  domain\Teddy-Group
    
    
                GPO: Teddy-Base
                    Policy:            BackupPrivilege
                    Computer Setting:  domain\Teddy-Group
    
            Security Options
            ----------------
    
    
    
            Event Log Settings
            ------------------
    
            Restricted Groups
            -----------------
                GPO: DSP
                    Groupname: Backup Operators
    
    
            System Services
            ---------------
    
    
            Registry Settings
            -----------------
    
    
            File System Settings
            --------------------
    
    
            Public Key Policies
            -------------------
                N/A
    
            Administrative Templates
            ------------------------
                 "I have removed these from the output"
    
    
    USER SETTINGS
    --------------
    
        Last time Group Policy was applied: 6/18/2014 at 10:43:02 AM
        Group Policy was applied from:      
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        
        Domain Type:                        Windows 2000
    
    
    
        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Teddy-Group
            Denied RODC Password Replication Group
            High Mandatory Level
    
        The user has the following security privileges
        ----------------------------------------------
    
            Restore files and directories
            Change the system time
            Shut down the system
            Force shutdown from a remote system
            Take ownership of files or other objects
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Bypass traverse checking
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Enable computer and user accounts to be trusted for delegation
            Increase a process working set
            Back up files and directories
            Debug programs
            Manage auditing and security log
    
    • HopelessN00b
      HopelessN00b almost 10 years
      Have you logged out and logged in (with the Teddy account) yet? Permissions assigned by a group membership are tied to your account's access token, which is created at login.
    • user2104891
      user2104891 almost 10 years
      @HopelessN00b Yes, I have tirelessly done so...
    • HopelessN00b
      HopelessN00b almost 10 years
      On the machine in question (that you're trying to back up from), I assume. Run a gpresult /z on that machine to get more information about the Group Policy items being applied. Also, if you're trying to execute the backups remotely, say from your workstation, you will need to log off and log on again on the workstation to update that access token.
    • user2104891
      user2104891 almost 10 years
      @HopelessN00b When running gpresult /z, I can see that under the heading "The user has the following security privileges" the privileges mentioned above are listed. I also see that each Policy, SecurityPrivilege & BackupPrivilege, is listed as being applied, and the computer setting lists the group I expected.
    • HopelessN00b
      HopelessN00b almost 10 years
      Weird. Only other thing I've got at the moment is possibly running the software elevated.
    • user2104891
      user2104891 almost 10 years
      @HopelessN00b Yeah I tried that as well :-(