Either way, the user ends up with Administrator privileges on the Terminal Server, and the underlying problem is a badly coded app.

The idea of separating out the GUI components, which then talk to a privileged service running in a separate window station, is probably the way to go, or using Process Monitor to see if ACLs can be tweaked to get the app to function.

Cheers
Ken

From: Eisenberg, Wayne [mailto:[EMAIL PROTECTED]]
Sent: Friday, 8 August 2008 1:45 PM
To: NT System Admin Issues
Subject: RE: Access token update

The way to have dynamic token updates is to use eDirectory. (waiting for slaps from other forum members...)

But seriously, this is the way MS decided to implement their security model. Group memberships and SIDs are only evaluated at logon time. AFAIK, it will not work any other way. The other directory service was designed with dynamic resolution in mind and is much more efficient that way. But I'm afraid we're stuck with this issue in an AD world. Some interesting workaround attempts have been suggested, but the underlying architecture is what it is.

________________________________
From: James Rankin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 07, 2008 11:55 AM
To: NT System Admin Issues
Subject: Re: Access token update

You appear to be right, just tried it and no joy. This is a real pain in the backside for me and is going to be one of those ways that end-users end up with administrative rights - in this case, not on their local machines, but on a terminal server. Unfortunately I can't see any way around it other than writing some sort of custom "admin wrapper" that lets a program execute like RunAs but without allowing any access to the password. If anyone else has any ideas or tips I'd be glad to hear them :-)

2008/8/7 Krishna Reddy <[EMAIL PROTECTED]>

I don't think so. I believe that local groups are evaluated at login.

Thanks,
Krishna Reddy
IT Manager
Nucomm, Inc.
________________________________
From: James Rankin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 07, 2008 9:44 AM
To: NT System Admin Issues
Subject: Re: Access token update

Thought about that, but they would have to have access to the admin password, which makes it kind of a non-starter.

Having said that, if a user is already a member of a group, if they are logged in, and you add their existing group to local Administrators, will they pick up admin rights without logging off?

2008/8/7 Ken Schaefer <[EMAIL PROTECTED]>

Runas?

Cheers
Ken

From: James Rankin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 7 August 2008 8:58 PM
To: NT System Admin Issues
Subject: Access token update

Is there any way to update a Windows user's access token without logging off? I have some really ancient export function that seems to require administrator rights to run successfully, but my users will receive a different desktop (i.e. without any of their applications) if they have to log out and back in when they are given elevated rights. My research seems to indicate that the answer to this is a resounding no, but I am hoping someone knows something I don't :-)

TIA,
JRR
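An added example, not from anyone in this thread: a PowerShell check an admin can run inside the user's session to confirm what the replies describe, that the group SIDs in a logon token are fixed at logon, so a user (or a group the user already holds) added to local Administrators after logon shows a mismatch between the token and the group until a fresh logon. It assumes PowerShell 5.1 or later for Get-LocalGroupMember and whoami.exe on the path.

```powershell
# Added example (not code from the thread). Compares the group SIDs that the
# current logon token carries with the current membership of the local
# Administrators group. A user (or one of their token groups) that was added
# to Administrators after logon shows up as NeedsRelogon = True.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember) and whoami.exe.

function Get-TokenGroups {
    # whoami reports the groups baked into the token at logon, with attributes.
    # CSV columns: "Group Name", "Type", "SID", "Attributes".
    whoami /groups /fo csv | ConvertFrom-Csv
}

function Test-AdminTokenState {
    $adminSid  = 'S-1-5-32-544'        # well-known SID of BUILTIN\Administrators
    $userName  = whoami                 # DOMAIN\user or COMPUTER\user
    $tokenRows = Get-TokenGroups
    $adminRow  = $tokenRows | Where-Object { $_.SID -eq $adminSid }

    # With UAC the filtered token still lists the admin SID, but marked
    # deny-only; it grants nothing until the process is elevated.
    $denyOnly  = [bool]($adminRow -and $adminRow.Attributes -match 'deny only')

    # Names the token represents right now: the user plus every token group.
    $tokenNames = @($userName) + @($tokenRows | ForEach-Object { $_.'Group Name' })

    # What the local SAM says at this moment (direct members only).
    $members = Get-LocalGroupMember -SID $adminSid | Select-Object -ExpandProperty Name

    # The thread's case: the user, or a group already in the token, was added
    # to Administrators after logon. Matching is by account name here.
    $inGroupNow = [bool]($members | Where-Object { $tokenNames -contains $_ })

    [pscustomobject]@{
        User          = $userName
        InGroupNow    = $inGroupNow
        AdminInToken  = [bool]$adminRow
        AdminDenyOnly = $denyOnly
        # True means the SAM grants admin but the token does not: only a new
        # logon (not a group refresh) rebuilds the token with the new SID.
        NeedsRelogon  = $inGroupNow -and -not [bool]$adminRow
    }
}

Test-AdminTokenState | Format-List
```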
