You should also note that almost any action that you think of as being 'administrators only' can be delegated to any security principal. That is the whole point of using an ACL instead of checking for a specific group (like builtin\administrators).
Windows has convenient ready-to-go functions to create and check ACLs, and usually you only need to specify which one you want and Windows does the rest.
From: Scott Noone
Sent: Tuesday, March 17, 2015 9:13 AM
To: Windows System Software Devs Interest List
Individual privileges can be assigned to any user; there is no privilege
that says “this is an admin”. That’s what the SIDs in the Token are for,
they indicate the user and member groups of the process’ creator. As Max
noted, SeTokenIsAdmin tells you if the Token contains the SID for the local
administrators group. You could also roll your own equivalent (or
additional) functionality by calling SeQueryInformationToken.
-scott
OSR
@OSRDrivers
wrote in message news:xxxxx@ntdev…
And if I want to use SeSinglePrivilegeCheck function is there any privilege
to determine whether it’s admin process or not? Or maybe I have to use e.g.
SE_TAKE_OWNERSHIP_PRIVILEGE?
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
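Added example, not part of the original thread and not OSR's code: a user-space C model of the "roll your own" check mentioned above, walking a token's group list (the kind of data a TokenGroups query returns) and looking for the local Administrators SID, S-1-5-32-544. The struct types, function names and sample group lists are constructed stand-ins so it builds without the WDK; the attribute flag values are the ones in the Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for SID / SID_AND_ATTRIBUTES (simplified: fixed-size
 * sub-authority array) so the example builds without the WDK. */
#define MAX_SUBAUTH 8
typedef struct {
    uint8_t  revision, sub_count;
    uint8_t  authority[6];
    uint32_t sub[MAX_SUBAUTH];
} model_sid;
typedef struct { model_sid sid; uint32_t attributes; } model_group;

/* Group attribute flags, values as in the Windows headers. */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

#define SID_EVERYONE {1, 1, {0,0,0,0,0,1}, {0}}        /* S-1-1-0      */
#define SID_ADMINS   {1, 2, {0,0,0,0,0,5}, {32, 544}}  /* S-1-5-32-544 */
#define SID_USERS    {1, 2, {0,0,0,0,0,5}, {32, 545}}  /* S-1-5-32-545 */

static int sid_equal(const model_sid *a, const model_sid *b)
{
    if (a->revision != b->revision || a->sub_count != b->sub_count ||
        a->sub_count > MAX_SUBAUTH)
        return 0;
    return memcmp(a->authority, b->authority, sizeof a->authority) == 0 &&
           memcmp(a->sub, b->sub, a->sub_count * sizeof a->sub[0]) == 0;
}

/* Returns 1 only if the Administrators SID is present and enabled.
 * A deny-only entry (UAC-filtered token) never grants access. */
int groups_grant_admin(const model_group *groups, size_t count)
{
    static const model_sid admins = SID_ADMINS;
    for (size_t i = 0; i < count; i++) {
        if (!sid_equal(&groups[i].sid, &admins))
            continue;
        if (groups[i].attributes & SE_GROUP_USE_FOR_DENY_ONLY)
            return 0;
        return (groups[i].attributes & SE_GROUP_ENABLED) != 0;
    }
    return 0;
}

/* Constructed sample group lists (not captured from a real system). */
static const model_group ELEVATED[] = { {SID_EVERYONE, 0x7}, {SID_ADMINS, 0xF} };
static const model_group FILTERED[] = { {SID_EVERYONE, 0x7}, {SID_ADMINS, 0x10} };
static const model_group STANDARD[] = { {SID_EVERYONE, 0x7}, {SID_USERS, 0x7} };
```

The FILTERED list shows why a bare "is the SID in the token" comparison is not enough: the SID is present, but only for deny checks.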