我正在尝试安装需要SeBackupPrivilege , SeDebugPrivilege和SeSecurityPrivilege软件,但似乎无法让我的域帐户检索这些特定的权限。
我已经更改了这个例子的名字,但是用户帐户名是Teddy ,位于Teddy-Group 。 这个组已经通过名为Teddy-Base的组策略被分配了权限。 此组策略应用于包含我试图安装软件的计算机的计算机帐户的OU。 在此组策略中, Teddy-Group应用于: Backup Files and Directories Debug Programs以及安装程序所要求的Managing Auditing and Security Log 。
在机器上运行rsop.msc ,我看到策略已被正确应用,但是当我运行whoami /priv我可以看到没有应用权限,安装程序继续失败。
不知道我是否在这里失去了自己的想法和做错的事情,但是我做了很多次这些操作,这是我第一次遇到问题。 有任何想法吗?
Windows 2008 R2 SP1
gpresult /z结果
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001 Created On 6/18/2014 at 11:08:58 AM RSOP data for ------------------------------------------------- OS Configuration: Member Server OS Version: 6.1.7601 Site Name: Default-First-Site-Name Roaming Profile: N/A Local Profile: Connected over a slow link?: No COMPUTER SETTINGS ------------------ Last time Group Policy was applied: 6/18/2014 at 10:39:08 AM Group Policy was applied from: Group Policy slow link threshold: 500 kbps Domain Name: Domain Type: Windows 2000 Applied Group Policy Objects ----------------------------- Teddy-Base Default Domain Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The computer is a part of the following security groups ------------------------------------------------------- System Mandatory Level Everyone BUILTIN\Users NT AUTHORITY\SERVICE CONSOLE LOGON NT AUTHORITY\Authenticated Users This Organization BITS CertPropSvc EapHost hkmsvc IKEEXT iphlpsvc LanmanServer MMCSS MSiSCSI RasAuto RasMan RemoteAccess Schedule SCPolicySvc SENS SessionEnv SharedAccess ShellHWDetection wercplsupport Winmgmt wuauserv LOCAL BUILTIN\Administrators Resultant Set Of Policies for Computer --------------------------------------- Software Installations ---------------------- N/A Startup Scripts --------------- GPO: DNS_Registration Name: RegisterDNS.vbs Parameters: LastExecuted: 2:39:16 PM Shutdown Scripts ---------------- N/A Account Policies ---------------- Audit Policy ------------ N/A User Rights ----------- GPO: Teddy-Base Policy: DebugPrivilege Computer Setting: domain\Teddy-Group GPO: Teddy-Base Policy: SecurityPrivilege Computer Setting: domain\Teddy-Group GPO: Teddy-Base Policy: ServiceLogonRight Computer Setting: domain\Teddy-Group GPO: Teddy-Base Policy: BackupPrivilege Computer Setting: domain\Teddy-Group Security Options ---------------- Event Log Settings ------------------ Restricted Groups ----------------- GPO: DSP Groupname: Backup Operators System Services --------------- Registry Settings ----------------- File System Settings -------------------- Public Key Policies ------------------- N/A Administrative Templates ------------------------ "I have removed these from the output" USER SETTINGS -------------- Last time Group Policy was applied: 6/18/2014 at 10:43:02 AM Group Policy was applied from: Group Policy slow link threshold: 500 kbps Domain Name: Domain Type: Windows 2000 The user is a part of the following security groups --------------------------------------------------- Domain Users Everyone BUILTIN\Users BUILTIN\Administrators NT AUTHORITY\INTERACTIVE CONSOLE LOGON NT AUTHORITY\Authenticated Users This Organization LOCAL Domain Admins Teddy-Group Denied RODC Password Replication Group High Mandatory Level The user has the following security privileges ---------------------------------------------- Restore files and directories Change the system time Shut down the system Force shutdown from a remote system Take ownership of files or other objects Modify firmware environment values Profile system performance Profile single process Increase scheduling priority Load and unload device drivers Create a pagefile Adjust memory quotas for a process Bypass traverse checking Remove computer from docking station Perform volume maintenance tasks Impersonate a client after authentication Create global objects Change the time zone Create symbolic links Enable computer and user accounts to be trusted for delegation Increase a process working set Back up files and directories Debug programs Manage auditing and security log
这可能是一个已知的错误:
需要SeBackupPrivilege用户权限的Windows Installer程序包在Windows 7或Windows Server 2008 R2中失败
http://support.microsoft.com/kb/2514642
症状
考虑以下情况:
在这种情况下.msi程序包安装失败。
注意:运行Windows Server 2003,Windows XP,Windows Vista或Windows Server 2008并且安装了Windows Installer 4.5的计算机上不会发生此问题。
原因
出现此问题的原因是Windows Installer服务5.0在Windows 7和Windows Server 2008 R2中没有SeBackupPrivilege用户权限。
解决方法
要解决此问题,请在提升的命令提示符处运行以下命令,以便为msiserver服务设置SeBackupPrivilege用户权限:
sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege
我有相同的进程whoami /priv ,使我质疑自己的理智(最终我手动通过secpol.msc添加帐户,仍然“禁用”,这让我明白GP不是问题)。
我了解到,默认情况下,备份权限不属于具有该权限的用户的任何进程 – 进程必须使用AdjPriv进行AdjPriv 。
你尝试过吗?
如果这些样本不能获得这个特权,那就意味着什么是错误的,您应该尝试禁用GP并手动设置privillege,看看是否能解决这个问题。
TLDR :你是否试图真正运行这个软件,看看它失败了?
来源: