D
darphboubou
Hi,
We have somme issue when we try to launch some published application from a domain A with an account from domain B.
When the account is member of domain admin (Domain B) and he try to launch application a pop up appeared.
For information the application is installed on 2016 Server with no applocker setted or stuff like that.
If we check on the security event log on server (domain A) where the application is installed we find this.
%%1938 = TokenElevationTypeLimited (3)
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
if we remove the user from domain admin group we obtain this.
%%1936 = TokenElevationTypeDefault (1)
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
To resume:
when the user (domain admin in domain B) launch the published application (domain A) the elevation seems to be forbidden
and when we removed the user from the domain admin group then the elevation works fine. And we can works with the published application.
We don't understand why, could you help us?
Regards
Continue reading...
We have somme issue when we try to launch some published application from a domain A with an account from domain B.
When the account is member of domain admin (Domain B) and he try to launch application a pop up appeared.
For information the application is installed on 2016 Server with no applocker setted or stuff like that.
If we check on the security event log on server (domain A) where the application is installed we find this.
%%1938 = TokenElevationTypeLimited (3)
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
if we remove the user from domain admin group we obtain this.
%%1936 = TokenElevationTypeDefault (1)
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
To resume:
when the user (domain admin in domain B) launch the published application (domain A) the elevation seems to be forbidden
and when we removed the user from the domain admin group then the elevation works fine. And we can works with the published application.
We don't understand why, could you help us?
Regards
Continue reading...