5

Given:

  • A VM running Windows 2008
  • I am logged on there using my domain account (SHUNRANET\markk)
  • I have added the "Create global objects" privilege to my domain account:
  • The VM is restarted (I know logout/logon is enough, but I had to restart)
  • I logon again using the same domain account. It seems still to have the privilege: enter image description here
  • I run some process and examine its Security properties using the Process Explorer. The account does not seem to have the privilege: enter image description here

This is not an idle curiousity. I have a real problem, that without this privilege the named pipe WCF binding works neither on Windows 2008 nor on Windows 7! Here is an interesting discussion on this matter - http://social.msdn.microsoft.com/forums/en-US/wcf/thread/b71cfd4d-3e7f-4d76-9561-1e6070414620.

Does anyone know how to make this work? Thanks.

EDIT

BTW, when I run the process elevated, everything is fine and the process explorer does display the privilege as expected:

enter image description here

But I do not want to run it elevated.

EDIT2

I equally welcome any solution. Be it configuration only or mixed with code.

EDIT3

I have posted the same question on MSDN forums and they have redirected me to this page - http://support.microsoft.com/default.aspx?scid=kb;EN-US;132958. I am yet to determine the relevance of it, but it looks promising.

Notice also that it is a completely coding solution that they propose, so whoever moved this post to the ServerFault - please reinstate it back in the StackOverflow.

mark
  • 691
  • 2
  • 14
  • 31
  • Please explain why the question should be closed. The solution can be programmatic, which fits perfectly with this site. – mark May 18 '11 at 08:30
  • I am sorry. I didn't get the impression the solution should be programmatic. I only saw the screenshots and thought it's a server configuration issue. But for someone who is into Windows security, it's probably obvious you ask about a programmatic solution, isn't it? – GrzegorzOledzki May 18 '11 at 08:32
  • @Ladislav - then by all means mark it as the answer :-). – mark May 18 '11 at 08:47
  • @Grzegorz - I am looking for all solutions. Both configuration and programmatic. And because a programmatic solution is very likely this question belongs here. Of course, configuration only solution is most welcome as well. – mark May 18 '11 at 08:49
  • You have to run elevated in order to enable certain privileges; there is no way around this. –  May 18 '11 at 11:41
  • This is not true. The NETWORK SERVICE account has this privilege enabled. Yet it never runs elevated. – mark May 18 '11 at 12:21
  • If you included some code, library references, or API references, it would make your question less likly to be flagged or down-voted. Lack of any programming references makes users view it as not programming. – this.josh May 18 '11 at 19:46
  • Accounts like NETWORK SERVICE get special treatment from the operating system. In the general case a normal (non-elevated) user account is never going to have those privileges present in its token. – Luke May 19 '11 at 21:52
  • Please make sure that you are member of domain admin group – Gaurav Singh May 24 '11 at 08:22
  • Please, explain why. – mark May 24 '11 at 08:30
  • 1
    @mark "Yet it never runs elevated." this is not true. NETWORK SERVICE does run elevated. that's the point of that account: it lets you run services on the local machine that require elevated rights and be a network server. – longneck Sep 14 '12 at 18:31

2 Answers2

1

If your NamedPipe WCF Service needs to be hosted in the Global objects to communicate between sessions I'd build it as a separate Windows Service and let the your other applications communicate with each other through the new Windows Service that will be hosting your NamedPipe WCF Service.

MDMarra
  • 100,183
  • 32
  • 195
  • 326
richsor
  • 11
  • 1
0

It because of a feature called UAC. Why don't you just turn it off? Then you won't need to run these tasks elevated, your account will just have this security permissions when you run the program normally.

See here for an article I found about UAC and problems it can have with certain programs. It is specifically ansering a problem about Explorer but the principle still applies and it explains how UAC works and possible work arounds. http://think-like-a-computer.com/2011/05/11/uac-access-denied-on-folders-for-administrators-windows-2008/

Mucker
  • 345
  • 2
  • 9