0
I'm looking for a nuts and bolts answer to this, so if that means digging in to SDDL (or whatever...I want to SEE the "token"), I'm ok with that.
UAC policy settings have two consent behavior options:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode User Account Control: Behavior of the elevation prompt for standard users
How can I tell (while logged in as the user) if a user account is currently assigned an admin token so that it is not considered a standard user account or if it's an admin not in admin approval mode?
I did find the whoami /all command, but I don't think this is helping. Unless, I can use the SeImpersonatePrivilege to tell me this. I'm not sure if having this privilege is related to being an admin in admin approval mode or not. I did see this when running the command under a command prompt that was executed as administrator and using a domain account with local admin rights. The same account does not have this privilege when launching a command window only as that user. – lightwing – 2017-01-11T15:30:24.033
Just verify which usergroup they are in. – Ramhound – 2017-01-11T15:47:48.157
But that doesn't tell me if it currently has the full administrator token in the case where the account is an admin and UAC is on. I think I just found my answer though... https://blogs.msdn.microsoft.com/sqlupdates/2015/05/20/understanding-user-account-control-uac-a-brief-summary/
– lightwing – 2017-01-11T16:13:01.577@lightwing It'd be nice to see your answer posted here. – Clijsters – 2017-01-11T18:44:32.847
@Clijsters soon as I have one. There's some stuff I found about certain security event log entries, but I can't find them on my devices (eventid 4688 and 4689), despite clearly entering my creds to gain the elevated token. The link I shared above, I tweaked the powershell script to get it to work, but it's not returning any data. I think the answer does lie somewhere within the event log, just haven't found it yet. – lightwing – 2017-01-11T19:25:51.967
Tested it with
Get-EventLog -LogName Security | Where-Object InstanceId -EQ 4688
and it returned events. Keep in mind thatMessage
ist language dependend. eg. It would never work on my german machine... – Clijsters – 2017-01-12T11:02:53.437Good point. I discovered last night that you have to have Audit process tracking enabled (which we apparently don't), or you'll never see any 4688 or 4689 events. locally: secpol.msc security settings -> local policies -> audit policy -> Audit Process Tracking – lightwing – 2017-01-12T12:40:59.140