我正在尝试安装需要SeBackupPrivilege、SeDebugPrivilege和的软件SeSecurityPrivilege,但似乎无法让我的域帐户检索这些特定权限。
我已经更改了此示例的名称,但用户帐户名称为Teddy,位于 组中Teddy-Group。此组已通过名为 的组策略分配了权限Teddy-Base。此组策略应用于包含我尝试安装软件的计算机帐户的 OU。在此组内,策略Teddy-Group应用于:Backup Files and Directories Debug Programs和 ,Managing Auditing and Security Log如安装程序所请求的。
在机器上运行时rsop.msc,我看到策略已正确应用,但运行时whoami /priv我可以看到权限未应用,并且安装程序继续失败。
不确定我是不是疯了,做错了什么,但我已经多次进行过这些操作,这是我第一次遇到问题。有什么想法吗?
Windows 2008 R2 SP1
的结果gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001
Created On 6/18/2014 at 11:08:58 AM
RSOP data for
-------------------------------------------------
OS Configuration: Member Server OS Version:
6.1.7601 Site Name: Default-First-Site-Name Roaming Profile: N/A Local Profile: Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 6/18/2014 at 10:39:08 AM
Group Policy was applied from:
Group Policy slow link threshold: 500 kbps
Domain Name:
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Teddy-Base
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
System Mandatory Level
Everyone
BUILTIN\Users
NT AUTHORITY\SERVICE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
BITS
CertPropSvc
EapHost
hkmsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
MSiSCSI
RasAuto
RasMan
RemoteAccess
Schedule
SCPolicySvc
SENS
SessionEnv
SharedAccess
ShellHWDetection
wercplsupport
Winmgmt
wuauserv
LOCAL
BUILTIN\Administrators
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
GPO: DNS_Registration
Name: RegisterDNS.vbs
Parameters:
LastExecuted: 2:39:16 PM
Shutdown Scripts
----------------
N/A
Account Policies
----------------
Audit Policy
------------
N/A
User Rights
-----------
GPO: Teddy-Base
Policy: DebugPrivilege
Computer Setting: domain\Teddy-Group
GPO: Teddy-Base
Policy: SecurityPrivilege
Computer Setting: domain\Teddy-Group
GPO: Teddy-Base
Policy: ServiceLogonRight
Computer Setting: domain\Teddy-Group
GPO: Teddy-Base
Policy: BackupPrivilege
Computer Setting: domain\Teddy-Group
Security Options
----------------
Event Log Settings
------------------
Restricted Groups
-----------------
GPO: DSP
Groupname: Backup Operators
System Services
---------------
Registry Settings
-----------------
File System Settings
--------------------
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
"I have removed these from the output"
USER SETTINGS
--------------
Last time Group Policy was applied: 6/18/2014 at 10:43:02 AM
Group Policy was applied from:
Group Policy slow link threshold: 500 kbps
Domain Name:
Domain Type: Windows 2000
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Teddy-Group
Denied RODC Password Replication Group
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Bypass traverse checking
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Enable computer and user accounts to be trusted for delegation
Increase a process working set
Back up files and directories
Debug programs
Manage auditing and security log
答案1
这可能是一个已知的错误:
需要 SeBackupPrivilege 用户权限的 Windows 安装程序包在 Windows 7 或 Windows Server 2008 R2 中失败
http://support.microsoft.com/kb/2514642
症状
请考虑以下情形:
- 您有一台运行 Windows 7 或 Windows Server 2008 R2 的计算机。
- 使用 Windows Installer 服务安装 Windows Installer (.msi) 包。
- .msi 包中的某些客户操作需要 SeBackUpPrivilege 用户权限。
在这种情况下,.msi 包安装失败。
注意:运行 Windows Server 2003、Windows XP、Windows Vista 或 Windows Server 2008 且安装了 Windows Installer 4.5 的计算机上不会出现此问题。
原因
出现此问题的原因是,Windows Installer 服务 5.0 在 Windows 7 和 Windows Server 2008 R2 中没有 SeBackupPrivilege 用户权限。
解决方法
要解决此问题,请在提升的命令提示符下运行以下命令,为 msiserver 服务设置 SeBackupPrivilege 用户权限的明确权限:
sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege
答案2
我有相同的进程whoami /priv,这让我怀疑自己的理智(最终我通过 secpol.msc 手动添加了帐户,但仍然被“禁用”,这让我明白 GP 不是问题所在)。
我了解到,默认情况下不会向具有该权限的用户的任何进程授予备份权限 - 进程必须使用 来请求它AdjPriv。
您是否尝试运行:
如果这些样本无法获得该权限,则意味着出现了问题,您应该尝试禁用 GP 并手动设置权限,看看是否能解决问题。
结论:您是否尝试过实际运行该软件并发现它失败了?
` 资料来源: