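Domain account not getting the proper Se privileges from Group Policy

I am trying to install software that requires SeBackupPrivilege, SeDebugPrivilege, and SeSecurityPrivilege, but I can't seem to get my domain account to pick up these particular privileges. I have changed the names for this example, but the user account name is Teddy and it is in the group Teddy-Group. That group has been assigned the privileges through a Group Policy named Teddy-Base. This Group Policy is applied to the OU that contains the computer account of the machine I am trying to install the software on. The Group Policy gives Teddy-Group: Backup Files and Directories, Debug Programs, and Managing Auditing and Security Log, as required by the installer.

When I run rsop.msc on the machine, I see that the policy has been applied correctly, but when I run whoami /priv I can see that the privileges are not applied, and the installer continues to fail. Not sure whether I'm just losing my mind and doing something wrong here, but I have done this many times and this is the first time I've had a problem. Any ideas?

Windows 2008 R2 SP1

Results of gpresult /z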
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 6/18/2014 at 11:08:58 AM

RSOP data for
-------------------------------------------------
OS Configuration:            Member Server
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 6/18/2014 at 10:39:08 AM
    Group Policy was applied from:
    Group Policy slow link threshold:   500 kbps
    Domain Name:
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Teddy-Base
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        System Mandatory Level
        Everyone
        BUILTIN\Users
        NT AUTHORITY\SERVICE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        BITS
        CertPropSvc
        EapHost
        hkmsvc
        IKEEXT
        iphlpsvc
        LanmanServer
        MMCSS
        MSiSCSI
        RasAuto
        RasMan
        RemoteAccess
        Schedule
        SCPolicySvc
        SENS
        SessionEnv
        SharedAccess
        ShellHWDetection
        wercplsupport
        Winmgmt
        wuauserv
        LOCAL
        BUILTIN\Administrators

    Resultant Set Of Policies for Computer
    ---------------------------------------
        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            GPO: DNS_Registration
                Name:         RegisterDNS.vbs
                Parameters:
                LastExecuted: 2:39:16 PM

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            GPO: Teddy-Base
                Policy:            DebugPrivilege
                Computer Setting:  domain\Teddy-Group

            GPO: Teddy-Base
                Policy:            SecurityPrivilege
                Computer Setting:  domain\Teddy-Group

            GPO: Teddy-Base
                Policy:            ServiceLogonRight
                Computer Setting:  domain\Teddy-Group

            GPO: Teddy-Base
                Policy:            BackupPrivilege
                Computer Setting:  domain\Teddy-Group

        Security Options
        ----------------

        Event Log Settings
        ------------------

        Restricted Groups
        -----------------
            GPO: DSP
                Groupname: Backup Operators

        System Services
        ---------------

        Registry Settings
        -----------------

        File System Settings
        --------------------

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            "I have removed these from the output"

USER SETTINGS
--------------
    Last time Group Policy was applied: 6/18/2014 at 10:43:02 AM
    Group Policy was applied from:
    Group Policy slow link threshold:   500 kbps
    Domain Name:
    Domain Type:                        Windows 2000

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        Teddy-Group
        Denied RODC Password Replication Group
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Bypass traverse checking
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Enable computer and user accounts to be trusted for delegation
        Increase a process working set
        Back up files and directories
        Debug programs
        Manage auditing and security log
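
This may be a known bug:

A Windows Installer package that requires the SeBackupPrivilege user right fails in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2514642

Symptoms
Consider the following scenario:
- You have a computer that is running Windows 7 or Windows Server 2008 R2.
- You use the Windows Installer service to install a Windows Installer (.msi) package.
- Some custom actions in the .msi package require the SeBackUpPrivilege user right.
In this scenario, the .msi package installation fails.
Note: This issue does not occur on a computer that is running Windows Server 2003, Windows XP, Windows Vista, or Windows Server 2008 and that has Windows Installer 4.5 installed.

Cause
This issue occurs because the Windows Installer service 5.0 does not have the SeBackupPrivilege user right in Windows 7 and in Windows Server 2008 R2.

Workaround
To work around this issue, run the following command at an elevated command prompt to set explicit permissions for the SeBackupPrivilege user right for the msiserver service: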
sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege
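
A way to check both sides of this problem before and after applying the workaround, as an added example that is not part of the original post or the KB article: it reports, for each privilege the installer needs, whether it is in the current process token and whether it is in the msiserver service's required-privilege list. The function names are hypothetical; the script assumes the list set by sc privs is stored in the service's RequiredPrivileges registry value and sticks to PowerShell 2.0 syntax so it runs on Windows Server 2008 R2.

```powershell
# Added example (not from the original post). Run it from the same prompt
# the installer is started from, so the token inspected is the one it inherits.
$needed = 'SeBackupPrivilege', 'SeDebugPrivilege', 'SeSecurityPrivilege'

function Get-TokenPrivilege {
    # whoami /priv lists only privileges present in the token.
    # /nh drops the (localized) header so fixed column names can be supplied.
    whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State
}

function Get-ServiceRequiredPrivilege {
    param([string]$ServiceName = 'msiserver')
    # Assumption: the list written by "sc privs" lives in this REG_MULTI_SZ value.
    # If the value is missing, the service is not restricted to an explicit list.
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $prop = Get-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue
    if ($prop) { $prop.RequiredPrivileges } else { @() }
}

function Test-InstallerPrivilege {
    param(
        [string[]]$Privilege = $needed,
        [string]$ServiceName = 'msiserver'
    )
    $token = @(Get-TokenPrivilege)
    $svc   = @(Get-ServiceRequiredPrivilege -ServiceName $ServiceName)
    foreach ($name in $Privilege) {
        $hit   = $token | Where-Object { $_.Name -eq $name }
        $state = 'absent'
        if ($hit) { $state = $hit.State }
        New-Object PSObject -Property @{
            Privilege          = $name
            TokenState         = $state                 # Enabled / Disabled / absent
            ServiceHasList     = ($svc.Count -gt 0)     # explicit privilege list set?
            InServiceList      = ($svc -contains $name)
        } | Select-Object Privilege, TokenState, ServiceHasList, InServiceList
    }
}

Test-InstallerPrivilege | Format-Table -AutoSize
```

A row with ServiceHasList true and InServiceList false for SeBackupPrivilege matches the condition the KB article describes; a TokenState of absent matches what the question reports from whoami /priv.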