Windows

Domain account not getting proper Se privileges from Group Policy

  • August 25, 2014

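I am trying to install software that requires SeBackupPrivilege, SeDebugPrivilege, and SeSecurityPrivilege, but I can't seem to get my domain account to retrieve these specific privileges.

I have changed the names for this example, but the user account name is Teddy and it is in the group Teddy-Group. That group has been assigned the privileges through a Group Policy named Teddy-Base. This Group Policy is applied to the OU containing the computer account of the machine I am trying to install the software on. The Group Policy gives Teddy-Group the rights to: Backup Files and Directories, Debug Programs, and Managing Auditing and Security Log, as required by the installer.

When I run rsop.msc on the machine, I see that the policy is applied correctly, but when I run whoami /priv I can see that the privileges are not applied, and the installer continues to fail.

Not sure if I'm just losing my mind and doing something wrong here, but I've done this many times and this is the first time I've had a problem. Any ideas?

Windows 2008 R2 SP1

Results of gpresult /z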

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 6/18/2014 at 11:08:58 AM



RSOP data for 
-------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
   Last time Group Policy was applied: 6/18/2014 at 10:39:08 AM
   Group Policy was applied from:      
   Group Policy slow link threshold:   500 kbps
   Domain Name:                       
   Domain Type:                        Windows 2000

   Applied Group Policy Objects
   -----------------------------
       Teddy-Base
       Default Domain Policy

   The following GPOs were not applied because they were filtered out
   -------------------------------------------------------------------
       Local Group Policy
           Filtering:  Not Applied (Empty)

   The computer is a part of the following security groups
   -------------------------------------------------------
       System Mandatory Level
       Everyone
       BUILTIN\Users
       NT AUTHORITY\SERVICE
       CONSOLE LOGON
       NT AUTHORITY\Authenticated Users
       This Organization
       BITS
       CertPropSvc
       EapHost
       hkmsvc
       IKEEXT
       iphlpsvc
       LanmanServer
       MMCSS
       MSiSCSI
       RasAuto
       RasMan
       RemoteAccess
       Schedule
       SCPolicySvc
       SENS
       SessionEnv
       SharedAccess
       ShellHWDetection
       wercplsupport
       Winmgmt
       wuauserv
       LOCAL
       BUILTIN\Administrators

   Resultant Set Of Policies for Computer
   ---------------------------------------

       Software Installations
       ----------------------
           N/A

       Startup Scripts
       ---------------
           GPO: DNS_Registration
               Name:         RegisterDNS.vbs
               Parameters:   
               LastExecuted: 2:39:16 PM

       Shutdown Scripts
       ----------------
           N/A

       Account Policies
       ----------------


       Audit Policy
       ------------
           N/A

       User Rights
       -----------

           GPO: Teddy-Base
               Policy:            DebugPrivilege
               Computer Setting:  domain\Teddy-Group

           GPO: Teddy-Base
               Policy:            SecurityPrivilege
               Computer Setting:  domain\Teddy-Group

           GPO: Teddy-Base
               Policy:            ServiceLogonRight
               Computer Setting:  domain\Teddy-Group


           GPO: Teddy-Base
               Policy:            BackupPrivilege
               Computer Setting:  domain\Teddy-Group

       Security Options
       ----------------



       Event Log Settings
       ------------------

       Restricted Groups
       -----------------
           GPO: DSP
               Groupname: Backup Operators


       System Services
       ---------------


       Registry Settings
       -----------------


       File System Settings
       --------------------


       Public Key Policies
       -------------------
           N/A

       Administrative Templates
       ------------------------
            "I have removed these from the output"


USER SETTINGS
--------------

   Last time Group Policy was applied: 6/18/2014 at 10:43:02 AM
   Group Policy was applied from:      
   Group Policy slow link threshold:   500 kbps
   Domain Name:                        
   Domain Type:                        Windows 2000



   The user is a part of the following security groups
   ---------------------------------------------------
       Domain Users
       Everyone
       BUILTIN\Users
       BUILTIN\Administrators
       NT AUTHORITY\INTERACTIVE
       CONSOLE LOGON
       NT AUTHORITY\Authenticated Users
       This Organization
       LOCAL
       Domain Admins
       Teddy-Group
       Denied RODC Password Replication Group
       High Mandatory Level

   The user has the following security privileges
   ----------------------------------------------

       Restore files and directories
       Change the system time
       Shut down the system
       Force shutdown from a remote system
       Take ownership of files or other objects
       Modify firmware environment values
       Profile system performance
       Profile single process
       Increase scheduling priority
       Load and unload device drivers
       Create a pagefile
       Adjust memory quotas for a process
       Bypass traverse checking
       Remove computer from docking station
       Perform volume maintenance tasks
       Impersonate a client after authentication
       Create global objects
       Change the time zone
       Create symbolic links
       Enable computer and user accounts to be trusted for delegation
       Increase a process working set
       Back up files and directories
       Debug programs
       Manage auditing and security log

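This may be a known bug:

Windows Installer packages that require the SeBackupPrivilege user right fail in Windows 7 or in Windows Server 2008 R2

http://support.microsoft.com/kb/2514642

Symptoms

Consider the following scenario:

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You use the Windows Installer service to install a Windows Installer (.msi) package.
  • Some custom actions in the .msi package require the SeBackUpPrivilege user right.

In this scenario, the .msi package installation fails.

Note: This issue does not occur on computers that are running Windows Server 2003, Windows XP, Windows Vista, or Windows Server 2008 and that have Windows Installer 4.5 installed.

Cause

This issue occurs because the Windows Installer service 5.0 does not have the SeBackupPrivilege user right in Windows 7 and in Windows Server 2008 R2.

Workaround

To work around this issue, run the following command at an elevated command prompt to set explicit permission for the SeBackupPrivilege user right for the msiserver service: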

sc privs msiserver SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege

Quoted from: https://serverfault.com/questions/606128
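
A check to run before and after the workaround, as an added example that is not part of the original answer or the KB article: it reads the explicit privilege list of the msiserver service from the `RequiredPrivileges` registry value and compares it with the slash-separated list passed to `sc privs` above. The function name `Get-ServiceRequiredPrivilege` is hypothetical; the syntax is kept compatible with the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example: audit the msiserver service's required-privilege list.
# The list below is copied from the "sc privs msiserver ..." command quoted above.
$workaround = 'SeTcbPrivilege/SeCreatePagefilePrivilege/SeLockMemoryPrivilege/SeIncreaseBasePriorityPrivilege/SeCreatePermanentPrivilege/SeAuditPrivilege/SeSecurityPrivilege/SeChangeNotifyPrivilege/SeProfileSingleProcessPrivilege/SeImpersonatePrivilege/SeCreateGlobalPrivilege/SeAssignPrimaryTokenPrivilege/SeRestorePrivilege/SeIncreaseQuotaPrivilege/SeShutdownPrivilege/SeTakeOwnershipPrivilege/SeLoadDriverPrivilege/SeBackupPrivilege'
$expected = $workaround -split '/'

# Hypothetical helper: returns the service's explicit privilege list.
function Get-ServiceRequiredPrivilege {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $key)) {
        throw "Service key not found: $key"
    }
    # RequiredPrivileges is a REG_MULTI_SZ value; it is absent when no
    # explicit list has been set for the service.
    $prop = Get-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return }
    $prop.RequiredPrivileges | Where-Object { $_ }
}

# @() keeps the results as arrays even for zero or one entries.
$current = @(Get-ServiceRequiredPrivilege -ServiceName 'msiserver')
$missing = @($expected | Where-Object { $current -notcontains $_ })
$extra   = @($current  | Where-Object { $expected -notcontains $_ })

# One summary object; -contains and -notcontains are case-insensitive.
New-Object PSObject -Property @{
    Service                   = 'msiserver'
    ExplicitListSet           = ($current.Count -gt 0)
    HasSeBackupPrivilege      = ($current -contains 'SeBackupPrivilege')
    MissingFromWorkaroundList = ($missing -join ', ')
    NotInWorkaroundList       = ($extra -join ', ')
} | Format-List
```

`HasSeBackupPrivilege` reading `False` with `ExplicitListSet` reading `True` matches the cause the KB article describes; after the workaround command has run, `MissingFromWorkaroundList` should be empty.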