Question on privileges in PS

Mikhail Firsov 1,876 Reputation points
2021-07-02T13:43:36.29+00:00

Hello,

As you may already know, if some operation is performed under an administrative account but without elevated privileges - for example, starting a PS console NOT As administrator - this operation will use the non-administrative token, thus "downgrading" the administrator's privileges to those of an ordinary user. It means that such an administrator is in fact just a user (in terms of privileges and permissions), and there should not be - at least I have no grounds to think differently - any difference between such an administrative account and a plain user account.
Nevertheless, when I issue the following command as an administrator without administrative token the command completes successfully:
[screenshot: 111366-q1.png]

...but when I run it under a user account it returns nothing, and the error under the hood is Access Denied:
[screenshot: 111399-q2.png]

Q1: Am I correct in thinking that administrative accounts without elevated tokens must have the same level of privileges as ordinary users?

Q2: If Q1 = yes ... why does the command above work differently?

Thank you in advance,
Michael


Accepted answer
  1. Rich Matheisen 45,906 Reputation points
    2021-07-12T15:12:08.25+00:00

    Well, first you'd have to separate the "permission" from the "privilege". You'd also have to take into account that the "administrator" account has a unique SID (S-1-5-21-domain-500) -- that can have an effect on what the account is capable of doing (privilege) and what it is allowed to access (permission).

    "Access Denied" is related to "permission" and, so, to group membership. The accounts (except for that "well-known SID") should be no different.


3 additional answers

Sort by: Most helpful
  1. Rich Matheisen 45,906 Reputation points
    2021-07-02T15:28:00.97+00:00

  2. Mikhail Firsov 1,876 Reputation points
    2021-07-12T14:42:23.89+00:00

    Sorry for the delay...

    Thank you for the interesting question/explanation but it's a bit different... my question was about if there should be any difference between an administrative account which had not requested administrative privileges and an account that never had such privileges at all...


  3. Mikhail Firsov 1,876 Reputation points
    2021-07-13T09:53:50.177+00:00

"The "administrator" account has a unique SID (S-1-5-21-domain-500)" - oh, you're right - I forgot that I was conducting my tests under the built-in Administrator account, which always runs with the elevated token...

    Thank you for the help!

    Regards,
    Michael

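The accepted answer separates "privilege" from "permission" and points at the RID 500 account, and the last reply confirms the tests ran as the built-in Administrator. The following PowerShell is an added example, not code from this thread: it reports, for the current console, whether the account is the built-in Administrator (RID 500, exempt from UAC token filtering by default), whether the token is elevated, whether BUILTIN\Administrators is enabled or marked "deny only" in the token, and how many privileges the token holds. The function name Get-TokenSummary is chosen here; it relies on the standard whoami /groups and whoami /priv output.

```powershell
# Added example (not from the thread). Get-TokenSummary is a name chosen here.
# Run it in three consoles (standard user, admin NOT "As administrator",
# admin "As administrator" or the built-in Administrator) and compare.
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Built-in Administrator is S-1-5-21-<domain>-500. By default the UAC
    # policy "Admin Approval Mode for the Built-in Administrator account" is
    # disabled, so this account gets a full token without any prompt.
    $isBuiltInAdmin = $identity.User.Value.EndsWith('-500')

    # True only if the *current* token carries an enabled Administrators group
    # (console started "As administrator", or the account is exempt as above).
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups shows the token group attributes. Under a filtered token
    # BUILTIN\Administrators (S-1-5-32-544) is still listed but marked
    # "Group used for deny only": it matches Deny ACEs, never Allow ACEs, so
    # permission checks fail with Access Denied exactly as for a plain user.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminsState = 'NotMember'
    if ($adminRow) {
        $adminsState = if ($adminRow.Attributes -match 'deny only') { 'DenyOnly' } else { 'Enabled' }
    }

    # Privileges are the other half of "privilege vs permission": a filtered
    # token keeps only a handful (SeShutdownPrivilege, SeChangeNotifyPrivilege,
    # ...), while a full administrator token holds many more.
    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

    [pscustomobject]@{
        User                   = $identity.Name
        UserSid                = $identity.User.Value
        IsBuiltInAdministrator = $isBuiltInAdmin
        IsElevated             = $isElevated
        AdministratorsGroup    = $adminsState
        PrivilegeCount         = $privs.Count
        Privileges             = ($privs.'Privilege Name') -join ', '
    }
}

Get-TokenSummary | Format-List
```

A non-elevated member of Administrators shows IsElevated False and AdministratorsGroup DenyOnly, which is the "same as a plain user" situation the question expects; the built-in Administrator shows IsBuiltInAdministrator True and IsElevated True even though the console was not started "As administrator".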