Question on privileges in PS

Mikhail Firsov 1,876 Reputation points
2021-07-02T13:43:36.29+00:00

Hello,

As you already may know, if some operation is performed under administrative account but without elevated privileges - for example, starting PS console NOT As administrator - this operation will be using the non-administrative token, thus "downgrading" administrator privileges to the privileges of an ordinary user. It means that such administrator is in fact just a user (in terms of privileges and permissions) and there should not be - at least I have no grounds to think differently - any difference between such administrative account and plain user account.
Nevertheless, when I issue the following command as an administrator without administrative token the command completes successfully:
111366-q1.png

...but when I run it under user account it returns nothing, but the error under the hood is Access Denied:
111399-q2.png

Q1: Am I correct thinking the administrative accounts without elevated tokens must have the same level of privileges as that of the odinary users?

Q2: If Q1 = yes ... why does the command above work differently?

Thank you in advance,
Michael

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,039 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,344 questions
0 comments No comments
{count} votes

Accepted answer
  1. Rich Matheisen 44,541 Reputation points
    2021-07-12T15:12:08.25+00:00

    Well, first you'd have to separate the "permission" from the "privilege". You'd also have to take into account that the "administrator" account has a unique SID (S-1-5-21-domain-500) -- that can have an effect on what the account is capable of doing (privilege) and what it is allowed to access (permission).

    "Access Denied" is related to "permission" and, so, to group membership. The accounts (except for that "well-known SID") should be no different.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Rich Matheisen 44,541 Reputation points
    2021-07-02T15:28:00.97+00:00
    0 comments No comments

  2. Mikhail Firsov 1,876 Reputation points
    2021-07-12T14:42:23.89+00:00

    Sorry for the delay...

    Thank you for the interesting question/explanation but it's a bit different... my question was about if there should be any difference between an administrative account which had not requested administrative privileges and an account that never had such privileges at all...

    0 comments No comments

  3. Mikhail Firsov 1,876 Reputation points
    2021-07-13T09:53:50.177+00:00

    " "administrator" account has a unique SID (S-1-5-21-domain-500) " - oh, you're right - forgot that I was conducting my tests under the built-in Administrator account which always runs with the elevated token...

    Thank you for the help!

    Regards,
    Michael

    0 comments No comments