Do Large Pages / Lock Pages in Memory Rights require elevated permissions?

Alex Gallegos 1 Reputation point
2021-09-03T13:48:54.02+00:00

I'm working with a vendor running their software on a physical Server 2016 machine, and the software is not performing to spec. It's a data processing application that does a large number of reads and writes per second. The vendor asked us to enable LPIM for the account that runs the software, which we did. If we simply launch the program, the console opens with an error that the expected memory is not available. If we run the program As Administrator, there is no such error. In production, this is not the program that end users will run. They run the "Enterprise Data" module which then calls the processing module, and when it does so, it will simply launch the application, without using elevated permissions.

The vendor is insisting that this is my problem to solve and I need to open a ticket with Microsoft because my server must be configured incorrectly. On the other hand, I can find mention on StackExchange and in the documentation for some other software online that says that programs must be launched with elevated permissions in order to take advantage of LPIM permissions to make Large Pages. But what I cannot find is anywhere that information is officially documented that I can give back to the vendor, and say, "No, this will never work unless you run the program as administrator, your workflow cannot function as designed." For example, it is suspiciously absent from the page about enabling LPIM for SQL Server, which seems to be the most common application.

Does anyone have any info?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,927 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Michael Taylor 45,986 Reputation points
    2021-09-03T15:39:36.487+00:00

    While I have no specific experience with this right it should behave the same as every other right. Rights are configured on a user/group level. To allow a particular user or group to have this right you'll use MMC and go to the Group Policy Editor (gpedit). If you're in a domain environment this should be done at the domain level and not per-machine. You mentioned you already did this so if you granted the user running the app this right then any process they start will have the same right. Admin privileges shouldn't be needed for this specific right. Note that rights are going to be cached when the process starts so if this stuff is running as a service you'll need to bounce the service.

    Now it is possible that they are also requiring other rights that you need to grant. Enabling audit failures and looking at the security log should help diagnose this. It is also possible that the issue is unrelated to this setting altogether. For example if they are trying to share memory between processes then both processes would need access which has nothing to do with this right.

    0 comments No comments

  2. Limitless Technology 39,296 Reputation points
    2021-09-03T18:48:49.917+00:00

    Hello @Alex Gallegos

    In my experience its always advisable to give LPIM permission to SQL service account as I might degrade SQL performance.

    Please have a look on below Microsoft article.

    https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/server-memory-server-configuration-options?view=sql-server-ver15#lock-pages-in-memory-lpim