Two (separate) Windows Server 2008 Enterprise Terminal Servers. Regular (domain) users run in the expected medium integrity level on one, but high on the other. The local group membership is identical.
What, other than local group membership, can cause a regular user account to run in the "high mandatory level" instead of the "medium mandatory level"? Local policies? UAC settings? (Looking at the Control Panel, UAC is turned off on both.)
This is whoami /groups taken from the server with the unexpected behaviour. As you can see, the user is not a member of any groups considered high privilege, yet the integrity level is: High Mandatory Level
Domain groups filtered to protect the innocent.
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ===============================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level   Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group, Local Group

How does a seemingly regular user account end up with "Mandatory Label\High Mandatory Level"?
whoami /groups taken from the server with the expected behaviour:
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ===============================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192  Mandatory group, Enabled by default, Enabled group, Local Group

The only difference is the order BUILTIN\Remote Desktop Users and BUILTIN\Users are listed in.
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/
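
Added example, not part of the original post: a small Python helper that compares two saved whoami /groups dumps by SID set rather than by listing order, and decodes the S-1-16-<RID> mandatory label into its integrity level name. The function names are hypothetical and the sample input is constructed from a few rows of the two dumps above.

```python
import re

# RIDs of the well-known mandatory-label SIDs (S-1-16-<RID>).
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium",
                    8448: "Medium Plus", 12288: "High", 16384: "System"}

# A row contains a SID; everything before it is group name + type.
ROW_RE = re.compile(r"^(?P<desc>.*?)\s+(?P<sid>S-1-\d+(?:-\d+)+)\b")

def parse_groups(text):
    """Return (integrity level, {sid: description}) from whoami /groups text."""
    level, groups = None, {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or wrapped attribute line
        sid = m["sid"]
        if sid.startswith("S-1-16-"):
            rid = int(sid.rsplit("-", 1)[1])
            level = INTEGRITY_LEVELS.get(rid, f"Unknown (RID {rid})")
        else:
            groups[sid] = m["desc"].strip()
    return level, groups

def compare_tokens(text_a, text_b):
    """Compare two dumps by SID set, so listing order does not matter."""
    level_a, groups_a = parse_groups(text_a)
    level_b, groups_b = parse_groups(text_b)
    return {
        "levels": (level_a, level_b),
        "only_in_a": {s: groups_a[s] for s in groups_a.keys() - groups_b.keys()},
        "only_in_b": {s: groups_b[s] for s in groups_b.keys() - groups_a.keys()},
    }

# Constructed sample input: a few rows copied from the two dumps in the post.
UNEXPECTED = r"""
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
BUILTIN\Users Alias S-1-5-32-545
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288
"""
EXPECTED = r"""
BUILTIN\Users Alias S-1-5-32-545
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
Everyone Well-known group S-1-1-0
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192
"""

if __name__ == "__main__":
    print(compare_tokens(UNEXPECTED, EXPECTED))
```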