There's a nice PowerShell module that does all the heavy lifting with privilege assignment at https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0. Through the process of elimination, I was able to determine the single token privilege necessary to "trick" our code - namely SeImpersonatePrivilege.
# create the user
net user testadmin Admin123 /add
# grant the impersonation privilege
Grant-UserRight -Account testadmin -Right SeImpersonatePrivilege

# verify user rights - should return only the SeImpersonatePrivilege
Get-UserRightsGrantedToAccount testadmin

# use psexec to launch a cmd process and navigate to a directory with Puppet installed, for instance C:\source\puppetlabs-scheduled_task>
# run ruby and show elevated is on
bundle exec ruby -e "require 'puppet'; puts Puppet::Util::Windows::Process.elevated_security?"
# true
|
For reference, the account should also display something similar to the following for whoami /all:
USER INFORMATION
----------------

User Name SID
======================== ============================================
vagrant-2008r2\testadmin S-1-5-21-271343509-1886877197-423808128-4919


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
==================================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
VAGRANT-2008R2\g45991a14-ee2d-48f6-925c-6ea809a5f994 Alias S-1-5-21-271343509-1886877197-423808128-4735 Mandatory group, Enabled by default, Enabled group
VAGRANT-2008R2\TestGroup-PUP8231 Alias S-1-5-21-271343509-1886877197-423808128-4699 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\system32>
|
For reference, with the privilege removed, the output of whoami /all is nearly identical except for the SeImpersonatePrivilege assignment above and the Medium Mandatory Level set instead of the High Mandatory Level above.
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group, Enabled by default, Enabled group
|
There's a good tidbit about high integrity tokens not being required to be in the Administrators group at https://stackoverflow.com/a/30970434. Another real-world example is at https://peter.hahndorf.eu/blog/elevate-nonadmin.html. The MSDN documentation for the integrity mechanism is at https://msdn.microsoft.com/en-us/library/bb625963.aspx
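As an added illustration of the point above (example code written for this note, not Puppet's own elevated_security? implementation), the following Ruby parses whoami /all style output and contrasts a test that only looks at the High integrity label with one that also requires an enabled, non-deny-only BUILTIN\Administrators SID; the two sample tokens are constructed inline, the first in the shape of the testadmin output shown here.

```ruby
# Added example (not Puppet's code): classify a Windows token from `whoami /all`
# text, contrasting an integrity-label-only test with one that also requires
# an enabled BUILTIN\Administrators group. Samples are constructed inline.
HIGH_LABEL_SID = 'S-1-16-12288' # Mandatory Label\High Mandatory Level
ADMINS_SID     = 'S-1-5-32-544' # BUILTIN\Administrators
DENY_ONLY      = 'Group used for deny only' # attribute of a UAC-filtered admin SID

# Constructed in the shape of the ticket's output: non-admin, High label, SeImpersonate.
NONADMIN_WHOAMI = <<~TXT
  BUILTIN\\Users                        Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
  Mandatory Label\\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group
  SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
  SeImpersonatePrivilege  Impersonate a client after authentication Enabled
TXT

# Constructed: a genuinely elevated administrator token.
ADMIN_WHOAMI = <<~TXT
  BUILTIN\\Administrators               Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
  Mandatory Label\\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group
  SeImpersonatePrivilege  Impersonate a client after authentication Enabled
TXT

# Parse group rows (SID -> attributes) and privilege rows (name -> state).
# Rows are matched on SID / privilege name, so column widths do not matter.
def parse_whoami(text)
  groups, privs = {}, {}
  text.each_line do |raw|
    line = raw.chomp
    if (m = line.match(/(S-1-[\d-]+)[ \t]+(.+)$/))
      groups[m[1]] = m[2].strip
    elsif (m = line.match(/^\s*(Se\w+Privilege)\s.*\s(Enabled|Disabled)\s*$/))
      privs[m[1]] = m[2]
    end
  end
  { groups: groups, privs: privs }
end

# Weak test: "elevated" means the token carries the High integrity label.
def elevated_by_label?(tok)
  tok[:groups].key?(HIGH_LABEL_SID)
end

# Stricter test: High label AND an enabled (not deny-only) Administrators group.
def elevated_admin?(tok)
  attrs = tok[:groups][ADMINS_SID]
  elevated_by_label?(tok) && !attrs.nil? && !attrs.include?(DENY_ONLY)
end

# Summarise one token: which tests it passes and whether SeImpersonatePrivilege is on.
def classify(text)
  tok = parse_whoami(text)
  { label_only: elevated_by_label?(tok), admin: elevated_admin?(tok),
    impersonate: tok[:privs]['SeImpersonatePrivilege'] == 'Enabled' }
end
```

On the testadmin-shaped sample classify returns label_only: true but admin: false, which is exactly the case the label-only check gets wrong.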