Microsoft KB Archive/829805

From BetaArchive Wiki


HOW TO: Set Alternative Default Settings for New User Rights That Are Introduced with Windows 2000 Server SP4

Article ID: 829805

Article Last Modified on 10/30/2006



APPLIES TO

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Service Pack 4




SUMMARY

The SeImpersonatePrivilege and the SeCreateGlobalPrivilege user rights are two new security settings that are introduced in Microsoft Windows 2000 Server Service Pack 4 (SP4).

For additional information about these new user rights, including a list of some known compatibility issues, click the following article number to view the article in the Microsoft Knowledge Base:

821546 Overview of the "Impersonate a Client After Authentication" and the "Create Global Objects" Security Settings


This article describes a method for specifying alternative default settings for these two user rights during the setup of Windows 2000 Server SP4. The procedure described here should be used only as a last resort. Generally, it is best to use Active Directory Group Policy objects (GPOs) to change these security settings after you install Windows 2000 Server SP4. However, there may be situations where Active Directory GPOs are not available, for example in a Novell NDS environment.

Note This information applies only to Windows 2000 Server SP4. The process is subject to change and may not work with upcoming service packs.

MORE INFORMATION

To change the default settings of the SeImpersonatePrivilege and the SeCreateGlobalPrivilege user rights, follow these steps.

Note Microsoft recommends that you create a script or a program to automatically perform these steps.

  1. Run the Windows 2000 Server SP4 update in silent mode without performing an automatic restart.

    To do so, you can use the Update.exe command with the -q switch (quiet mode) and the -z switch (no automatic restart): update.exe -q -z
  2. After the Windows 2000 Server SP4 update is completed and before you restart the computer, the "%windir%\system32\spupdsvc.inf" file will contain a section that is similar to the following:

    [ProcessesToRunAfterReboot]
    C:\WINNT\system32\secedit.exe /configure /cfg C:\WINNT\inf\spsecupd.inf /db C:\WINNT\security\templates\spsecupd.sdb /log C:\WINNT\security\logs\spsecupd.log
    C:\WINNT\system32\spupdw2k.exe

    Modify the [ProcessesToRunAfterReboot] section to append a command that alters the security settings of the SeImpersonatePrivilege and the SeCreateGlobalPrivilege user rights.

    Example (note the last line):

    [ProcessesToRunAfterReboot]
    C:\WINNT\system32\secedit.exe /configure /cfg C:\WINNT\inf\spsecupd.inf /db C:\WINNT\security\templates\spsecupd.sdb /log C:\WINNT\security\logs\spsecupd.log
    C:\WINNT\system32\spupdw2k.exe
    C:\Program Files\Resource Kit\ntrights.exe -u users +r SeImpersonatePrivilege

    It is very important that the command that alters the security settings is added as the last entry in the section.

    Note The Spupdsvc.inf file exists only after Windows 2000 Server SP4 is installed, and only until the next computer restart. After a restart, the file is deleted. The Spupdsvc.inf file is generated on the fly and depends on the actual configuration of the computer. Therefore, you must not copy a prepared version of the file from another computer, because it may not work with all installations. Also, you cannot use environment variables such as %windir% in the appended command. Only absolute paths will work.

    For additional information about the use of the Ntrights.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

    279664 How to Set Logon User Rights with the Ntrights.exe Utility

  3. Force a restart of the computer.

    During system startup, a service (Spupdsvc.exe) is started that executes the commands in the [ProcessesToRunAfterReboot] section, one after another, with the credentials of the system account.
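The edit in step 2 is the part that an automation script must get right: the ntrights command has to land as the last entry of [ProcessesToRunAfterReboot], inside the section, and it must use an absolute path with no environment variables. The following Python script is an added example of that edit, not Microsoft's code; the sample INF text and the [PlaceholderSection] that follows the real section are constructed to show the section-boundary handling.

```python
"""Append an ntrights command as the last entry of [ProcessesToRunAfterReboot]."""
import os
import re

SECTION = "[ProcessesToRunAfterReboot]"
# Command from the article: grant SeImpersonatePrivilege to Users via ntrights.exe.
NTRIGHTS_CMD = r"C:\Program Files\Resource Kit\ntrights.exe -u users +r SeImpersonatePrivilege"

# Constructed sample of spupdsvc.inf between "update.exe -q -z" and the restart.
# [PlaceholderSection] is invented here only to exercise the boundary logic.
SAMPLE_INF = (
    "[ProcessesToRunAfterReboot]\n"
    r"C:\WINNT\system32\secedit.exe /configure /cfg C:\WINNT\inf\spsecupd.inf /db "
    r"C:\WINNT\security\templates\spsecupd.sdb /log C:\WINNT\security\logs\spsecupd.log" "\n"
    r"C:\WINNT\system32\spupdw2k.exe" "\n"
    "\n[PlaceholderSection]\nkey=value\n"
)

def is_runnable_command(command):
    """Spupdsvc.exe expands no environment variables and needs an absolute path."""
    return not re.search(r"%[^%]+%", command) and re.match(r"^[A-Za-z]:\\", command) is not None

def section_bounds(lines, name=SECTION):
    """(start, end): lines[start] is the header, lines[end] is the next header or EOF."""
    starts = [i for i, l in enumerate(lines) if l.strip().lower() == name.lower()]
    if not starts:
        raise ValueError(f"{name} not found: was update.exe run with -z, before the restart?")
    end = starts[0] + 1
    while end < len(lines) and not lines[end].lstrip().startswith("["):
        end += 1
    return starts[0], end

def section_entries(inf_text, name=SECTION):
    """Non-blank command lines of the section, in their original order."""
    lines = inf_text.splitlines()
    start, end = section_bounds(lines, name)
    return [l for l in lines[start + 1:end] if l.strip()]

def append_after_reboot_command(inf_text, command):
    """Insert command as the LAST entry of the section; idempotent on a second run."""
    if not is_runnable_command(command):
        raise ValueError("command must be an absolute path without %VAR% references")
    if command in section_entries(inf_text):
        return inf_text
    lines = inf_text.splitlines()
    start, end = section_bounds(lines)
    pos = end
    while pos > start + 1 and not lines[pos - 1].strip():
        pos -= 1  # step back over blank lines so the entry stays inside the section
    lines.insert(pos, command)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":  # live run on the server, between the update and the restart
    path = os.path.expandvars(r"%windir%\system32\spupdsvc.inf")
    with open(path) as f:
        updated = append_after_reboot_command(f.read(), NTRIGHTS_CMD)
    with open(path, "w") as f:
        f.write(updated)
```

Run it once after `update.exe -q -z` completes and before forcing the restart; a second run leaves the file unchanged, so a retry does not add the entry twice.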


Keywords: kbhowto KB829805