Regular user account running under high integrity level - What can be the reason?
Two (separate) Windows Server 2008 Enterprise Terminal Servers. Regular (domain) users run in the expected medium integrity level on one, but high on the other. The local group membership is identical. What, other than local group membership, can cause a regular user account to run in the "high mandatory level" instead of the "medium mandatory level"? Local policies? UAC settings? (Looking at the Control Panel, UAC is turned off on both.)

This is whoami /groups taken from the server with the unexpected behaviour. As you can see, the user is not a member of any groups considered high privilege, yet the integrity level is: High Mandatory Level. Domain groups filtered to protect the innocent.

GROUP INFORMATION
-----------------

Group Name                            Type             SID          Attributes
===================================== ================ ============ ==================================================
Everyone                              Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users          Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                         Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE              Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users      Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization        Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                 Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level  Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group, Local Group

How does a seemingly regular user account end up with "Mandatory Label\High Mandatory Level"?
whoami /groups taken from the server with the expected behaviour:

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users           Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON  Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192  Mandatory group, Enabled by default, Enabled group, Local Group

The only difference is the order in which BUILTIN\Remote Desktop Users and BUILTIN\Users are listed.

Andreas Hultgren MCTS, MCITP http://ahultgren.blogspot.com/
April 8th, 2011 12:09pm

FYI: One difference is the service pack. The one that works as expected is SP1, the other one that's showing odd behaviour is SP2. Anyone have ideas?

Andreas Hultgren MCTS, MCITP http://ahultgren.blogspot.com/
April 12th, 2011 12:17pm

shit, interesting, but I am not the one with any ideas :-) I would try my luck with some High process starting the child processes. Or, it now occurred to me, go and check with CHML the level of the CMD and WHOAMI executables. It may be that only the two (or WHOAMI alone) are running at HIGH. I would also use Process Explorer to investigate group memberships and levels of other processes of the same user. ondrej.
April 12th, 2011 9:13pm

Yeah, all processes for the user are running with high integrity level.

Andreas Hultgren MCTS, MCITP http://ahultgren.blogspot.com/
April 13th, 2011 4:14pm

and does Process Explorer show what process they were started from? ... the tree structure. ondrej.
April 13th, 2011 4:21pm

Everything is running as "High" (or "System"; nothing at all is "Medium" or "Low", for any user), explorer.exe included, which has userinit.exe as parent.

CHML shows the same output for both servers:

File C:\Windows\explorer.exe's integrity level: Unknown
("unknown" because SDDL string was "S:AI".)
Inheritance flags:
Integrity policies:
No read up: disabled
No execute up: disabled
No write up: disabled
(Actually, in this "no policy" case, Windows seems to behave as if there is a "no write up" policy in effect.)

It's the same output for userinit.exe. Icacls does not show integrity level for either executable. This is quite interesting, to say the least.

Andreas Hultgren MCTS, MCITP http://ahultgren.blogspot.com/
April 14th, 2011 2:00pm
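As an added example (not code from the thread or from any of its posters), the Process Explorer check discussed above can also be done from PowerShell: the script below lists every process with its parent PID, owner and token integrity level (Low/Medium/High/System, read from the S-1-16-x label SID), so a High-level userinit.exe -> explorer.exe chain for a regular user stands out. The helper class name TokenIL is a hypothetical name of mine, and the script assumes it is run from an elevated prompt on the terminal server so other users' processes can be opened.

```powershell
# Hypothetical helper (TokenIL): reads each process token's integrity label SID via P/Invoke.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("kernel32.dll", SetLastError=true)] static extern IntPtr OpenProcess(uint a, bool i, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool GetTokenInformation(IntPtr t, int c, IntPtr b, int l, out int r);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int idx);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value
    // Returns the RID of the token's S-1-16-<RID> label, or -1 if the process cannot be opened.
    public static int GetRid(int pid) {
        IntPtr p = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (p == IntPtr.Zero) return -1;
        IntPtr t; int rid = -1, len;
        if (OpenProcessToken(p, TOKEN_QUERY, out t)) {
            GetTokenInformation(t, TokenIntegrityLevel, IntPtr.Zero, 0, out len);   // size probe
            IntPtr buf = Marshal.AllocHGlobal(len);
            if (GetTokenInformation(t, TokenIntegrityLevel, buf, len, out len)) {
                IntPtr sid = Marshal.ReadIntPtr(buf);                    // TOKEN_MANDATORY_LABEL.Label.Sid
                int n = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                rid = Marshal.ReadInt32(GetSidSubAuthority(sid, n - 1)); // last sub-authority is the level
            }
            Marshal.FreeHGlobal(buf); CloseHandle(t);
        }
        CloseHandle(p);
        return rid;
    }
}
'@
Add-Type -TypeDefinition $src
$levelNames = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
$rows = Get-WmiObject Win32_Process | ForEach-Object {
    $rid = [TokenIL]::GetRid([int]$_.ProcessId)
    $o = $_.GetOwner()
    New-Object PSObject -Property @{
        PID    = $_.ProcessId
        Parent = $_.ParentProcessId
        Name   = $_.Name
        User   = if ($o.User) { "$($o.Domain)\$($o.User)" } else { '?' }
        Level  = if ($rid -lt 0) { 'n/a' } elseif ($levelNames.ContainsKey($rid)) { $levelNames[$rid] } else { "RID $rid" }
    }
}
# Medium is the expected level for a non-elevated interactive user; anything else for such a user
# is worth following up the Parent chain (e.g. userinit.exe -> explorer.exe) to see where it originates.
$rows | Sort-Object User, PID | Format-Table PID, Parent, Name, User, Level -AutoSize
```

Comparing the output of the SP1 and SP2 servers side by side shows at which point in the logon chain the levels diverge.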

very interesting, we can ask support if they offer any hint? ondrej.
April 14th, 2011 2:37pm

Andreas, did you find out what caused the integrity level? I seem to have the same problem. Gr, Iwan
October 7th, 2011 9:08am

Hi, No, unfortunately not. This one still eludes me. Out of curiosity, how did you notice this behavior on your server?

Andreas Hultgren MCTS, MCITP http://ahultgren.blogspot.com/
October 7th, 2011 9:58am
