ELEVATE_USER_TOKEN - UCMD Server configuration option
Description
The ELEVATE_USER_TOKEN option allows a process to execute with the highest privileges available to it; the UCMD server will execute the process with an elevated user token (that is, one not subject to User Account Control (UAC) restrictions).
Starting with Windows Vista, the Windows User Account Control (UAC) feature allows some privileged operations (for example, a process that takes ownership of a file) to execute only after receiving confirmation to do so. Windows obtains this confirmation when a user responds to a UAC prompt, thereby giving the application permission to proceed. This response elevates the user's access token to a fully-privileged token.
The non-interactive nature of a UCMD Server child processes prevents it from issuing the UAC elevation prompt, so any process that would normally require elevation may fail.
The ELEVATE_USER_TOKEN option solves this problem by instructing UCMD Server to obtain a user's elevated token and use it to execute the child process. This gives the process all privileges available to the user, not just those permitted by UAC.
Note
Setting this option will not provide the user with any additional privileges. It will simply enable all of the privileges that the user already has been granted.
Usage
Method | Syntax | IBM i | UNIX | Windows | z/OS |
Configuration File Keyword | elevate_user_token option |
| |||
Manager Override | elevate_user_token option |
|
Values
option specifies whether or not UCMD Server child processes execute with an elevated user token.
Valid values for option are:
- yes
Obtain an elevated user token and use it to execute the child process. - no
Execute the child process with a default user token. If that is not an elevated user token, some operations subject to UAC restrictions may fail.
Note
Some accounts - such as the built-in Administrator account - may already be fully elevated. Processes executed with this account may not need to set this option.
Default is no.