" Drop My Rights " and LUA ?

Is there any benefit to using Drop My Rights on Windows *and* running as a Standard User Account?

 

Re: "Drop My Rights" *and* LUA?

When you login (are authenticated) you receive a security descriptor token, which describes your rights. When you create a process, this token is given to the process, and that process gives it to proceses it starts as well.

When you are a member of a group like Admins, your token has values that state this, and the system understands by your token what rights you have. When you login as a member of both User and Admins, you get the rights of Admins still.

When you use LUA, you are only a member of Users (typically) and not Admins. In this manner your security token reflects the rights the User group has.

DropMyRights will, upon creating of a process, give that process the security descriptor token of a Basic User normally. There are other options, but aren't used much. Once a process, created by an Admin, is created with DropMyRights, it behaves the same as a User because it now has a token that is more or less a Users token.

I would say that unless you are going to use DMR with one of the other values it is capable of, it is redundant. However, there might be some settings in your particular user account that would not be present in a 'default user' account that DMR uses. That might be a reason to use it, it depends on if you have customized rights for your user account.

Sul.