Premissions needed to launch COM as "The launching user" identity?

Question

Solved: added full control over C:\Program Files\Application folder to group containing "The launching user".

Using dcomcnfg I can configure a application identity, when launched from another application as COM.

When The launching user user is member of Administrators group my application can create COM object, but I want that my user have as low permissions as possible.

Using secpol I have added group with my user to:

Impersonate a client after authentication
Log on as batch job (needed for non interactive session)
Log on as service (needed, my application runs as service)
Obtain an impersonation token (...)

But that not resolved my problem. What secpol or other permissions are needed?

Note: I can't use other Identity options, It must be launching user.

score 1 · Accepted Answer · answered Nov 16 '18 at 19:27

You need to change the security settings for the COM object itself. By default the Administrators group has Full permissions and the Users group has read. Here's the delta in permissions. You'll have to experiment with the perms to get the minimum you need.

Permissions  Admins Users
Full Control    +   -
Query Value     +   +
Set Value       +   -
Create Subkey   +   -
Enum Subkeys    +   +
Notify          +   +
Create Link     +   -
Delete          +   -
Write DAC       +   +
Write Owner     +   +
Read Control    +   +

I'll try with Subinacl http://www.robvanderwoude.com/subinacl.php — Tomasito, Nov 16 '18 at 22:08

Premissions needed to launch COM as "The launching user" identity?

1 Answers1