Issue: Error: Setting token failed #177

Closed
GrimDemon opened this issue Sep 12, 2022 · 9 comments

@GrimDemon

Hi @gerardog. Sorry for the late reply, I was on vacation. I confirm that the attached mode (gsudo config ForceAttachedConsole True) is working properly. It is sufficient for my actions - elevation of privileges, then launching the application (in fact, I do not use redirection).

If you would still like to analyze my problem with TokenSwitch mode, I was able to dump the Procmon logfile ➡ Logfile.zip. I didn't notice anything related to gsudo in the Event Viewer.

Originally posted by @GrimDemon in #140 (comment)

@GrimDemon
Author

GrimDemon commented Sep 12, 2022

I created a new issue because I couldn't reach you through the old one. As a reporter, I am unable to reopen my original issue.

In gsudo v1.5.1 my problem persists, although the error code is different. Here are the screenshots and the Process Monitor log for the current gsudo version for your reference.

[Screenshot: 2022-09-12 17_32_48-C__WINDOWS_system32_cmd exe]
[Screenshot: 2022-09-12 17_32_42-gsudo Service]

I know you've been busy rewriting gsudo to .NET 7.0 and ahead of time compilation topics. If you can take the time to analyze my problem, I would be very grateful.

@gerardog
Owner

Hi @GrimDemon, I've looked at the Logfile, and unfortunately I couldn't find a clue of what's going on.
You may want to detail how you installed your system. Is it AD joined? Does it have a special group policy? Have you installed some security or antivirus software?
Anything that could help me reproduce the problem.
Thanks

@gerardog changed the title from "Issue: gsudo won't elevate. Error Setting token failed - continuation" to "Issue: Error: Setting token failed" on Oct 2, 2022
@gerardog
Owner

gerardog commented Oct 20, 2022

Can you please open Local Security Policy, navigate to Local Policies -> User Right Assignments, then right click on an empty space on the right panel and select Export List. Paste the list contents here please. Below are my machine's settings:

| Policy | Security Setting |
| --- | --- |
| Access Credential Manager as a trusted caller | |
| Access this computer from the network | Everyone,Administrators,Users,Backup Operators |
| Act as part of the operating system | |
| Add workstations to domain | |
| Adjust memory quotas for a process | LOCAL SERVICE,NETWORK SERVICE,Administrators |
| Allow log on locally | Guest,Administrators,Users,Backup Operators |
| Allow log on through Remote Desktop Services | Administrators,Remote Desktop Users |
| Back up files and directories | Administrators,Backup Operators |
| Bypass traverse checking | Everyone,LOCAL SERVICE,NETWORK SERVICE,Administrators,Users,Backup Operators |
| Change the system time | LOCAL SERVICE,Administrators |
| Change the time zone | LOCAL SERVICE,Administrators,Users |
| Create a pagefile | Administrators |
| Create a token object | |
| Create global objects | LOCAL SERVICE,NETWORK SERVICE,Administrators,SERVICE |
| Create permanent shared objects | |
| Create symbolic links | Administrators,NT VIRTUAL MACHINE\Virtual Machines |
| Debug programs | Administrators |
| Deny access to this computer from the network | Guest |
| Deny log on as a batch job | |
| Deny log on as a service | |
| Deny log on locally | Guest |
| Deny log on through Remote Desktop Services | |
| Enable computer and user accounts to be trusted for delegation | |
| Force shutdown from a remote system | Administrators |
| Generate security audits | LOCAL SERVICE,NETWORK SERVICE |
| Impersonate a client after authentication | LOCAL SERVICE,NETWORK SERVICE,Administrators,SERVICE |
| Increase a process working set | Users |
| Increase scheduling priority | Administrators,Window Manager\Window Manager Group |
| Load and unload device drivers | Administrators |
| Lock pages in memory | |
| Log on as a batch job | Administrators,Backup Operators,Performance Log Users |
| Log on as a service | NT SERVICE\ALL SERVICES,NT VIRTUAL MACHINE\Virtual Machines |
| Manage auditing and security log | Administrators |
| Modify an object label | |
| Modify firmware environment values | Administrators |
| Obtain an impersonation token for another user in the same session | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators |
| Profile system performance | Administrators,NT SERVICE\WdiServiceHost |
| Remove computer from docking station | Administrators,Users |

@gerardog
Owner

Anyone having this problem, please dump your Local Security Policy here.

@gerardog
Owner

Hi @GrimDemon, is this still an issue?
Were you able to export the policy?

@GrimDemon
Author

GrimDemon commented Nov 23, 2022

Hi @gerardog, I'm sorry for the lack of response. I left this problem and did not go back to it until now.
I compared the User Rights Assignment list on two different computers. In the problematic system I had to add the Administrators group to the Debug programs and Obtain an impersonation token (...) policies. Now gsudo works fine with default settings.
Thank you very much for your help!

@gerardog
Owner

Understood! Great to know we found the root cause!
Do you know who modified that policy, or why? It may be part of some common practice, and being aware of that may help me understand/document the scenario better.

@GrimDemon
Author

Unfortunately, I'm not able to help you. Both computers are my private property. They were never connected to AD. I don't remember ever modifying the list of these policies myself. It seems to me that this action could've been taken by one of the "smart" Windows cleaners/optimizers like CCleaner or Ashampoo WinOptimizer. I haven't used such software for a long time, so I can't say exactly which program made these changes.

@gerardog
Owner

No problem. You actually helped a lot! Now I know where to look when this error shows up.
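
The comparison that resolved this issue, as an added example (not part of the thread and not gsudo's code): it parses two Local Security Policy "Export List" dumps, reports where the User Rights Assignment differs, and flags the two rights the reporter had to restore. It assumes the tab-delimited text export with English principal names; the function names and both sample exports are constructed for illustration.

```python
# Added example: compare two "Export List" dumps of User Rights Assignment.
# Assumes tab-delimited text ("Policy<TAB>Security Setting") and English names.

# Rights the reporter restored for Administrators to make gsudo work (from the thread).
REQUIRED = {
    "Debug programs": "Administrators",
    "Obtain an impersonation token for another user in the same session": "Administrators",
}

def parse_export(text):
    """Return {policy name: set of principals} from an exported list."""
    rights = {}
    for line in text.splitlines():
        name, _, setting = line.partition("\t")
        name = name.strip()
        if not name or name == "Policy":  # blank line or header row
            continue
        rights[name] = {p.strip() for p in setting.split(",") if p.strip()}
    return rights

def missing_required(rights, required=REQUIRED):
    """Required (policy, principal) pairs that the export does not grant."""
    return sorted(
        (policy, who) for policy, who in required.items()
        if who.lower() not in {p.lower() for p in rights.get(policy, set())}
    )

def diff_rights(reference, suspect):
    """Policies whose principals differ between a working and a failing machine."""
    changes = {}
    for policy in sorted(set(reference) | set(suspect)):
        ref, sus = reference.get(policy, set()), suspect.get(policy, set())
        if ref != sus:
            changes[policy] = {"only_in_reference": sorted(ref - sus),
                               "only_in_suspect": sorted(sus - ref)}
    return changes

# Constructed sample exports (not taken from the reporter's machines).
_HEAD = "Policy\tSecurity Setting\nCreate a token object\t\n"
_TAIL = "Profile single process\tAdministrators\n"
_IMP = "Obtain an impersonation token for another user in the same session"
REFERENCE_EXPORT = _HEAD + f"Debug programs\tAdministrators\n{_IMP}\tAdministrators\n" + _TAIL
SUSPECT_EXPORT = _HEAD + f"Debug programs\t\n{_IMP}\t\n" + _TAIL

if __name__ == "__main__":
    ref, sus = parse_export(REFERENCE_EXPORT), parse_export(SUSPECT_EXPORT)
    for policy, who in missing_required(sus):
        print(f"MISSING: {who} is not granted '{policy}'")
    for policy, delta in diff_rights(ref, sus).items():
        print(policy, delta)
```
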
