An application being elevated with AM can generate System.Security.Principal.IdentityNotMappedException exceptions ("Some or all identity references could not be translated") which, if unhandled, will cause the application to crash.
The following PowerShell command generates the exception when executed in a URM elevated PowerShell process, but not in a standard user or UAC elevated PowerShell process:

foreach ($ref in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
    (New-Object System.Security.Principal.SecurityIdentifier $ref.Value).Translate([System.Security.Principal.NTAccount]).ToString()
}
Application Manager adds a SID to the token of the process as a tag to indicate that it has been elevated by AM. This SID is not present in Process Explorer on un-elevated processes or UAC elevated processes, and it cannot be resolved to a local, builtin or domain group name, so Translate() throws for it.
Any script enumerating SIDs in this scenario needs a catch block that handles the exception and moves on to the next SID when one cannot be resolved.
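The following PowerShell script is an added example, not code from the original article or from Application Manager. It enumerates the group SIDs of the current process token in the same way as the command above, but catches IdentityNotMappedException per SID so that the AM tag SID (or any other SID that cannot be translated, such as one left behind by a deleted account) is recorded and skipped instead of terminating the script. The function name Get-TokenGroupNames and the output object layout are the example's own choices.

```powershell
# Added example: resolve each group SID in the current token, tolerating SIDs
# that cannot be translated (e.g. the tag SID Application Manager adds to
# URM elevated processes) instead of letting the exception crash the script.
function Get-TokenGroupNames {
    $results = foreach ($group in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        # Groups already holds SecurityIdentifier objects; re-create from the
        # string value so the example mirrors the original command.
        $sid = [System.Security.Principal.SecurityIdentifier]$group.Value
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Sid = $sid.Value; Name = $name; Resolved = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No local, builtin or domain name exists for this SID.
            # Record it and continue with the next SID.
            [pscustomobject]@{ Sid = $sid.Value; Name = $null; Resolved = $false }
        }
    }
    return $results
}

$groups = Get-TokenGroupNames
$groups | Format-Table -AutoSize

# Report the SIDs that could not be translated; in a URM elevated process
# this list is expected to contain the Application Manager tag SID.
$unresolved = @($groups | Where-Object { -not $_.Resolved })
if ($unresolved.Count -gt 0) {
    Write-Warning ("{0} SID(s) could not be translated: {1}" -f $unresolved.Count, ($unresolved.Sid -join ', '))
}
```

Run the script once from a standard or UAC elevated PowerShell session and once from a URM elevated session: the first should report no unresolved SIDs, while the second completes without error and lists the tag SID in the warning.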
To work around this issue, add a custom User Rights Policy that adds the 'BUILTIN\Administrators' group and sets the system privileges in the same way as the built-in elevate policy does.