Question
The scenario is that I am running a service as admin.
We have a callout that runs custom code (think scripting). It uses CodeDOM compiling to create an assembly and create a type and invoke a method (based on code).
I want to temporarily drop admin privileges for the duration of the callout and then restore them afterwards.
Solution 2
I ended up running the code in a sandboxed application domain as described in the link:
How to: Run Partially Trusted Code in a Sandbox
http://msdn.microsoft.com/en-us/library/bb763046%28v=vs.100%29.aspx
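The sandboxed application domain approach this answer refers to, shown as an added example (not the poster's code) for .NET Framework 4. The class name `ScriptSandbox`, the method `RunRestricted`, and the idea that the CodeDOM output is compiled to disk in its own folder are assumptions.

```csharp
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical host class (assumption). It derives from MarshalByRefObject so the
// service can call it across the AppDomain boundary.
public sealed class ScriptSandbox : MarshalByRefObject
{
    // Executes inside the sandbox domain: resolve the script assembly from the
    // domain's ApplicationBase and invoke a public static, parameterless method.
    public object Run(string assemblyName, string typeName, string methodName)
    {
        MethodInfo target = Assembly.Load(assemblyName)
                                    .GetType(typeName, true)
                                    .GetMethod(methodName);
        return target.Invoke(null, null);
    }

    // Called from the fully trusted service. scriptDir is the folder that holds
    // the CodeDOM-compiled assembly (assumed to be compiled to disk).
    public static object RunRestricted(string scriptDir, string assemblyName,
                                       string typeName, string methodName)
    {
        // Start from an empty grant set and add only the right to execute.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        var setup = new AppDomainSetup { ApplicationBase = scriptDir };

        // Only this host assembly is fully trusted inside the sandbox.
        // Assumption: the host assembly is strong-name signed.
        StrongName host = typeof(ScriptSandbox).Assembly.Evidence
                                               .GetHostEvidence<StrongName>();

        AppDomain sandbox = AppDomain.CreateDomain("ScriptSandbox", null, setup, grant, host);
        try
        {
            var runner = (ScriptSandbox)Activator.CreateInstanceFrom(
                sandbox,
                typeof(ScriptSandbox).Assembly.ManifestModule.FullyQualifiedName,
                typeof(ScriptSandbox).FullName).Unwrap();
            return runner.Run(assemblyName, typeName, methodName);
        }
        finally
        {
            AppDomain.Unload(sandbox);   // discard the script's state and assemblies
        }
    }
}
```

The grant set limits what the managed script code can do through Code Access Security; the Windows token of the service process is unchanged. Microsoft's later guidance is not to rely on CAS as a security boundary, and partial-trust application domains exist only in .NET Framework.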
Other tips
I don't think you can "drop" privileges in the way you describe; your service is running as a user, and that user is allowed a certain amount of access. You can ask Windows to temporarily grant you more permissions (which is what UAC is all about) but you can't ask it to give you less!
I would create a second user in the system for the purposes of running the scripts (with an appropriately lower level of access) and impersonate that user for the duration of the custom code.
[edit] Turns out I don't know what I'm talking about. According to this link, UAC is implemented in the reverse manner, by creating a restricted set of permissions and running the code in that context.