Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:

> On Mar 23 12:35, Brian Inglis wrote:
>> Warren Young <wyml <at> etr-usa.com> writes:
>>> Confirmed, at least on Win10 64-bit without any AD mucking things up.
>>> That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
>> Opposite for me on Win7 x64 non-domain machine!
>> I am always a member of 544(Administrators) group and it is my default
>> primary group in normal non-admin and elevated admin shells.
>> In elevated admin shell, I am also a member of 114(Local account and
>> member of Administrators group) and 405504(High Mandatory Level) not
>> 401408(Medium Mandatory Level).
> You have either some /etc/passwd, /etc/group settings overshadowing the
> default settings, or you used the "desc" method described in
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
> to change your primary group.
> Otherwise your primary group is always "None", or the equivalent in your
> locale. The admins group is *never* the primary group, unless you
> messed with the settings for Cygwin as outlined above.
> If you're member in the Admins group, then the admins group is part of
> the non-elevated token, but only as "deny-only" group. That means, it's
> usually not shown in id, unless you made it primary group, in which case
> it has to be shown.
> You better remove this. I think I'll fix this function to not allow
> primary groups which are not enabled in the token.

net user /comment - thanks, that worked.
Removed comment (in elevated shell) and default became None.
Re-added comment with Users and that became the default.
Will leave that there, as seeing None=="local non-domain accounts" bugs me, and it seems stupid to default anything to local non-domain accounts only.

Is there a better consistent choice of dynamic group having elevated rights on both local and domain systems than 544 e.g. 114 or 405504 or ?