On Mar 23 18:01, Brian Inglis wrote:
> Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> > On Mar 23 12:35, Brian Inglis wrote:
> >> Warren Young <wyml <at> etr-usa.com> writes:
> >>> Confirmed, at least on Win10 64-bit without any AD mucking things up.
> >>> That is, I get both 114 and 544 here, so I don’t need the 114 rule at all.
> >> Opposite for me on Win7 x64 non-domain machine!
> >> I am always a member of 544(Administrators) group and it is my default
> >> primary group in normal non-admin and elevated admin shells.
> >> In elevated admin shell, I am also a member of 114(Local account and
> >> member of Administrators group) and 405504(High Mandatory Level) not
> >> 401408(Medium Mandatory Level).
> >
> > You have either some /etc/passwd, /etc/group settings overshadowing the
> > default settings, or you used the "desc" method described in
> > https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
> > to change your primary group.
> > Otherwise your primary group is always "None", or the equivalent in your
> > locale. The admins group is *never* the primary group, unless you
> > messed with the settings for Cygwin as outlined above.
> > If you're member in the Admins group, then the admins group is part of
> > the non-elevated token, but only as "deny-only" group. That means, it's
> > usually not shown in id, unless you made it primary group, in which case
> > it has to be shown.
> > You better remove this. I think I'll fix this function to not allow
> > primary groups which are not enabled in the token.

The latest test release 2.5.0-0.9 now checks if the desired primary group
is enabled in the token. If it's not enabled, as in the case of the
admins group for non-elevated admin accounts, it refuses to change the
primary group and keeps the default primary group intact.

> net user /comment - thanks, that worked.
> Removed comment (in elevated shell) and default became None.
> Readded comment with Users and that became the default.
> Will leave that there, as seeing None=="local non-domain accounts" bugs me,
> and it seems stupid to default anything to local non-domain accounts only.
> Is there a better consistent choice of dynamic group having elevated rights
> on both local and domain systems than 544 e.g. 114 or 405504 or ?

I don't understand the question. What counts is group 544,
administrators. But there's no good reason to make this group your
primary group. Membership is sufficient.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
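
The check described in this message (a requested primary group is refused when it is not enabled in the token), modelled as an added Python example; it is not Cygwin's code and not part of the original thread. The token contents and the gid 197121 for "None" are constructed sample values, the function names are hypothetical, and mandatory-level entries are left out of the model.

```python
# Windows token group attribute flags (values from winnt.h).
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

# Constructed tokens for one local account in Administrators: gid -> (name, attrs).
# Non-elevated: the admin groups are present, but only as deny-only entries.
NON_ELEVATED = {
    197121: ("None", SE_GROUP_ENABLED),
    545: ("Users", SE_GROUP_ENABLED),
    544: ("Administrators", SE_GROUP_USE_FOR_DENY_ONLY),
    114: ("Local account and member of Administrators group",
          SE_GROUP_USE_FOR_DENY_ONLY),
}
# Elevated: the same groups, now enabled.
ELEVATED = {gid: (name, SE_GROUP_ENABLED) for gid, (name, _) in NON_ELEVATED.items()}


def is_enabled(attrs):
    """A group grants access only if enabled and not marked deny-only."""
    return bool(attrs & SE_GROUP_ENABLED) and not attrs & SE_GROUP_USE_FOR_DENY_ONLY


def visible_groups(token):
    """Gids an id-style listing would show: enabled groups only."""
    return sorted(gid for gid, (_, attrs) in token.items() if is_enabled(attrs))


def choose_primary_group(token, default_gid, requested_gid=None):
    """Honour a requested primary group only if the token has it enabled.

    A deny-only or absent group is refused and the default is kept,
    which is the behaviour the message describes for the test release.
    """
    if requested_gid is None:
        return default_gid
    entry = token.get(requested_gid)
    if entry is None or not is_enabled(entry[1]):
        return default_gid
    return requested_gid


if __name__ == "__main__":
    for label, token in (("non-elevated", NON_ELEVATED), ("elevated", ELEVATED)):
        gid = choose_primary_group(token, 197121, requested_gid=544)
        print(f"{label}: primary={gid} ({token[gid][0]}), groups={visible_groups(token)}")
```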