This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Change PS1 when run as administrator
- From: Brian Inglis <Brian dot Inglis at SystematicSw dot ab dot ca>
- To: cygwin at cygwin dot com
- Date: Wed, 23 Mar 2016 18:01:02 +0000 (UTC)
- Subject: Re: Change PS1 when run as administrator
Corinna Vinschen <corinna-cygwin <at> cygwin.com> writes:
> On Mar 23 12:35, Brian Inglis wrote:
>> Warren Young <wyml <at> etr-usa.com> writes:
>>> Confirmed, at least on Win10 64-bit without any AD mucking things up.
>>> That is, I get both 114 and 544 here, so I don't need the 114 rule at all.
>> Opposite for me on Win7 x64 non-domain machine!
>> I am always a member of 544(Administrators) group and it is my default
>> primary group in normal non-admin and elevated admin shells.
>> In elevated admin shell, I am also a member of 114(Local account and
>> member of Administrators group) and 405504(High Mandatory Level) not
>> 401408(Medium Mandatory Level).
> You have either some /etc/passwd, /etc/group settings overshadowing the
> default settings, or you used the "desc" method described in
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-desc
> to change your primary group.
> Otherwise your primary group is always "None", or the equivalent in your
> locale. The admins group is *never* the primary group, unless you
> messed with the settings for Cygwin as outlined above.
> If you're member in the Admins group, then the admins group is part of
> the non-elevated token, but only as "deny-only" group. That means, it's
> usually not shown in id, unless you made it primary group, in which case
> it has to be shown.
> You better remove this. I think I'll fix this function to not allow
> primary groups which are not enabled in the token.
net user /comment - thanks, that worked.
Removed comment (in elevated shell) and default became None.
Readded comment with Users and that became the default.
Will leave that there, as seeing None=="local non-domain accounts" bugs me,
and it seems stupid to default anything to local non-domain accounts only.
Is there a better consistent choice of dynamic group having elevated rights
on both local and domain systems than 544 e.g. 114 or 405504 or ?
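
The following is an added example, not part of the original message or of Cygwin itself: a `~/.bashrc` fragment that picks the prompt from the group ids discussed in this thread, ignoring 544 when it is the primary group because, as noted above, a primary group is listed by `id` even in a non-elevated shell. The function names and the sample group lists in the comments are assumptions made for illustration.

```shell
# Group ids as quoted in the thread:
#   544    Administrators
#   114    Local account and member of Administrators group
#   405504 High Mandatory Level (401408 is Medium Mandatory Level)

# shell_is_elevated GROUP_LIST PRIMARY_GID   (hypothetical helper)
#   GROUP_LIST  space-separated gids, as printed by `id -G`
#   PRIMARY_GID the gid printed by `id -g`
# Returns 0 when the token looks elevated, 1 otherwise.
shell_is_elevated() {
    case " $1 " in
        *" 405504 "*) return 0 ;;   # High Mandatory Level present
        *" 114 "*)    return 0 ;;   # local admin group enabled in the token
    esac
    # 544 only counts when it is not the primary group: a primary group
    # is shown by id even if it is deny-only in the non-elevated token.
    if [ "$2" != 544 ]; then
        case " $1 " in
            *" 544 "*) return 0 ;;
        esac
    fi
    return 1
}

# prompt_for GROUP_LIST PRIMARY_GID: print the PS1 string to use.
prompt_for() {
    if shell_is_elevated "$1" "$2"; then
        # Red "[admin]" tag and a "#" marker for elevated shells.
        printf '%s' '\[\e[1;31m\][admin]\[\e[0m\] \u@\h \w\n# '
    else
        printf '%s' '\u@\h \w\n\$ '
    fi
}

# Apply it in interactive shells only (PS1 is unset otherwise).
if [ -n "${PS1-}" ]; then
    PS1=$(prompt_for "$(id -G)" "$(id -g)")
fi
```
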