admin privileges when logging in by ssh?

Andrew Schulman
Fri Oct 14 15:19:00 GMT 2011

> Does Windows 7 Home Premium come with a native whoami?

Yes, it does.  So here's what I've found.  I have two users, who get
different results.

(1) User admin is a member of the Administrators group.  He gets the 
expected results:  whether he logs in by password or pubkey authentication,
he can use his administrative privileges.

(2) User backup is a "standard user", not a member of the Administrators 
group.  This is by design, to create a minimally privileged backup user.  
He has been separately granted SeBackupPrivilege and SeRestorePrivilege via 

When user backup logs in by ssh, he gets different results:

  * If he logs in by password authentication, then whoami /all shows 
the right user name and privileges, and he can use the privileges.  See 
Listing 1 below.  So this is fine.
  * If he logs in by pubkey authentication, he doesn't get the backup and
restore privileges.  See Listing 2 below.  This is confirmed by e.g.

backup@sulfur ~
$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

So the difference AFAICT is the membership in the Administrators group.
Notice also in the two listings below, that by password authentication,
backup gets

Mandatory Label\High Mandatory Level

while by pubkey, he gets

Mandatory Label\Medium Mandatory Level

whatever those are.

The usual advice for creating backup users is to make them members of the
"Backup operators" group, so that they get all of the required privileges
for backup.  But this isn't possible in the "Home" editions of Windows 7:
there's no Backup operators group, and you're not allowed to create one.
So I had to fall back to a standard user with an additional grant of
SeBackupPrivilege and SeRestorePrivilege.  I also tried adding a few more


but it didn't help.


LISTING 1: password authentication

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all


User Name     SID                                          
============= =============================================
sulfur\backup S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


Group Name                           Type             SID                                           Attributes                                        
==================================== ================ ============================================= ==================================================
Everyone                             Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                     Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE             Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group


Privilege Name                Description                          State   
============================= ==================================== ========
SeBackupPrivilege             Back up files and directories        Enabled 
SeRestorePrivilege            Restore files and directories        Enabled 
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

LISTING 2: pubkey authentication

backup@sulfur ~
$ /win/c/Windows/System32/whoami /all


User Name         SID                                          
================= =============================================
sulfur\cyg_server S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx


Group Name                             Type             SID                                           Attributes                                        
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
SULFUR\HomeUsers                       Alias            S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group


Privilege Name                Description                               State   
============================= ========================================= ========
SeBackupPrivilege             Back up files and directories             Disabled
SeRestorePrivilege            Restore files and directories             Disabled
SeShutdownPrivilege           Shut down the system                      Enabled 
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeUndockPrivilege             Remove computer from docking station      Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled 
SeTimeZonePrivilege           Change the time zone                      Enabled 

Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list