On Sat, Aug 19, 2023 at 2:15 AM ASSI wrote: Windows really doesn't have a defined notion of what is or is not an > "administrator". Each particular definition will be insufficient or > invalid in certain contexts. >
There is a definition of administrator in Windows: Your account is a member, either directly or indirectly, of the Administrators group (SID 1-5-32-544). With the introduction of User Account Control (UAC) in Windows Vista, if you log on as a member of this group, processes are normally started with the Administrators group disabled (i.e, the process is not running as a member of Administrators). The "run as administrator" action starts a process with the group enabled. This is commonly referred to as "elevation." [Side note: As I understand it, one of the reasons UAC was introduced was made was to break (some?) software developers' habits of assuming their programs run as administrator, and to choose better data storage paths, registry paths, etc. See https://techcommunity.microsoft.com/t5/windows-blog-archive/faq-why-can-8217-t-i-bypass-the-uac-prompt/ba-p/701510 for a nice summary. Also helpful is the current docs on SIDs: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers ] On a domain, the Domain Admins group (which has a relative identifier, or RID, of 512) is by default a member of the Administrators group. The Administrators group is still there (same SID, S-1-5-32-544), and is called a "Domain Local Security Group" (i.e., it's a local group that's shared by all domain controllers.) Hope this helps clarify. Bill -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
