On Wed, Nov 25, 2020 at 7:04 PM Clint Dovholuk <[email protected]> wrote:
>
> Out of curiosity - why not just use "S-1-5-4" Interactive - "A group that
> includes all users that have logged on interactively. Membership is
> controlled by the operating system."
>
> If the user logged on - let them turn the tunnel on/off?
I guess that's the same argument as, "why doesn't Microsoft let users twiddle around with adapter settings and IP addresses if they're interactive?" Apparently there was some imperative for having control over this be more fine-grained, so they provide the NCO group. Turning on and off WireGuard tunnels seems akin to disabling and enabling network adapters, in general, so linking the two seems coherent.

More concretely, some folks are deploying WireGuard in a much more restricted setting, in which the end user has no control over when it goes up or down; that's all decided by some remote service out of the interactive user's purview. For some high sensitivity applications, not letting interactive users disable WireGuard is desirable. For other applications, it's the opposite. The NCO group seems to fit the level of granularity we're after.
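The two groups being compared above are both visible in a logon token, which makes the distinction concrete. The following PowerShell is an added example, not code from the thread or from the WireGuard project: it inspects the current token for the Interactive SID (S-1-5-4) and the Network Configuration Operators SID (S-1-5-32-556, the well-known BUILTIN SID for that group), and shows how an administrator deliberately opts one account into tunnel control by adding it to NCO. The account name `alice` is a hypothetical placeholder.

```powershell
# Added example; not part of the original mailing-list post.
# Shows the difference between "logged on interactively" (S-1-5-4) and
# "member of Network Configuration Operators" (S-1-5-32-556) in a token,
# and how an admin grants the latter on purpose.

$InteractiveSid = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE, set by the OS at logon
$NcoSid         = 'S-1-5-32-556'   # BUILTIN\Network Configuration Operators

function Get-TunnelControlStatus {
    # Returns which of the two groups the *current* token carries.
    # Note: token group SIDs are fixed at logon, so a membership change
    # made later is not reflected until the user logs off and on again.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = $token.Groups | ForEach-Object { $_.Value }

    [pscustomobject]@{
        User          = $token.Name
        IsInteractive = [bool]($sids -contains $InteractiveSid)
        IsNcoMember   = [bool]($sids -contains $NcoSid)
    }
}

function Grant-TunnelControl {
    # Opts one account into toggling tunnels by adding it to NCO.
    # Must run elevated. Membership is resolved by SID so it works
    # regardless of the group's localized display name.
    param([Parameter(Mandatory)][string]$Account)

    $already = Get-LocalGroupMember -SID $NcoSid -ErrorAction Stop |
               Where-Object { $_.Name -ieq $Account }
    if (-not $already) {
        Add-LocalGroupMember -SID $NcoSid -Member $Account -ErrorAction Stop
    }
    # Return the resulting membership list for verification.
    Get-LocalGroupMember -SID $NcoSid | Select-Object -ExpandProperty Name
}

# Usage (hypothetical account name):
Get-TunnelControlStatus | Format-List
# Grant-TunnelControl -Account "$env:COMPUTERNAME\alice"
```

On a default workstation an ordinary interactive user will show `IsInteractive = True` and `IsNcoMember = False`, which is exactly the gap the post is describing: being logged on is automatic, while NCO membership is a deliberate administrative decision. The caveat in the comment matters operationally: after `Grant-TunnelControl`, the user's existing session still carries the old token, so the new permission only appears in a fresh logon.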
