On Wed, Nov 25, 2020 at 11:30 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On 11/25/20, Riccardo Paolo Bestetti <pbl@bestov.io> wrote:
> > On Wed Nov 25, 2020 at 2:08 AM CET, Jason A. Donenfeld wrote:
> >> Hi Riccardo,
> >>
> >> Interesting consideration. I didn't know that.
> > I didn't know that either until I tried to deploy WireGuard on a laptop
> > yesterday! It seems not to be documented anywhere.
> >
> > The group has been around since Windows XP afaik, however I have no idea
> > whether the associated licesing chicanery has also been around that long.
> >
> >>
> >> Can you not add that group manually need be?
> > I'm not an expert on Windows, but a quick lookup on the net suggests you
> > cannot create a local group with a specific SID.
>
> I'm not convinced this is the case. We're talking about a local group.
> Surely there's some on-disk representation of available groups and
> associations, no? This line of inquiry needs to be fully exhausted
> before we even consider alternatives.
>
> Has Microsoft documented this limitation?

Well, I made Network Configuration Operators work just fine on Windows
10 Home edition. Here are the steps I followed, which I'm sure I could
compress into a single powershell script or executable need be:

1. Download psexec from the sysinternals page:
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
2. Download nco.reg from the attachment in this email.
3. Open up an administrator console and type `psexec -i -s regedit`.
4. Choose File->Import and select the nco.reg file.
5. Add your user to the group like usual (e.g. `Add-LocalGroupMember
-Group "Network Configuration Operators" -Member MrDerp`).

I've confirmed that this works fine with the limited operator ui on
WireGuard for Windows 0.3.1.

Jason