This happened (explanation on how we got to this below):
PS C:\> Add-LocalGroupMember -Group "Network Configuration Operators" -Member myuser
Add-LocalGroupMember : MYLAPTOP\myuser is already a member of group Network Configuration Operators.
At line:1 char:1
+ Add-LocalGroupMember -Group "Network Configuration Operators" -Member ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceExists: (Network Configuration Operators:String) [Add-LocalGroupMember], MemberE
xistsException
+ FullyQualifiedErrorId : MemberExists,Microsoft.PowerShell.Commands.AddLocalGroupMemberCommand
PS C:\> Remove-LocalGroupMember -Group "Network Configuration Operators" -Member myuser
Remove-LocalGroupMember : Member MYLAPTOP\myuser was not found in group Network Configuration Operators.
At line:1 char:1
+ Remove-LocalGroupMember -Group "Network Configuration Operators" -Mem ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (MYLAPTOP\myuser:String) [Remove-LocalGroupMember], MemberNotFoundExcep
tion
+ FullyQualifiedErrorId : MemberNotFound,Microsoft.PowerShell.Commands.RemoveLocalGroupMemberCommandon how we g
Basically if I try to add myself to the "Network Configuration Operators" I'm told I'm already a member of it. If I try to remove myself from the group I'm told I'm NOT a member of it. Also verified by:
PS C:\> Get-LocalGroupMember "Administrators"
ObjectClass Name PrincipalSource
----------- ---- ---------------
User MYLAPTOP\Administrator Local
User MYLAPTOP\root Local
PS C:\> Get-LocalGroupMember "Network Configuration Operators"
PS C:\>
How did I get to this? How did I achieve Windows Quantum edition?
Well, first of all my computer has Windows Home edition. When setting up I create an account with username "root" that is in the Administrators group. Then I create an additional account "myuser' which is NOT an administrator and do my day-to-day with that account. This has always worked well for me until WireGuard.
WireGuard does not allow non-administrators to use it. In order to allow a non-admin to turn tunnels on/off they decided to check for user membership to the "Network Configuration Operators" group. I was following the instructions in this blog which mentioned this and decided to add "myuser" to that group.
IMPORTANT: At this point I realise the group does not exist. Fine, I'll just create it! I ran New-LocalGroup "Network Configuration Operators"
and then Add-LocalGroupMember -Group "Network Configuration Operators" myuser
. So this is important because at this point I was in a consistent state: Get-LocalGroupMember "Network Configuration Operators"
showed the group with me in it.
I rebooted and tried to launch WireGuard but got the same error (I'm not an admin). Digging around I found the explanation: the group was supposed to pre-exist with a specific SID, but this is true for all editions of Windows EXCEPT the Windows Home edition (which I am using). Fortunately a solution is provided in this message: someone posted a registry file (attachment.bin at the bottom of the message, or direct link to it in attachment) that creates the group properly, with the appropriate SID which must be S-1-5-32-556
and then you should be good to go!
IMPORTANT: This is where I think things went bad. I just ran Remove-LocalGroup -Name "Network Configuration Operators"
while I was still a member. I would expect this just removes the membership? Anyway, next step was to import the attachment with reg import attachment.bin.reg
which gave me:
PS C:\> Get-LocalGroup "Network Configuration Operators"
Name Description
---- -----------
Network Configuration Operators Members in this group can have some administrative privileges to manage configuratio...
THIS IS WHERE THE ISSUE APPEARED: I tried the commands at the top of the post, to add myself to the group and Windows replied: "you're already in it". I tried to remove myself from it, and get a list of members, and Windows said: "you're not in it".
I rebooted. (it's my go-to move)
Computer says no. (it's Window's go-to move).
So, any ideas what to do next? I was thinking of deleting the registry content that the attachement created so that the special group disappears? But what next? Shall I recreate a local group with New-LocalGroup with the same name (and hope I show up as a member)? Will re-creating the group not give it a totally new SID?
How do I fix this invalid state?
I should clarify that this is Windows 11 home edition! The computer management and "lusrmgr.msc" do not seem to work at all. Computer management has no local users / groups. Running "lusrmgr.msc" displays a message saying it has been removed in this edition of Windows...