Unable to start Docker without AD domain connection

[slafave]

Expected behavior

When running outside my company network with my VPN disconnected, I should be able to start and use Docker.

Actual behavior

After updating to the newest edge build, 17.06.0-rc1-ce-win13 (12433), I get an error "Unable to start Docker, you must be part of the docker-users group". It is only when I connect my VPN or connect to the internal company network, thereby getting a connection to a domain controller, that I can start docker. My AD account is indeed part of the local docker-users group, but the docker startup security check seems to only validate that local group membership if it can verify my AD account with an AD DC.

Information

• A5DA733E-F0E6-4FCE-9066-01021758BEA2/2017-06-01_13-40-30
• Windows 10 Enterprise 1703 Build 15063.332

Steps to reproduce the behavior

1. Update to the latest edge version, 17.06.0-rc1-ce-win13 (12433)
2. Start your machine without a connection to your company AD
3. Try and run Docker, receive the "not in docker-users group" message
4. Connect VPN or connect to company internal network.
5. Start Docker - this time it starts and is usable

[jasonbivins]

Hi @slafave thanks for posting this.

I am able to reproduce this so I'll go ahead and report it as a bug. We should have a fix out for it soon.

As a possible workaround for your problem - Make sure your local windows user on your laptop is a part of the docker-users local group. You should see it in computer management.

Thanks! Jason

[gregpakes]

I have the same issue, but my machine is not Domain-Joined. It is workplace-joined, so I am skeptical about access to the DC's being a factor for me.

Sadly, I am unable to test as I have downgraded to the stable version, as I need to use Docker today.

[QAnders]

This is an issue for me too. Exact same behaviour and it runs fine if I connect to corporate VPN. I have access to Users and Groups on my local laptop (Admin) but when disconnecting VPN the "local user" is no longer authorized to run Docker.

[MartinGroh]

I have the same problem as well. I use AzureAD.

For the workaround. I put my user in a local “docker-users” group, but to no avail. I tried to add my local admin account and lunched run docker as admin, but the result is the same.

[jasonbivins]

Hi @MartinGroh Did you add your local admin account, or your actual local user account to the docker users group? I'm able to work around the issue by adding my local user account.

[devsaurabh]

Tried to run it as Run as different user and provided credentials for another local user account (COMPUTER_NAME\{your_local_user_account}) which is member of docker-user group. It worked. Though not sure, rest will run as expected or not.

[MartinGroh]

@jasonbivins

I run as my Azure user, so the “only” local user I have is the admin. I have both my Azure user in the local “docker-users” group and admin. I tried to run docker from my admin user after adding the account to the group, but I get the same message, that I’m not in the “docker-users” group.

[friism]

@gregpakes @MartinGroh if you haven't already, can you please run diagnostics and post the diagnostic id so we have details for debugging.

[jasonbivins]

Hi @MartinGroh Are you locked out entirely from Docker, or are you able to access when connected to your domain?

[chvndb]

@jasonbivins it works when connected to the domain. It is possible to disconnect once docker runs, but restarting requires again to be connected to the domain.

[jasonbivins]

@chvndb Have you tried the workaround with the local users group? I'm curious to see how that affects the login problem.

[roysbailey]

Exactly the same issue. I am completely locked out of docker now. I am not local domain joined, I am running Windows 10 with an office 365 account (so AzureAD). I cannot run docker at all, so I am unclear as to how I will get an update to fix this, as usually docker updates itself when it runs (and it wont run to get the update).

How would you advise me to move forward from this position? Do I need to go back a version? If so, how would I do that?

p.s. I have tried the workaround with adding my user to the local docker group, and that makes no difference (infact, my user was already in that group).

Thanks...

[gregpakes]

@roysbailey - I'm not sure what the official advice will be, but I just downgraded docker to the current stable. Uninstall + reinstall.

[roysbailey]

Thanks @gregpakes... Do you have a link to the version you went back to? Thanks!

[gregpakes]

@roysbailey The stable channel. This issue only exists on the Edge channel.

[roysbailey]

Thanks @gregpakes .

I have switched over to the stable channel and I am back up and running.

Cheers, Roy.

[planetf1]

I don't seem to be able to start docker at all. Not only do I get the message at startup, but also if trying to start docker later

I can't use a local user. The id in question is apparently setup for PIN only - no password exists (in case that's a factor).

[jayfresh]

I just installed the latest Docker update that flashed up today (I had previously downgraded to the stable version) and this problem is still there for me. I use AzureAD to login to the computer - it's not clear I can add myself to the docker-users group...

I am able to run docker as our AzureAD administrator, which is in the docker-users group, by right-clicking Docker for Windows and opting to run as administrator. But then I can't run the docker commands from a non-admin shell - loading up a powershell as admin and running docker looked like it was going to work but triggered a security warning about vpnkit. At this point, I thought I'd downgrade back to the stable branch, but this feature is now in the stable branch so I'm currently having to hunt for previous versions. Boo!

[VecchioIdraulico]

I'm in a similar situation after this morning's update: I'm not a domain admin on my office network, so I cannot add myself to a user group. Running the software as an administrator is, obviously enough, poor security practice.

I'd like to roll back to an earlier version until this issue is resolved: Is there one available for download?

[simonferquel]

Have you tried to log out and re-log in before running Docker for Windows ? Group membership update requires the user to re-log in to happen.

[htuomola]

@jayfresh I got the same error but I added "Authenticated Users" group to Docker-users and restarted laptop and it started now. Not sure which it was, could've just been the logout/login alone (for the direct user membership to docker-users to take effect).

@VecchioIdraulico not sure about your setup but docker-users is a local group, not a domain group so local admin rights should be enough to add yourself into it?

Related to this, I thought that it'd be easy to return to older version but can't actually find them anywhere. Are they somewhere? That should be basic stuff to keep them around in case there are any breaking changes.

[VecchioIdraulico]

@htuomola Thanks. It's a corporate account, and I'm not able to administer it. (That's good security practice in my working context.) I can run Docker as a local admin, but that's not entirely safe. Trying @simonferquel's suggestion - for which, also, thanks - just gets me a toast notification that I can't run Docker because I'm not in the appropriate group.

[zhaoqin-github]

I also encounter this problem, after upgrading my docker to version 17.06.0-ce-win18 today. The lower version used to work well on my Windows 10, but the new version can not. I am also a Azure AD user, and can not login Windows as a local user. I see that the Azure user id does exist in docker-users group.

[htuomola]

@chaochin-github I had the identical setup to yours. Did you try what I suggested above (restart or add all users to docker-users). @VecchioIdraulico not sure if it can be locked down but docker-users is a local group so modifying it normally requires only local admin rights

[zhaoqin-github]

@htuomola Do you mean restart docker service? Or restart Windows 10?

[htuomola]

@chaochin-github Windows (or log out and log back in). Group memberships require relogin to update, AFAIK.

[zhaoqin-github]

@htuomola After I logout and login again, I am able to start Docker! Thank you very much!!

[Vishwa221]

@htuomola thanks a lot. Logging out worked!!!

[henriquedesousa]

My fix was to add the "Everyone" group to the docker-users group.

[LyalinDotCom]

Hit the same issue on fresh installer of Docker Tools on my Windows 10 dev box at home, will try the work around's suggested.

[dsschnau]

I encountered this issue and a logout/login resolved it.

[dinesarun]

If we get this issue fixed soon, it will be better and easy for windows users to kick start with Docker..

[Ben-m-s]

Same issue here. Thanks, guys, for working on a solution. Very useful.

[certik]

I use the latest stable version of Docker on Windows 10, can run Docker under an admin account, but not under my user account (which is in the docker-users group, and yes, I restarted several times), it gives the error "Unable to start Docker, you must be part of the docker-users group".

At the very least, this error message is misleading, as I am in fact "part of the docker-users group".

Workaround: I added "Authenticated Users" group to docker-users, and now it works! Thanks to @htuomola.

[duncancoppedge]

Upgraded to 17.09.0-ce-win32 (13529) on win10 enterprise 1607 (14393.1715) today. I was connected to my company's AD. Same error. Restarted several times. Run as admin didn't work.
Workaround: added my AD user to the docker-users group.
There were no other users or groups assigned to the docker-users other than NT AUTHORITY\SYSTEM (S-1-5-18)

[drlukeangel]

Main issue above replicated as AzureAD user was not by able to share a drive even as admin of computer. windows version 10 .0.15063.0 In response to @duncancoppedge his post led me to the correct action. my azuread/{user} was in the docker-users group and it was not working added the docker-users group as full permission to drive and that seemed to work.

[dl7631]

Guys, I am having the same issue. Could anyone please explain how one can add oneself to the docker-users group? What are the actual steps? Thank you

[jasonbivins]

@dl7631 The docker-users group is a local users group on your machine. You can add yourself to it through the Windows GUI here

[drlukeangel]

alternatively if you can create a local user admin on the machine and install it that user and share your dirve it will also work.

[ddamerell53]

Adding "Local account" to docker-users solved the problem for me. Though I'm sure that probably opens up security issues.

[GreenSpecialist]

Still an issue. I even added everyone to the docker-users group and it doesnt work

[khteh]

Docker version 18.03.1-ce, build 9ee9f40 still has the issue. All users are added to docker-users group!!!

[khteh]

Resolved. I must login to active directory and add myself into docker-users group. I was using local account and that's why it failed.

[nfunky]

In certain Windows versions you might not have the "Local Users and Groups" option in the Computer Management. I used the following command to add my username to the docker user group: net localgroup "docker-users" "username" /add

[RobertMara]

Thank you @nfunky. That solved my problem. I'm working on a personal laptop and didn't have Local Users and Groups.

[jamesz]

For those using AzureAD as domain and thus can't find your user in the Local Users and Groups, try reinstalling Docker Desktop while logged in as your AzureAD user. That worked for me.

[BobBuildingCode]

If you're using AzureAD, you can also try adding the account with net localgroup (even if you can't find the user in Local Users and Groups): net localgroup "docker-users" "AzureAD\user@domain.com" /add

[bsunderhus]

Is there any updates for this issue? I'm having the same problem with an external user, although my user is already in the group, I still can't run docker

[lysaali50]

I'm new to this. I don't have a work/school email but do want to set up docker for home media sharing for fun with nextcloud

i logged in with my google account on docker, but it keeps crashing for some reason? I've been following Raid Owl's guide on youtube, https://youtu.be/rmVCtZrtvgA?si=EyPwK2NwFgDJTCln

not sure why docker keeps crashing on me? do i need an active directory? what's the simplest way i can work around this?

last thing: I'm using a windows 11 laptop with a Ryzen 7 processor

[achur00]

I was able to resolve the issue, Thanks to @htuomola idea, STEPS 1.Go to windows computer management

2. include authenticated-user to docker-users group
3. Restart your computer