moby / moby

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
https://mobyproject.org/
Apache License 2.0

Non-default user is not added to LOCAL group (S-1-2-0) #39775

Open kosvar opened 5 years ago

kosvar commented 5 years ago

Description: Hey, I've been trying to run a Docker container with a local user without admin privileges. For that I created a Dockerfile such as:

FROM microsoft/windowsservercore:10.0.14393.2608
RUN NET USER tester /add
RUN net accounts /MaxPWAge:unlimited
USER tester

But when running as the "tester" user, this user is not added to the LOCAL group (S-1-2-0) in Windows. Does anyone know why, or what the workaround is for this to behave as normal? The ContainerAdministrator user does not have this issue and is correctly added to the LOCAL group.

Steps to reproduce the issue:

  1. Build the image
  2. Run the image (docker run -it cmd)
  3. Run "whoami /all" inside the container

Describe the results you received: tester user is not in the LOCAL group (S-1-2-0)

Describe the results you expected: tester user is a member of the LOCAL group (S-1-2-0)

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.0-rc2
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        f97efcc
 Built:             Wed Jun  5 01:37:59 2019
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.0-rc2
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.12.5
  Git commit:       f97efcc
  Built:            Wed Jun  5 01:52:18 2019
  OS/Arch:          windows/amd64
  Experimental:     true

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 14
  Running: 0
  Paused: 0
  Stopped: 14
 Images: 29
 Server Version: 19.03.0-rc2
 Storage Driver: windowsfilter (windows) lcow (linux)
  Windows:
  LCOW:
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics l2bridge l2tunnel nat null overlay transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: inactive
 Default Isolation: hyperv
 Kernel Version: 10.0 18362 (18362.1.amd64fre.19h1_release.190318-1202)
 Operating System: Windows 10 Pro Version 1903 (OS Build 18362.295)
 OSType: windows
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.855GiB
 Name: DESKTOP-FBM9DTL
 ID: 9d2afb03-6a83-4c67-9a6d-faa36c47bc6a
 Docker Root Dir: C:\ProgramData\Docker
 Debug Mode: true
  File Descriptors: -1
  Goroutines: 55
  System Time: 2019-08-20T16:52:11.5986646+02:00
  EventsListeners: 1
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

Additional environment details (AWS, VirtualBox, physical, etc.):
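To make the reproduction in the steps above checkable without reading `whoami /all` by eye, here is an added diagnostic script (not from this issue or the moby project) that inspects the current process token for the well-known logon SIDs, reports which are missing, and exits non-zero when LOCAL (S-1-2-0) is absent. The script name `check.ps1` and the image name are placeholders; it is meant to be run inside the container as the user under test, e.g. `docker run --rm --user tester <image> powershell -File check.ps1`.

```powershell
# Added diagnostic, not part of the issue or of moby. Run inside the Windows
# container as the user under test; compares the token's group SIDs against
# the well-known logon groups, with LOCAL (S-1-2-0) being the one at issue.
$expected = @{
    'S-1-2-0'  = 'LOCAL'
    'S-1-2-1'  = 'CONSOLE LOGON'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Groups is a collection of SecurityIdentifier objects; .Value is the SID string.
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

Write-Host "Token for: $($identity.Name)"
$missing = @()
foreach ($sid in $expected.Keys) {
    $present = $tokenSids -contains $sid
    $status  = if ($present) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-10} {1,-20} {2}" -f $sid, $expected[$sid], $status)
    if (-not $present) { $missing += $sid }
}

# Non-zero exit when LOCAL is absent, so the same script can gate an image in
# a CI step (or a HEALTHCHECK) and catch ACLs that silently rely on S-1-2-0.
if ($missing -contains 'S-1-2-0') {
    Write-Host 'LOCAL (S-1-2-0) is not in the token'
    exit 1
}
exit 0
```

Running it once with `--user ContainerAdministrator` and once with `--user tester` gives a side-by-side view of exactly which logon SIDs differ between the two tokens, which is more useful than the raw `whoami /all` dump when diagnosing access-denied errors on resources whose ACLs grant the LOCAL group.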

thaJeztah commented 5 years ago

@stefanscherer @ddebroy ptal

StefanScherer commented 5 years ago

I can reproduce it with the Windows Server 2019 mcr.microsoft.com/windows/servercore:1809 image as well. I think this is a behavior in the container and not an issue with the Docker engine.

kosvar commented 5 years ago

Wouldn't containeradministrator also have this issue, if it's container behaviour?

StefanScherer commented 5 years ago

I think the user ContainerAdministrator is created in a different way than net user /add, so it might be a member of the LOCAL group.

kosvar commented 5 years ago

The LOCAL group is for (from MSDN): "Users who log on to terminals locally (physically) connected to the system". I don't think it matters how you create users, but how you log them in (hence my suspicion was the USER directive in the Dockerfile).

thaJeztah commented 5 years ago

/cc @jterry75 @jhowardmsft