Allowing USERS to change TCP/IP Settings in 2000 Pro

Yes, you can use an Administrative Template, Under Network you choose Network and Dial-Up Connections, I'm going to set up a domain right now to test out exactly what setting you need to modify and then what it will look like so i'll be posting in about an hour or so, i want to test it first to make sure it works right.
Also you might want to give me a little more info so i can best tell you how to distribute it.
If these computers can all be placed into their own OU it can be set as a group policy, otherwise you'll need to apply the template using the Security/Administrative Template tool.
Be back in a few

Is this a Domain? Is this an Active Directory(2000 or above) domain? Are the computers in a P2P configuration?

Sorry.......We currently have an NT 4.0 domain. We use DHCP locally and the users need to be able to change that if possible.

ok... (wipes out AD domain and puts in NT4 CD)
sheesh
hehe
okey gimme a little bit.
still though
Administrative Templates work for NT, also, since they are just modifications of registry settings =)

Thank you very much...sorry about the confusion. I am looking just to make changes on the local machine. I hope that helps.

are the clients NT also?

The clients I am trying to work with are 2000 Professional sp3.

we used this to change 2k and 9x machines to dhcp, but had to be logon on as some sort of admin








Dim WSHShell, OSVer, Path, NList, N, IPAddress, IPMask, IPValue, RegLoc, DefGWValue, NameServer1, NameServer2, NameServer3, DNSNameServer, RegLoc2, CompName, DNSCompName, objShell, ScriptKey, ScriptKeyValue, OpSysSet
Set WSHShell = WScript.CreateObject("WScript.Shell")
OSVer = " "

On Error Resume Next

ScriptKey = "HKLM\Script"      
ScriptKeyValue = WSHShell.RegRead(ScriptKey)      
      
'If (ScriptKeyValue <> "") then
'  WScript.Echo "DHCP Configuration Already Set by Script"
'  WScript.Quit
'End If

On Error Resume Next

'**************************** WINDOWS 9X ********************************************

Path = "HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName"
OSVer = WSHShell.RegRead(Path)
      
If (OSVer = "Microsoft Windows 98") or (OSVer = "Microsoft Windows 95") then

      'WScript.Echo "Configuring DHCP for " & OSVer
      
'*************************************************************************************
'********* Script to change Win9x machines from static IP Address to DHCP ************
'************************ The script will only run once ******************************
'************************ Tim Hudson - v1.0 - 06.06.2002******************************
'*************************************************************************************

      NList = array("0000","0001","0002","0003","0004","0005","0006","0007","0008","0009","0010")

      RegLoc = "HKLM\System\CurrentControlSet\Services\Class\NetTrans\"

      For Each N In NList
        IPValue = ""      'Resets variable
        IPAddress = RegLoc & N & "\IPAddress"
        IPMask = RegLoc & N & "\IPMask"
        IPValue = WSHShell.RegRead(IPAddress)
        If (IPValue <> "") and (IPValue <> "0.0.0.0") then
          WSHShell.RegWrite IPAddress,"0.0.0.0"
          WSHShell.RegWrite IPMASK,"0.0.0.0"
        End If

        DefGWValue = ""    'Resets variable
        DefaultGateway = RegLoc & N & "\DefaultGateway"
        'WSHShell.RegDelete DefaultGateway

        'This section is used to delete up to 3 listed WINS servers.
        NameServer1 = ""            'Resets variable
        NameServer2 = ""
        NameServer3 = ""
        NameServer1 = RegLoc & N & "\NameServer1"
        WSHShell.RegDelete NameServer1
        NameServer2 = RegLoc & N & "\NameServer2"
        WSHShell.RegDelete NameServer2
        NameServer3 = RegLoc & N & "\NameServer3"
        WSHShell.RegDelete NameServer3
      Next

      On Error Resume Next

      RegLoc2 = "HKLM\System\CurrentControlSet\Services\VxD\MSTCP\"

      DNSNameServer = RegLoc2 & "\NameServer"
      WSHShell.RegWrite DNSNameServer, ""

      'Change the workgroup to NA.
      WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\WorkGroup", "NA"

      'Change the logon domain to NA
      WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\MSNP32\NetworkProvider\AuthenticatingAgent", "NA"

      'Set the Domain Suffix Search Order
      WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\VxD\MSTCP\SearchList", ""

      'Set hostname same as Computer name.
      CompName = "HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName"
      CompName = WSHShell.RegRead(CompName)
      DNSCompName = (CompName)
      WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\VxD\MSTCP\EnableDNS", "1"
      WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName", DNSCompName

      'Change the DNS domain to na.sysco.net
      WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\VxD\MSTCP\Domain", "na.sysco.net"
      WSHShell.RegWrite "HKLM\Script", ("The W2K Script completed on " & Date & " at " & Time)

      wshShell.Run ("runonce.exe -q")
      WScript.Quit


Else

'******************************************** WINDOWS 2000 *******************************************
  'Wscript.Echo "2K Section"

  If (OSVer = " ") Then
    Path = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName"
    OSVer = WSHShell.RegRead(Path)

    If (OSVer = "Microsoft Windows 2000") then

      'WScript.Echo "Configuring DHCP for " &OSVer

      const HKEY_LOCAL_MACHINE = &H80000002
      strComputer = "."

      Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

      strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\"
      oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

      For Each subkey In arrSubKeys
        strvaluename = "ServiceName"
        strKeyPath1 = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\"&Subkey

        oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath1,strvaluename,strvalue

        On Error Resume Next

        strKeyPath2 = "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\"&strvalue

        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution", "1","REG_DWORD"
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList", ""
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain", "na.sysco.net"
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\"&strkeypath2 &"\EnableDHCP", "1","REG_DWORD"
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\"&strkeypath2 &"\NameServer", ""
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\"&strkeypath2 &"\DefaultGateway", ""
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\"&strkeypath2 &"\DisableDynamicUpdate", "0","REG_DWORD"
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\"&strkeypath2 &"\EnableAdapterDomainNameRegistration", "0","REG_DWORD"
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\"&strkeypath2 &"\Domain", ""

        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\EnableLMHOSTS", "0","REG_DWORD"      
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\\Interfaces\Tcpip_" &strvalue &"\NetbiosOptions", "0","REG_DWORD"      
        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\\Interfaces\Tcpip_" &strvalue &"\NameServerList", ""

        WSHShell.RegWrite "HKEY_LOCAL_MACHINE\Script", ("The W2K Script completed on " & Date & " at " & Time)

'********************************* REBOOT MACHINE **************************************************
'        Set OpSysSet = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
'
'        for each OpSys in OpSysSet
'          OpSys.Reboot()
'        Next
      Next
    End if
  End if
End If

WScript.Echo "DHCP Script Finished!"

did any of the suggestions help, please close or respond

Sorry,

None of the suggestions helped. I cannot believe that Microsoft wouldn't have taken this into consideration. I will keep this open for a few days more to see if anything comes of it.

Seth

Keep it open, I might have an idea, but I won't have time to verify that until the weekend, sorry.

A possible solution is to give your users a configuration file to edit and then to use the task scheduler to read and set the new IP configuration.
On your notebooks, create a local account with administrator rights, for example "SrvTaskScheduler".
Put the TCPIP.txt file from below into a folder where your users have write access, create a shortcut to it in the start menu. Create a shortcut to the log file as well.
Create a new subfolder in your Program Files folder, for example "SetIP". Important: Change the NTFS rights on this folder so that only administrators have write access!
Copy the SetIP.cmd file from below into this directory, adjust the configuration file and log file paths, then create a task running under the new account at logon that starts SetIP.cmd.
The script will check if the configuration file has been edited and, if so, will read the new settings and apply them using netsh.exe.
You'll need setx.exe from the Resource Kit (or from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setx-o.asp) some place in the path.
In the future, the user can logon, edit the file, logoff, then logon again, and should have network connection. (If he needs a domain logon, though, he might have to logon a third time, since the network will only be available after his second logon.)
This is a rather crude but working solution. Try if it works for you, come back if you have additional questions or need some improvements.

====8<----[SetIP.cmd]----
@echo off
setlocal

:: *** Path and name of the configuration and log files:
set SetFile=<SomePath>\TCPIP.txt
set LogFile=<SomePath>\TCPIP.log

(echo %Date% %Time%: Checking TCP/IP settings)>"%LogFile%"
:: *** Check if the settings file has been edited:
for /f "tokens=*" %%a in ('dir /b "%SetFile%" 2^>NUL') do set FileName=%%a
for /f "tokens=1,2" %%a in ('dir "%SetFile%" 2^>NUL ^| find /i "%FileName%"') do set FileDate=%%a %%b
if not "%FileDate%"=="%TCPIPFileDate%" goto ChangeSettings
(echo Settings file unchanged.)>>"%LogFile%"
goto leave

:: ********************************************************************************
:: *** Settings file has been edited
:ChangeSettings
:: *** Update the environment variable with the file date:
setx.exe TCPIPFileDate "%FileDate%" -m
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "Interface"') do set Interface=%%a
:: *** Has DHCP been enabled?
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "DisableDHCP"') do set DisableDHCP=%%a
if "%DisableDHCP%"=="0" goto EnableDHCP

:: ********************************************************************************
:: *** Set a static IP
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "IPAddress"') do set IPAddress=%%a
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "SubnetMask"') do set SubnetMask=%%a
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "DefaultGateway"') do set DefaultGateway=%%a
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "DNSServer"') do set DNSServer=%%a
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "DNSRegister"') do set DNSRegister=%%a
for /f "eol=# tokens=2 delims==" %%a in ('type "%SetFile%" ^| find /i "WINSServer"') do set WINSServer=%%a
set GWMetric=1
if /i "%DefaultGateway%"=="none" set GWMetric=
(echo Executing "netsh interface ip set address "%Interface%" static %IPAddress% %SubnetMask% %DefaultGateway% %GWMetric%" ...)>>"%LogFile%"
netsh interface ip set address "%Interface%" static %IPAddress% %SubnetMask% %DefaultGateway% %GWMetric% >>"%LogFile%"
(echo Executing "netsh interface ip set dns "%Interface%" static %DNSServer% %DNSRegister%" ...)>>"%LogFile%"
netsh interface ip set dns "%Interface%" static %DNSServer% %DNSRegister% >>"%LogFile%"
(echo Executing "netsh interface ip set wins "%Interface%" static %WINSServer%" ...)>>"%LogFile%"
netsh interface ip set wins "%Interface%" static %WINSServer% >>"%LogFile%"
goto IPConfig

:: ********************************************************************************
:EnableDHCP
(echo Executing "netsh interface ip set address "%Interface%" dhcp" ...)>>"%LogFile%"
netsh interface ip set address "%Interface%" dhcp >>"%LogFile%"
(echo Executing "netsh interface ip set dns "%Interface%" dhcp" ...)>>"%LogFile%"
netsh interface ip set dns "%Interface%" dhcp >>"%LogFile%"
(echo Executing "netsh interface ip set wins "%Interface%" dhcp" ...)>>"%LogFile%"
netsh interface ip set wins "%Interface%" dhcp >>"%LogFile%"
goto IPConfig

:: ********************************************************************************
:IPConfig
(echo Done.)>>"%LogFile%"

:: ********************************************************************************
:leave
====8<----[SetIP.cmd]----

====8<----[TCPIP.txt]----
# Spaces beginning with # are comments.
# Do not use spaces around the "="!
# Possible settings:

# Interface=Name of the LAN connection
# DisableDHCP=1 | 0

# The following settings are only valid if DHCP is disabled:
# IPAddress=IP address
# SubnetMask=Subnet mask
# DefaultGateway=IP address of Default Gateway
# DNSServer=none | IP address of DNS server
# DNSRegister=(empty) | none | primary | both
# WINSServer=none | IP address of WINS server

Interface=LAN-Verbindung
DisableDHCP=0
IPAddress=192.168.10.200
SubnetMask=255.255.255.0
DefaultGateway=192.168.10.254
DNSServer=192.168.10.254
DNSRegister=none
WINSServer=none
====8<----[TCPIP.txt]----

sethm,
Sorry it took so long for me to get back to you. I was busy with that stupid intellimirror crap. I don't know how to do all of the stuff mentioned above but this will fix what you are trying to accomplish as far as your original post went...
so anyways, thanks for the info, since you have Windows 2000 Pro machines, the ones the need to be able to change their TCP/IP settings need the following changes implemented.

Log on as an administrator to the Windows 2000 Laptop(s) that you want to change the setting for.
Open the MMC (Start, Run, MMC)
Add a new snap-in for Group Policy(Console, Add/Remove Snap-ins, Click Add..., Choose Group Policy, Click Add, Finish, Close, OK) [it will change the name to local computer policy, this is normal]
Expand the Local Computer Policy
Expand User Configuration
Expand Administrative Templates
Expand Network, Click Network and Dial-up Connections.
This done, about 19 options will show up on the right, starting with Prohibit deletion of RAS connections, and going down the list prohibiting everything networking you can think of =)
what you want to do is allow your users to switch from Static to DHCP, so...
Select Prohibit enabling/disabling a LAN connection Choose Disabled.
Select Prohibit access to properties of a LAN connection Choose Disabled.
Select Prohibit access to perperties of components of a LAN connection Choose Disabled.

With these settings in place users can now modify the TCP/IP setting of Obtain an IP address automatically, or Use the following IP address

I had originally started typing out the instructions to define the security template for this, and then apply that but i figured since it isn't many laptops, this might be easier, if you want the other way let me know and i'll type it all out.

Also in reference to who gets to modify these settings you can set any groups you want, the ones i gave were just a suggestion.
 

Well that works, I think. The problem is that they need to be put in the Administrators group and that still allows them to change domains and install apps. I want to prevent that. Thanks for all of your help. Seth

no with that setting the Won't need to be in the administrators group
that's the nifty part =)
hold on i'll test it really quick.

ah darn,
open mouth insert foot
Okey dokey,
 no problem
Here, start with this
i'll be right back with the rest of the settings:
since you have Windows 2000 Pro machines, the ones the need to be able to change their TCP/IP settings need the following change implemented, a security template that defines Authenticated Users can modify TCP/IP settings, or in other words, Network Configurations.
To perform this complete the following tasks:
Open the MMC (Start, Run, MMC)
Add a new snap-in for Security Templates (Console, Add/Remove Snap-ins, Click Add..., Choose Security Templates, Click Add, Close, OK)
Expand Security Templates and C:\Winnt\Security\Templates, by clicking the plus sign next to them
Right Click on setup security, (the default out of the box security settings). Choose Save As...
Name it AllowNetChange (or whatever cool name you like)
Expand it's properties so that you can see System Services in the left hand side of the console, Select it.
When you do on the right a list of services will appear, the first being alerter, then so on and so forth.
You want to double click on Network Connections.
When it opens you want to click Define This Policy setting in the Template.
    Choose Automatic for service startup mode.
         Click Edit Security...
            Click Add... Choose to add the following groups, Administrators, Domain Admins, Authenticated Users.
 Under each of these, choose Full Control.
            Remove the Everyone Group if you wish, (I do) ***But do NOT DENY the Everyone group. actually click them and choose remove. Otherwise this will be very bad.

         Now Click Apply, Ok, Ok.
The policy is defined.
Right Click on that policy, (Whatever you named it) and choose Save.
Now we need to get it imported on the Windows 2000 Laptops that will be traveling around the globe =).

To do this you can either share it on the network, and access it through the network to import it, or you can put it on a floppy and import it.
be right back in a few with the import instructions

hmmn
scratch that.. it seems to not be working
Even though that's what MS says to do
liars

but i'm not giving up

There is not a standard Windows 2000 solution without user Administrator rights to do the trick.

But using NETSH in combination with 3rd party software like:
   - Sanur (http://www.autotone.com/sanur/)
   - Tqcrunas (www.quimeras.com)
should do the trick.

I'm trying to implement it this moment so I don't have possitive results yet.

Wim

There is a nice tool called AutoIT. It can be found at www.hiddensoft.com/AutoIt/. It is a scripting tool which will send the necessary keystrokes (i.e. a password) to any application within windows. I already have got a working concept for changing IP-addresses thru NETSH in combination with the RUNAS command.

The advantage of AutoIT is that it can compile a script to an executable so that the normal users can't read the script to find out what password was used.

The AutoIT package also contains the possiblity to decompile an executable back to a script but you can use a 'passphrase' during compilation to avoid clever users to regain the original script.

To my opnion it is a magnificant tool.

Wim

Is there a way you can send me the script to do that. I am not a programmer or scriptwriter but would like to look at it and try to figure it out.

thanks,
Seth

Hi Seth,

If you want to receive the scripts, please send an e-mail to prodinfo@humancapitalcare.nl with the text 'scripts for netsh' in the subject field

Good luck,
Wim

Wim,

THank you for the scripts. I don't quite understand how it is supposed to work. I guess its basically the Auotmatic with Addit routes. What is that supposed to do?

thanks,
Seth