Solved

NetSh and Admin rights

Posted on 2003-11-21
Last Modified: 2011-10-03
Hello
I have a few users who travel and visit different offices. We have a VPN set up for all offices. I have created batch files (using the Netsh utility) for them to switch between different network settings (that is, IP address, gateway etc). I can run these batch files with administrative rights but not with user or even power user rights. We don't use DHCP. I don't want to use any third-party software utility for this purpose. How can I use the Netsh command without giving local admin rights to the users?
Question by:nazirahmed
 
LVL 11

Author Comment

by:nazirahmed
Extremely sorry, I was in a hurry. I would be grateful for you guys' help. Thanks in advance
Naz
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
hi, personally i think i have similar requirements to yours but i don't use netsh to change the settings for different IPs and gateways. as you mentioned, it needs administrator rights because it changes the network configuration, and the procedures are complex.

my solution is simple. in a few words, it is multihomed ip addresses for the host, which include all the ip addresses needed for all the offices. every time you visit one of them, just change the default gateway for the office by using the "route add" command. you know the route command can be issued by common users, without administrator rights.

ok, let's discuss it in detail. for example if you have 3 offices with 3 ip assignments:
1: 1.1.1.1 default gateway 1.1.1.100
2: 2.2.2.2 default gateway 2.2.2.100
3: 3.3.3.3 default gateway 3.3.3.100

set up all the ip addresses on the notebook, and make the default gateway that of the office he/she visits most often. ok, when you visit another office, just execute the following command, typed manually or from a batch file:

route add 0.0.0.0 mask 0.0.0.0 x.x.x.100

that's ok!

hope it helps,
bbao
0
 
LVL 11

Author Comment

by:nazirahmed
Hello there
that's my question....is there any way to do that without giving admin rights....????? :) i will try the solution you gave.
take care

0
 
LVL 11

Author Comment

by:nazirahmed
hello again
don't you think it will slow down the network communication for the machine having multiple IPs and default gateways?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
1. it definitely does not need administrator rights.
2. it does not slow down the network communication, because the ip routing is based on the local route table, and the default gateway is the first item, which includes the ip address of the next stop. so, take it easy.
3. i use it every day. :-)
0
 
LVL 11

Author Comment

by:nazirahmed
i'm talking about the admin rights for the Netsh utility, if there is any way to run that command without admin rights, plz anyone let me know. thanks bbao
0
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 250 total points
your purpose in using netsh is to switch ip addresses and gateway, which has been accomplished by my solution without netsh, and also without the need for administrator rights.

you know, as a principle of network administration, use rights as low as you possibly can. network configuration is at system level, so changing an ip address must need supervisor permissions, there is no way around it, else windows nt/2k/xp would not be a c2-level system.

what you want should be to switch ip, not to change ip, to get around the permission issue.

anyway, if you still want to find a command to switch to supervisor rights from normal user rights, that is su.exe, a command of the w2k resource kit, not a part of the original w2k. again, i would not suggest it, for better security.

hope it helps,
bbao
0
 
LVL 11

Author Comment

by:nazirahmed
ok i will check on monday and will get back to u. take care
0
 
LVL 11

Author Comment

by:nazirahmed
Sorry for the delay, i did not have time to fully test it, but i have a feeling that it should work. thanks for the help, much appreciated.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
sure, thanks for your points, if you have any further problems, just let me know.
0
 
LVL 11

Author Comment

by:nazirahmed
bbao
sorry to tell you but today i had the chance to actually work on the solution and it didn't work!
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
o? please post your "ipconfig /all" and "route print" results and tell me why you think it didn't work as you wanted.
0
 
LVL 11

Author Comment

by:nazirahmed
ok i will do it tomorrow as the laptop wasn't with me..the user called me from 200 miles. so the laptop will be back tomorrow.
0

 
LVL 11

Author Comment

by:nazirahmed
Bbao
i am sitting with the laptop, i made changes for different IPs, here is the route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 06 5b d9 00 bc ...... 3Com EtherLink PCI
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.67.0.1     10.67.2.136       1
        10.67.0.0    255.255.192.0      10.67.2.136     10.67.2.136       1
      10.67.2.136  255.255.255.255        127.0.0.1       127.0.0.1       1
      10.67.128.0    255.255.192.0    10.67.129.227     10.67.2.136       1
    10.67.129.227  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.67.2.136     10.67.2.136       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.67.2.136     10.67.2.136       1
  255.255.255.255  255.255.255.255      10.67.2.136     10.67.2.136       1
Default Gateway:         10.67.0.1
===========================================================================
Persistent Routes:
  None
as you can see, the network 10.67.129.227 netmask 255.255.255.255 is going to gateway 127.0.0.1 from interface 127.0.0.1
0
 
LVL 11

Author Comment

by:nazirahmed
sorry mistakenly pressed enter.
10.67.128.0    255.255.192.0    10.67.129.227     10.67.2.136       1
that one is the remote network the user went to a few weeks ago and couldn't connect to.
any ideas plz
cheers
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
nazirahmed, please post the "ipconfig /all" result here. you know, my solution is based on multihoming, you should configure more than one ip address, each of them for one of your offices.
0
 
LVL 11

Author Comment

by:nazirahmed
yes i did add at least 10 ip addresses to the list, but the ipconfig/all is from after her visit to the first remote location, where it didn't work even though she ran a batch file on the desktop with the route add command for that specific network.
similarly i created batch files for other offices as well but she hasn't been to other offices yet.

0
 
LVL 11

Author Comment

by:nazirahmed
ok bbao here is the ipconfig/all of the same machine whose route print i posted above.
C:\Documents and Settings\Jenny Yeates.WWREGION>ipconfig/all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ww01251
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-06-5B-D9-00-BC
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.67.129.227
        Subnet Mask . . . . . . . . . . . : 255.255.192.0
        IP Address. . . . . . . . . . . . : 10.67.2.136
        Subnet Mask . . . . . . . . . . . : 255.255.192.0
        Default Gateway . . . . . . . . . : 10.67.0.1
        DNS Servers . . . . . . . . . . . : 10.0.128.138
                                            10.0.128.142
        Primary WINS Server . . . . . . . : 10.67.0.114
help......
0
 
LVL 11

Author Comment

by:nazirahmed
the user went to a different location yesterday and she tried the route add command, that's why you can see
IP Address. . . . . . . . . . . . : 10.67.129.227
Subnet Mask . . . . . . . . . . . : 255.255.192.0

the ip address for HQ (where we are all based) is
IP Address. . . . . . . . . . . . : 10.67.2.136
Subnet Mask . . . . . . . . . . . : 255.255.192.0

0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
suppose your ip settings are: (note: the metric numbers are 2)

IP Address 1: 10.67.129.227 mask 255.255.192.0
IP Address 2: 10.67.2.136 mask 255.255.192.0
Gateway 1: 10.67.0.1 metric 2
Gateway 2: 10.67.128.1 metric 2

then use "route add 0.0.0.0 mask 0.0.0.0 10.67.0.1 metric 1" to switch to the 10.67.0.0 network,
use "route add 0.0.0.0 mask 0.0.0.0 10.67.128.1 metric 1" to switch to the 10.67.128.0 network

to be brief: this solution is based on concept of "multihome + switching routing"
0
 
LVL 11

Author Comment

by:nazirahmed
you mean i should first set them to metric 2 and then use "route add 0.0.0.0 mask 0.0.0.0 10.67.0.1 metric 1" to switch to the 10.67.0.0 network,
use "route add 0.0.0.0 mask 0.0.0.0 10.67.128.1 metric 1" to switch to the 10.67.128.0 network
what difference will it make??
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
otherwise, there will be two default routes existing with the same metric, which may lead to confusion. by applying a different metric, the prior route is selected.
0
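
Added example (not part of the thread, and not any participant's code): the metric rule bbao describes, modelled over a constructed routing table in the "route print" layout posted above. The table contents and the helpers parse_routes, best_routes and with_metric are assumptions made for illustration; route selection is modelled as longest prefix first, then lowest metric.

```python
import ipaddress
import re

# Constructed sample in the "route print" layout from the thread: both default
# gateways from bbao's example are present with the same metric (2).
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.67.0.1     10.67.2.136       2
          0.0.0.0          0.0.0.0      10.67.128.1   10.67.129.227       2
        10.67.0.0    255.255.192.0      10.67.2.136     10.67.2.136       1
      10.67.128.0    255.255.192.0    10.67.129.227   10.67.129.227       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Turn the Active Routes rows into dicts; header and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, interface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append({"net": net, "gateway": gateway,
                           "interface": interface, "metric": int(metric)})
    return routes

def best_routes(routes, destination):
    """Routes that win for destination: longest prefix, then lowest metric.
    More than one result means the choice is ambiguous."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    lowest = min(r["metric"] for r in matches)
    return [r for r in matches if r["metric"] == lowest]

def with_metric(routes, gateway, metric):
    """Copy of the table with the default route via gateway set to metric.
    Models the outcome bbao describes, not the route command itself."""
    return [dict(r, metric=metric) if r["net"].prefixlen == 0
            and r["gateway"] == gateway else r for r in routes]

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for t in (table, with_metric(table, "10.67.128.1", 1)):
        print([r["gateway"] for r in best_routes(t, "10.0.128.138")])
```

With equal metrics the off-subnet destination resolves to both default gateways; once one default route carries metric 1 only that gateway remains, while on-subnet destinations never reach the default route at all.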
 
LVL 11

Author Comment

by:nazirahmed
ok i will try that. thanks
0
 

Expert Comment

by:craryg
I have a question for you both...I have several mobile users and we have 15 different locations.  Has this theory been tested and does it work without slow down?
0
 
LVL 11

Author Comment

by:nazirahmed
Sorry to say but it didn't work for me. i have to use Netsh while users have admin rights for local machines.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
nazirahmed, sorry, just noticed that the "route add" command can NOT work with the rights of a common domain user, the account i used was a member of administrators but i didn't notice this. why did you say "it didn't work for me"? because of the permission issue? please let me know if i can provide further help for the question. cheers, bbao
0
