  • Status: Solved

NetSh and Admin rights

Hello
I have a few users who travel and visit different offices. We have a VPN set up for all offices. I have created batch files (using the Netsh utility) for them to switch between different network settings (that is, IP address, gateway, etc.). I can run these batch files with administrative rights, but not with user or even power user rights. We don't use DHCP. I don't want to use any third-party software utility for this purpose. How can I use the Netsh command without giving local admin rights to the users?
Asked: nazirahmed

nazirahmed (Author) commented:
Extremely sorry, I was in a hurry. I would be grateful for you guys' help. Thanks in advance
Naz

bbao (IT Consultant) commented:
hi, personally i think i have similar requirements to yours, but i don't use netsh to change the settings for different IPs and gateways. as you mentioned, it needs administrator rights because it changes the network configuration, and the procedures are complex.

my solution is simple. in a few words, that is multihomed ip addresses for the host, which include all the ip addresses needed for all the offices. every time you visit one of them, just change the default gateway for the office by using the "route add" command. you know the route command can be issued by common users, without administrator rights.

ok, let's talk about it in detail. for example, if you have 3 offices with 3 ip assignments:
1: 1.1.1.1 default gateway 1.1.1.100
2: 2.2.2.2 default gateway 2.2.2.100
3: 3.3.3.3 default gateway 3.3.3.100

set up all the ip addresses on the notebook, and make the default gateway the one for the office he/she visits most often. ok, when you visit another office, just execute the following command by manually typing it or from a batch file:

route add 0.0.0.0 mask 0.0.0.0 x.x.x.100

that's ok!

hope it helps,
bbao

nazirahmed (Author) commented:
Hello there
that's my question... is there any way to do that without giving admin rights? :) i will try the solution you gave.
take care

nazirahmed (Author) commented:
hello again
don't you think it will slow down the network communication for the machine having multiple IPs and default gateways?

bbao (IT Consultant) commented:
1. it definitely does not need administrator rights.
2. it does not slow down the network communication, because the ip routing is based on the local route table; the default gateway is the first item, which includes the ip address of the next stop. so, take it easy.
3. i use it every day. :-)

nazirahmed (Author) commented:
i'm talking about the admin rights for the Netsh utility. if there is any way to run that command without admin rights, please, anyone, let me know. thanks bbao

bbao (IT Consultant) commented:
your purpose in using netsh is to switch ip addresses and gateway, which has been accomplished by my solution without netsh, and also without the need for administrator rights.

you know, as a principle of network administration, use rights as low as you can. network configuration is at system level, so changing an ip address must need supervisor permissions; there is no way to get around it, else windows nt/2k/xp would not be a c2-level system.

what you want should be to switch ip, not to change ip, to get around the permission issue.

anyway, if you still want to find a command to switch to supervisor rights from normal user rights, that is su.exe, a command of the w2k resource kit, not a part of the original w2k. again, i would not suggest it, for better security.

hope it helps,
bbao

nazirahmed (Author) commented:
ok, i will check on monday and will get back to you. take care

nazirahmed (Author) commented:
Sorry for the delay, i did not have time to fully test it, but i have a feeling that it should work. thanks for the help, much appreciated.

bbao (IT Consultant) commented:
sure, thanks for your points. if you have any further problems, just let me know.

nazirahmed (Author) commented:
bbao
sorry to tell you, but today i had the chance to actually work on the solution and it didn't work!

bbao (IT Consultant) commented:
o? please post your "ipconfig /all" and "route print" results and tell me why you think it didn't work the way you wanted.

nazirahmed (Author) commented:
ok, i will do it tomorrow, as the laptop wasn't with me... the user called me from 200 miles away. so the laptop will be back tomorrow.

nazirahmed (Author) commented:
Bbao
i am sitting with the laptop. i made changes for different IPs; here is the route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 06 5b d9 00 bc ...... 3Com EtherLink PCI
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.67.0.1     10.67.2.136       1
        10.67.0.0    255.255.192.0      10.67.2.136     10.67.2.136       1
      10.67.2.136  255.255.255.255        127.0.0.1       127.0.0.1       1
      10.67.128.0    255.255.192.0    10.67.129.227     10.67.2.136       1
    10.67.129.227  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.67.2.136     10.67.2.136       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.67.2.136     10.67.2.136       1
  255.255.255.255  255.255.255.255      10.67.2.136     10.67.2.136       1
Default Gateway:         10.67.0.1
===========================================================================
Persistent Routes:
  None
as you can see, the network 10.67.129.227 netmask 255.255.255.255 is going to gateway 127.0.0.1 from interface 127.0.0.1

nazirahmed (Author) commented:
sorry, mistakenly pressed enter.
10.67.128.0    255.255.192.0    10.67.129.227     10.67.2.136       1
that one is the remote network the user went to a few weeks ago and couldn't connect to.
any ideas please
cheers

bbao (IT Consultant) commented:
nazirahmed, please post the "ipconfig /all" result here. you know, my solution is based on multihoming; you should configure more than one ip address, each of them for one of your offices.

nazirahmed (Author) commented:
yes, i did add at least 10 ip addresses to the list, but the ipconfig/all is from after her visit to the first remote location, where it didn't work even though she ran a batch file on the desktop with the route add command for that specific network.
similarly, i created batch files for the other offices as well, but she hasn't been to the other offices yet.

nazirahmed (Author) commented:
ok bbao, here is the ipconfig/all of the same machine whose route print i posted above.
C:\Documents and Settings\Jenny Yeates.WWREGION>ipconfig/all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ww01251
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-06-5B-D9-00-BC
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.67.129.227
        Subnet Mask . . . . . . . . . . . : 255.255.192.0
        IP Address. . . . . . . . . . . . : 10.67.2.136
        Subnet Mask . . . . . . . . . . . : 255.255.192.0
        Default Gateway . . . . . . . . . : 10.67.0.1
        DNS Servers . . . . . . . . . . . : 10.0.128.138
                                            10.0.128.142
        Primary WINS Server . . . . . . . : 10.67.0.114
help......

nazirahmed (Author) commented:
the user went to a different location yesterday and she tried the route add command, that's why you can see
IP Address. . . . . . . . . . . . : 10.67.129.227
Subnet Mask . . . . . . . . . . . : 255.255.192.0

the ip address for HQ (where we are all based) is
IP Address. . . . . . . . . . . . : 10.67.2.136
Subnet Mask . . . . . . . . . . . : 255.255.192.0

bbao (IT Consultant) commented:
suppose your ip settings are: (note: the metric numbers are 2)

IP Address 1: 10.67.129.227 mask 255.255.192.0
IP Address 2: 10.67.2.136 mask 255.255.192.0
Gateway 1: 10.67.0.1 metric 2
Gateway 2: 10.67.128.1 metric 2

then use "route add 0.0.0.0 mask 0.0.0.0 10.67.0.1 metric 1" to switch to the 10.67.0.0 network,
use "route add 0.0.0.0 mask 0.0.0.0 10.67.128.1 metric 1" to switch to the 10.67.128.0 network

to be brief: this solution is based on the concept of "multihome + switching routing"

nazirahmed (Author) commented:
you mean i should first set them to metric 2 and then use "route add 0.0.0.0 mask 0.0.0.0 10.67.0.1 metric 1" to switch to the 10.67.0.0 network,
use "route add 0.0.0.0 mask 0.0.0.0 10.67.128.1 metric 1" to switch to the 10.67.128.0 network?
what difference will it make??

bbao (IT Consultant) commented:
otherwise, there will be two default routes existing with the same metric, which may lead to confusion. by applying a different metric, the prior route is selected.
0
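
The route selection discussed in the replies above (lookup in the local route table, with the metric deciding between two default routes), as an added example that is not part of the original thread. It is a simplified Python model, not Windows' own implementation, run over rows copied from the posted `route print` output; the function names and the 192.0.2.10 destination are assumptions made for the illustration.

```python
import ipaddress

# Rows copied from the "route print" output posted in the thread
# (columns: destination, netmask, gateway, interface, metric).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0        10.67.0.1     10.67.2.136       1
        10.67.0.0    255.255.192.0      10.67.2.136     10.67.2.136       1
      10.67.2.136  255.255.255.255        127.0.0.1       127.0.0.1       1
      10.67.128.0    255.255.192.0    10.67.129.227     10.67.2.136       1
    10.67.129.227  255.255.255.255        127.0.0.1       127.0.0.1       1
"""

def make_route(dest, mask, gateway, metric):
    # Convert the dotted netmask to a prefix length by counting its 1 bits.
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    net = ipaddress.ip_network((dest, prefix))
    return {"net": net, "gateway": gateway, "metric": int(metric)}

def parse_routes(text):
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5:  # skip anything that is not a route row
            dest, mask, gateway, _iface, metric = fields
            routes.append(make_route(dest, mask, gateway, metric))
    return routes

def candidate_gateways(routes, destination):
    """Longest matching prefix first, then lowest metric; ties are all returned."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    lowest = min(r["metric"] for r in matches)
    return sorted(r["gateway"] for r in matches if r["metric"] == lowest)

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print(candidate_gateways(table, "10.67.130.5"))   # on the 10.67.128.0 network
    print(candidate_gateways(table, "192.0.2.10"))    # constructed off-site address
    # The two gateways from the reply above, both at metric 2: a tie.
    defaults = [make_route("0.0.0.0", "0.0.0.0", "10.67.0.1", 2),
                make_route("0.0.0.0", "0.0.0.0", "10.67.128.1", 2)]
    print(candidate_gateways(defaults, "192.0.2.10"))
    # Adding the metric 1 route from the reply breaks the tie.
    defaults.append(make_route("0.0.0.0", "0.0.0.0", "10.67.128.1", 1))
    print(candidate_gateways(defaults, "192.0.2.10"))
```

When two default routes share a metric the model returns both gateways rather than guessing which one the stack would use.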
 
nazirahmed (Author) commented:
ok, i will try that. thanks

craryg commented:
I have a question for you both... I have several mobile users and we have 15 different locations. Has this theory been tested and does it work without slowdown?

nazirahmed (Author) commented:
Sorry to say, but it didn't work for me. i have to use Netsh while users have admin rights for local machines.

bbao (IT Consultant) commented:
nazirahmed, sorry, just noticed that the "route add" command can NOT work with the rights of a common domain user; the account i used was a member of administrators but i didn't notice this. why did you say "it didn't work for me"? because of the permission issue? please let me know if i can provide further help for the question. cheers, bbao