Windows 2000 Local Area Connection Properties Permissions

Hello everyone,
Is there a way to allow non-administrators / non-power users access to the Local Area Connection Properties page to change IP Addresses?  We require some general users to have this functionality, and do not want to add them to any privileged groups.  Thank you for any assistance.
jmcalisterAsked:
Who is Participating?
 
anil_uConnect With a Mentor Commented:
Yes, the answer is no, the options I see are stated aboev, with run as, dhcp etc..

There is one alternative, which isnt the easiest, you could create your own custom security template by using 'Security Configuration and Analysis' this may be able to help you acheive exactly what you need.

heres some info on it
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9169

0
 
stevenlewisCommented:
a batch file using the runas?
0
 
jmcalisterAuthor Commented:
We are looking more for a policy or file/registry permissions that could be altered to allow non-admins fill control to the  Local Area Connection Properties page.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
anil_uCommented:
Taken from the above link,

"Prohibit access to properties of a LAN connection"

The Prohibit access to properties of a LAN connection setting determines whether users can view and change the properties of a LAN connection. It also determines whether the Local Area Connection Properties dialog box is available to users.

If you enable this setting, users cannot open the Local Area Connection Properties dialog box. If you disable or do not configure this setting, the Local Area Connection Properties dialog box is displayed when users right-click the icon representing a local area connection, and then click Properties. The Properties option is also available on the File menu when users select the connection.

0
 
jmcalisterAuthor Commented:
Thank you for the link, but I believe these policies are only to prohibit Administrators / Power Users from accessing the connection properties, not allowing non priv users.
0
 
anil_uCommented:
Yes your right, apologies for that,
anyways im sure this is possible, will get back to you on this...
0
 
cfairleyCommented:
I know this is not the answer you are looking for, but the feature you are looking for is available in XP.  I really do not think this is possible using W2K.  I even tried changing the permissions in the registry for TCPIP and it did not work.

http://support.microsoft.com/?kbid=297938
0
 
jmcalisterAuthor Commented:
The Network Configuration Operators Group has the exact permissions we are looking for, unfortunetley we are unable to upgrade all of our clients to XP.
0
 
bbaoIT ConsultantCommented:
umm..., try "runas" command. see the follows and try RUNAS /?

How To Enable and Use the "Run As" Command When Running Programs in Windows
http://support.microsoft.com/kb/294676
0
 
jmcalisterAuthor Commented:
This would enable the users to have full admin access to the machine.  We have users that travel to remote sites, and are required to change ip information.  We want them to be able to do this through the Local Area Connection Properties window, and we do not want them to have full admin access to any part of the machine.
0
 
bbaoIT ConsultantCommented:
> We have users that travel to remote sites, and are required to change ip information.

why dont just deploy DHCP at the remote sites?

> This would enable the users to have full admin access to the machine.

how about to include the runas command into a script? i didnt try it, just a thought. hehe
0
 
jmcalisterAuthor Commented:
The remote sites can include customer networks, and the users may be required to connect to various equipment.
0
 
jmcalisterAuthor Commented:
Wouldn't a runas script require a password to an account with administrative access?  If so, then this would be to easily abused.
0
 
bbaoIT ConsultantCommented:
if there are not too many (<10) sites your users should visit, you may consider to use a multihome + default gateway solution. that is to bind more than one IP to the laptop's ethernet interface, then add more than one default gateway to the adapter with different metric number for different priorities. skipping over the offline gateways is an automatic process without user actions, so it wont need admin rights.
0
 
jmcalisterAuthor Commented:
There are about 11,000 customer sites.  Basically we are looking to have the user be able to change the ip setings through the interface, so they don't need to learn anything new and we don't comprimise security.
0
 
bbaoIT ConsultantCommented:
if you dont compromise security at all (why?), then the answer should be NO, because it is a by default feature of windows NT/2K/XP/2K3.

if you have no sensitive information stored on the laptops (because the laptops are used at more than 11K sites), only do want the users keep a workable copy of windows system with pre-configured applications, you may consider to make a standard PC and clone it for backup and restore. so your laptop users can change their network settings as they like, wont need to worry about system reinstallation. hehe.
0
 
jmcalisterAuthor Commented:
Thank you for your assistance and suggestions bbao, but we would lke to be able to modify existing security policies and allow specific users to accomplish this task.  Are there any registry keys, dlls, exe's, that we could modify permissions on?  We have attempted to do this with all TCPIP instances in the registry with no success.
0
All Courses

From novice to tech pro — start learning today.