HilltownHealthCenter

Allow a non domain admin to run a dos script that changes net interface params.

I have deployed a DOS script that reroutes the network interface in the event of path failure. The script changes the default gateway and the DNS server. I want to allow normal users to run it, but if a non-admin runs it, the "netsh interface ip set" command gives "access denied". How do I get around this?
drmweaver

Why not use the runas sequence within your code? Syntax:

RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

/profile if the user's profile needs to be loaded
/env to use current environment instead of user's.  
/netonly use if the credentials specified are for remote access only.  
/user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
program command line for EXE. See below for examples

HilltownHealthCenter (Asker)

OK, so the script looks like this:

netsh interface ip set address name="Local Area Connection" gateway=172.20.2.252 gwmetric=0

How do I write this so that the current user (no admin privileges) can use it? Run as above, it returns "access denied".
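The script the asker describes, as an added PowerShell example (not the asker's DOS script): it checks up front whether the current user may run "netsh interface ip set" at all (local admin or member of the built-in Network Configuration Operators group), probes the primary gateway, and only on failure switches the gateway and DNS. The interface name and 172.20.2.252 come from the thread; the other addresses are constructed placeholders.

```powershell
# Added example (not the asker's script): reroute gateway and DNS when the primary
# path is down. Interface name and 172.20.2.252 come from the thread; the other
# addresses are constructed placeholders.
$Interface      = "Local Area Connection"
$PrimaryGateway = "172.20.2.254"    # constructed: the normal default gateway
$BackupGateway  = "172.20.2.252"    # the gateway in the asker's netsh line
$BackupDns      = "172.20.2.10"     # constructed: DNS server reachable via the backup path

function Test-CanRunNetsh {
    # "netsh interface ip set ..." needs local admin rights or membership in the
    # built-in Network Configuration Operators group (SID S-1-5-32-556); otherwise
    # it fails with "access denied". Check first so the failure is explained.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $ncoSid    = New-Object Security.Principal.SecurityIdentifier(
                     [Security.Principal.WellKnownSidType]::BuiltinNetworkConfigurationOperatorsSid, $null)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -or
           $principal.IsInRole($ncoSid)
}

function Test-PrimaryPath {
    # Two probes to the primary gateway; both failing counts as a path failure.
    return [bool](Test-Connection -ComputerName $PrimaryGateway -Count 2 -Quiet -ErrorAction SilentlyContinue)
}

function Invoke-Failover {
    # Same netsh commands as the DOS script: set the default gateway, then DNS.
    netsh interface ip set address "name=$Interface" gateway=$BackupGateway gwmetric=0
    if ($LASTEXITCODE -ne 0) { throw "netsh set address failed (exit $LASTEXITCODE)" }
    netsh interface ip set dns "name=$Interface" source=static addr=$BackupDns
    if ($LASTEXITCODE -ne 0) { throw "netsh set dns failed (exit $LASTEXITCODE)" }
}

if (-not (Test-CanRunNetsh)) {
    Write-Error "Not a local admin or Network Configuration Operator: netsh would return 'access denied'."
    exit 1
}
if (Test-PrimaryPath) {
    Write-Output "Primary gateway $PrimaryGateway reachable; no change made."
    exit 0
}
Invoke-Failover
Write-Output "Path failure: gateway set to $BackupGateway, DNS set to $BackupDns."
```

The membership check is what separates a clear "you lack the right" message from the bare "access denied" the asker saw; granting that group membership is the least-privilege way to let a non-admin run the script.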
ASKER CERTIFIED SOLUTION
oBdA
I added the users to "Network Configuration Operators" at the domain level using Active Directory, but it did not allow them to change the local machine. Is there a way to do this without visiting each machine (there are many!).
Run gpupdate across all machines, or wait until the GP Object on the machine is refreshed (next login) or at the refresh interval if you have it set. SEE BELOW...

Group Policies can be applied when a computer boots up, and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Policies not affected by background refresh. These policies are only applied at logon time:

Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins., with a +/- 30 min. interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers), background refresh is every 5 mins.

Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.

Using the command line to refresh policies

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer.  To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy  to refresh the user policies
secedit /refreshpolicy machine_policy  to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh.  To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user  to refresh the user policies
gpupdate /target:machine  to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh.  To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies.  There is no separation of the two like there is with secedit.

Active Directory:

If I add the user to "Domain Admins - Security Group - Global", then when the user logs back in, they can change network settings.

If I add the user to "Network Configuration Operators - Security Group - Domain Local", they are restricted from netsh commands ("access denied").

I am thinking that "Network Configuration Operators - Security Group - Domain Local" is not the correct group for this, but there is no "Domain Network Configuration Operators" or similar group. Any thoughts?
To use the netsh command the user must have local admin rights. I suggest you use the runas command in a script that the user can click on:

The best solution to run an application or script with other credentials is the tool runasspc.

The tool hides the password and all other information in an encrypted file. It is like

runas.exe /user:username@domain /password:password application.exe

but the information is encrypted:

runasspc.exe /cryptfile:path/encryptfile

and the application allowed to run will be checked at bit level.

http://www.snapfiles.com/get/runasspc.html
The final solution was to add "Domain Users" to each workstation's "Network Configuration Operators" group. Then any user can execute scripts which modify the network interface. The solution posted gave me this idea.
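The asker's final solution, as an added example (not from the thread): a PowerShell script meant to run as a Group Policy computer startup script, so it executes as SYSTEM on every workstation at the next boot or gpupdate and adds "Domain Users" to the local "Network Configuration Operators" group without a visit to each machine. It assumes the LocalAccounts cmdlets (Windows 10 / Server 2016+, PowerShell 5.1) and uses "CORP" as a constructed placeholder for the NetBIOS domain name.

```powershell
# Added example (not from the thread): a GPO computer startup script that grants
# "Domain Users" membership in the local "Network Configuration Operators" group,
# the asker's final solution, without visiting each workstation. Startup scripts run
# as SYSTEM, so the change is allowed; the script is idempotent and logs what it did.
# Assumptions: LocalAccounts cmdlets (Windows 10 / Server 2016+, PowerShell 5.1) and
# the NetBIOS domain name "CORP", which is a constructed placeholder.
$GroupName  = "Network Configuration Operators"
$MemberName = "CORP\Domain Users"                        # placeholder domain
$LogFile    = Join-Path $env:ProgramData "nco-membership.log"

function Test-LocalGroupHasMember {
    param([string]$Group, [string]$Member)
    # Name comes back as DOMAIN\name for domain principals, which is what we compare against.
    $names = Get-LocalGroupMember -Group $Group -ErrorAction Stop | Select-Object -ExpandProperty Name
    return ($names -contains $Member)
}

function Grant-NetworkConfigRight {
    param([string]$Group, [string]$Member)
    # Returns "present" when nothing had to change, "added" after adding the member.
    if (Test-LocalGroupHasMember -Group $Group -Member $Member) { return "present" }
    Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
    return "added"
}

try {
    $result = Grant-NetworkConfigRight -Group $GroupName -Member $MemberName
    $line = "{0} {1} {2} in '{3}'" -f (Get-Date -Format s), $result, $MemberName, $GroupName
} catch {
    $line = "{0} failed: {1}" -f (Get-Date -Format s), $_.Exception.Message
}
Add-Content -Path $LogFile -Value $line
Write-Output $line
```

Membership in this group lets every domain user change the workstation's IP, gateway and DNS settings, a wider grant than the one script, so the log line is worth keeping as a record of which machines received it; the runas/runasspc alternatives above instead leave privileged credentials on the client.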