HilltownHealthCenter
asked on
Allow a non domain admin to run a dos script that changes net interface params.
I have deployed a DOS script that reroutes the network interface in the event of path failure. The script changes the default gateway and the DNS server. I want to allow normal users to run it, but if a non-admin runs it, the "netsh interface ip set" command gives "access denied". How do I get around this?
ASKER
OK, so the script looks like this:
netsh interface ip set address name="Local Area Connection" gateway=172.20.2.252 gwmetric=0
How do I write this so that the current user (no admin privileges) can use it? Run as above, it returns "access denied".
ASKER CERTIFIED SOLUTION
ASKER
I added the users to "Network Configuration Operators" at the domain level using Active Directory, but it did not allow them to change the local machine. Is there a way to do this without visiting each machine (there are many!).
Run gpupdate across all machines or wait until the GP Object on the machine is refreshed (Next Login) or refresh interval if you have it set. SEE BELOW...
Group Policies can be applied when a computer boots up, and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.
Policies not affected by background refresh. These policies are only applied at logon time:
Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts
Background refresh for non-DCs (PCs and Member Servers) is every 90 mins., with a +/- 30 min. interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers), background refresh is every 5 mins.
Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.
Using the command line to refresh policies
Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:
secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies
These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:
secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:
gpupdate /target:user to refresh the user policies
gpupdate /target:machine to refresh the machine (or computer) policies
As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:
gpupdate /force
Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.
ASKER
Active Directory:
If I add the user to "Domain Admins - Security Group - Global", then when the user logs back in, they can change network settings.
If I add the user to "Network Configuration Operators - Security Group - Domain Local", they are restricted from netsh commands ("access denied").
I am thinking that "Network Configuration Operators - Security Group - Domain Local" is not the correct group for this, but there is no "Domain Network Configuration Operators" or similar group. Any thoughts?
To use the netsh command the user must have local admin rights. I suggest you use the runas command in a script that the user can click on:
The best solution to run an application or script with other credentials is the tool runasspc.
The tool hides the password and all other information in an encrypted file. It is like
runas.exe /user:username@domain /password:password application.exe
but the information is encrypted:
runasspc.exe /cryptfile:path/encryptfile
and the application allowed to run will be checked at the bit level.
http://www.snapfiles.com/get/runasspc.html
ASKER
The final solution was to add "Domain Users" to each workstation's "Network Configuration Operators" group. Then any user can execute scripts which modify the network interface. The solution posted gave me this idea.
RUNAS [/profile] [/env] [/netonly] /user:<UserName> program
/profile if the user's profile needs to be loaded
/env to use current environment instead of user's.
/netonly use if the credentials specified are for remote access only.
/user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
program command line for EXE. See below for examples
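The asker's final solution (adding "Domain Users" to each workstation's local "Network Configuration Operators" group) still has to reach every machine, which was the original complaint. The PowerShell script below is an added example, not code from this thread or from any of its posters: it pushes that membership to a list of workstations over the network with the ADSI WinNT provider, and reads the current members first so re-running it is harmless. The domain NetBIOS name CONTOSO and the file computers.txt (one hostname per line) are placeholders, not from the page. Run it as an account that is a local administrator on the targets, for example a Domain Admins member, since changing a local group's membership is itself an administrative action.

```powershell
# Added example, not from the original thread. Grants a domain group membership
# in a local group on many workstations remotely (ADSI WinNT provider), which is
# what the asker's final solution needs without visiting each machine.
# Assumptions (placeholders, not from the page): domain NetBIOS name CONTOSO and
# a computer list in .\computers.txt, one hostname per line.

function Grant-LocalGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $Domain      = 'CONTOSO',                         # assumption
        [string] $DomainGroup = 'Domain Users',
        [string] $LocalGroup  = 'Network Configuration Operators'
    )

    # Bind to the local group on the remote machine. This needs RPC/SMB
    # reachability and a caller who is a local administrator on that machine.
    $group = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"

    # Enumerate current members as ADsPaths (e.g. WinNT://CONTOSO/Domain Users)
    # so the grant is idempotent; the same enumeration doubles as the check.
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    $target = "WinNT://$Domain/$DomainGroup"
    if ($members -contains $target) {
        return [pscustomobject]@{ Computer = $ComputerName; Result = 'AlreadyMember' }
    }

    $group.Add($target)
    return [pscustomobject]@{ Computer = $ComputerName; Result = 'Added' }
}

# Walk the placeholder computer list; failures on one host do not stop the run.
$computers = Get-Content -Path '.\computers.txt'   # assumption: placeholder file
foreach ($c in $computers) {
    try {
        Grant-LocalGroupMembership -ComputerName $c
    } catch {
        # Typical causes: machine offline, RPC blocked, or caller not a local admin.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}
```

The new membership appears in a user's token only at the next logon; after that, `whoami /groups` on the workstation should list Network Configuration Operators and the netsh command from the question should run without "access denied". The same grant can be enforced without a script through Group Policy (Computer Configuration, Windows Settings, Security Settings, Restricted Groups, with Domain Users listed under "Members of this group" for Network Configuration Operators), which is applied at the machine policy refresh described earlier in the thread and also covers machines that were offline when the script ran. Either way the grant is broad: any member of that local group can change DNS and the default gateway on any interface of the machine, not only through this one script, so it is a real loosening of the workstation's least-privilege posture and worth documenting.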