Chris345
asked on
Network Adaptor Access Windows 7
I am setting up some laptops here as stand-alone machines with an admin account and multiple user accounts on Windows 7. I have applied a Microsoft baseline SSLF GPO and have set up some non-administrator policies in an MMC snap-in for non-admin users. I am now trying to determine why administrators can access and change network adaptor settings and users cannot. I have tried to look at the settings in both but nothing is staring out at me.
When I change a user to admin rights they can edit the network adaptor settings, but when I change them back they can no longer change network adaptor settings. This is not my area of expertise, and any help would be appreciated.
thanks
This is by design; users are not normally supposed to be able to tamper with device settings.
Is there a need for them to do so?
ASKER
Yes, I need to let the users change network adaptor settings, i.e. change IP addresses etc. when needed, but other functions would be locked down. I'm basically trying to figure out what feature in the Windows 7 SSLF GPO controls this, as users can change network settings when I restore the GPO to default.
Are you not running a DHCP server on your network?
I'm not certain you can only 'unlock' the NIC settings and lock everything else down; you would usually require local admin rights as a minimum to touch device settings.
If they are stand-alone devices, why do they need to be changing the IP? Just trying to understand your setup/remit.
ASKER
The PCs will be used for troubleshooting. They have two NICs, so the person using the device will need to be able to manually enter network IP addresses each time they use the device in a different location. These will not be normal user machines. They will not be getting their address from the network either.
ASKER
I have been advised a possible way around this is to set everyone as an administrator, keep the default admin account unrestricted, and then drill down the Local Policies in the GPO to hardened specs.
Then copy this local setting over to be set up as a default baseline for all new admin accounts.
Is this possible or are there any other advisable courses of action?
thanks
I would agree with giving them local admin rights so they can make the changes required; not really much else they can do except on the local systems, apart from installing software and updating drivers.
You might have issues copying the settings, as you can no longer copy/clone a profile like you could under XP.
No organisations I have worked within have allowed users to be in the local admin group on a machine. See http://www.petri.co.il/removing-end-users-from-the-local-administrators-group.htm - this is an example of the risks involved. The only solutions that I can think of would be to use an encrypted "runas" on the network control panel .cpl file or to add them to the "network configuration operators group", i.e. http://support.microsoft.com/kb/297938
ASKER
Hi Pro
I do see what you are saying: having everyone in the local admin group, even if all other users are locked down in the Admin group, would cause issues, i.e. with write permissions etc.
Has anyone tried the RunasGui program and how has it worked for them?
I am still trying to track down the issue with the GPO, as it is still locking a user out when the GPO is active.
You can use gpresult from a command line to see what policies are being applied to a user. You can also use group policy modelling from GPMC.
Did you try adding the user to the "network operators group"?
If you are going to use a "runas" utility for an end user to use, it really needs to be encrypted so that they can't get the administrator password. A good site to get things moving for you: http://4sysops.com/archives/run-a-program-with-administrator-rights-runasspc-cpau-and-steel-run-as-compared/. I have used runaspc in a corporate environment before to run a .cpl file from control panel to allow users access to settings.
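The checks suggested in the post above, as an added PowerShell example that is not part of the original thread: it reports whether each account is in the local Administrators group or in Network Configuration Operators, adds missing accounts to the latter, and saves a gpresult report of the applied policy. The account names `tech1` and `tech2` and the report file name are assumptions.

```powershell
# Added example (not from the thread). Written for Windows 7 / PowerShell 2.0,
# so it uses the ADSI WinNT provider and net.exe instead of newer cmdlets.
# Run from an elevated prompt.

# Hypothetical account names for the troubleshooting laptops.
$fieldUsers = @('tech1', 'tech2')
$netGroup   = 'Network Configuration Operators'

function Get-LocalGroupMemberName {
    param([string]$GroupName)
    # Bind to the local group and read the Name of each member object.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$admins    = @(Get-LocalGroupMemberName 'Administrators')
$operators = @(Get-LocalGroupMemberName $netGroup)

foreach ($user in $fieldUsers) {
    $isAdmin    = $admins -contains $user      # -contains is case-insensitive
    $isOperator = $operators -contains $user

    if (-not $isOperator) {
        # net.exe sets a non-zero exit code if the account cannot be added.
        & net.exe localgroup $netGroup $user /add | Out-Null
        $isOperator = ($LASTEXITCODE -eq 0)
    }

    # One row per account; InAdministrators should be False on a
    # least-privilege build.
    New-Object PSObject -Property @{
        User             = $user
        InAdministrators = $isAdmin
        InNetConfigOps   = $isOperator
    }
}

# Resultant policy for this computer and the current user as an HTML report,
# to compare against the SSLF baseline settings.
$report = Join-Path $env:TEMP 'gpresult-baseline.html'
& gpresult.exe /h $report /f
Write-Output "Policy report written to $report"
```

Group membership changes take effect at the account's next logon, so test with a fresh session.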
ASKER
I did try the network operators group, and it still elevated to asking for the admin password. I will have a look at the link you provided, as it appears this may be one of the few ways for me to get past this problem.
I don't appear to have GPMC on the laptop, and it does not appear as one of the features I can turn on and off in Windows features. I take it it only comes with 2008 Server or Windows 7 Ultimate?
thanks
Chris
As you set a baseline on the laptops you may want to check local policy, i.e. http://support.microsoft.com/kb/307882. As you are on Win7, see this link for getting the right tools sorted: http://www.youtube.com/watch?v=UsYkbLzVsM8.
If you have no joy changing the local policy (which you can save as a new template) you can try the encrypted runas. If anything it's good experience to play around with, as many organisations are so locked down these days that you need it!
Let us know how you get on.
Cheers
ASKER
I am now having a look at the following software
http://www.wingnutsoftware.com/
This is an encrypted version of RunAs. Now, is anyone able to tell me how the network adaptor runs? Is it a process or a service / task? I am really after the command line I will need to put in, in order to get this to run. In my situation the laptop will be running two NICs.
Any further help with this would be great, and I appreciate the help so far.
You would have to use the Netsh command for command line NIC changes, like IP/Subnet mask etc.
Why not make them Users AND members of the "Network Configuration Operators" local group on the PCs?
A Description of the Network Configuration Operators Group
http://support.microsoft.com/kb/297938
Sorry, you did that earlier. You'd have to disable UAC to get past that.
ASKER
It looks like I may have sorted this out. It looks like NetSetMan enables a normal user to change network settings as required; it is installed as a service in services.msc if you so need it, thereby bypassing the issue.
ASKER CERTIFIED SOLUTION
You will need to add in privileges to either local security policies or via domain GPOs to enable standard users to make changes to NIC cards etc. Best practice would be to leave as it is though, and if an admin needs to make changes, right click whilst holding shift on the control panel icon and "run as" admin instead.
Hope this helps!