Solved

Network Adaptor Access Windows 7

Posted on 2010-11-07
19
579 Views
Last Modified: 2013-12-04
I am setting up some laptops here as stand alone machines with an admin account and multiple user accounts on windows 7. I have applied a microsoft baseline SSLF  GPO and have setup some non administraotr policies in a mmc snap on for non admin users. I am now trying to determine why administrators can access and change network adaptor settings and users cannot, I have tried to look at the settings in both but nothing is staring out at me.

When I change a user to admin rights they can edit the network adaptor settings, but when I change them back they can no longer change network adaptors settings. This is not my area of expertise, and any help would be appreciated.

thanks
0
Comment
Question by:Chris345
  • 7
  • 4
  • 3
  • +3
19 Comments
 
LVL 4

Expert Comment

by:Pro_
ID: 34081939
Different levels explained http://www.wizcrafts.net/ans/privileges.html

You will need to add in privillages to either local security policies or via domain GPO's to enable standard users to make changes to NIC cards etc. Best practice would be to leave as it is though and if an admin needs to make changes right click whilst holding shift on control panel icon and "run as" admin instead.

Hope this helps!
0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 34082597
this is by design, user are not normally supposed to be able to tamper with device settings.

is there a need for them to do so??
0
 

Author Comment

by:Chris345
ID: 34082945
Yes I need to let the users be able to change network adaptor settings, ie change ip addresses etc when needed, but other functions would be locked down, I'm basically trying to figure out what feature in the Windows 7 SSLF GPO controls this, as users can change network settings when I restore the GPO to default
0
 
LVL 6

Expert Comment

by:RootsMan
ID: 34083520
Are you not running a DHCP server on your network?
0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 34083609
i'm not certain you can only 'unlock' the NIC settings and lock everything else down, you would usually require local admin rights as a minimum to touch device settings.

if they are stand-alone devices, why do they need to be changing the IP??  Just trying to understand your setup/remit.
0
 

Author Comment

by:Chris345
ID: 34088013
The pcs will be used for troubleshooting, they have two nics, so the person using the device will need to be able to manually enter network ip addresses each time they use the device in a different location. These will not be normal user machines. They will not be getting their address from the network either.
0
 

Author Comment

by:Chris345
ID: 34090539
I have been advised a possible way around this is to Set everyone as an administrator. Keep the default admin account  unrestricted, and then drill down the Local Policies in the GPO down to hardened specs.  

Then copy this local setting over to be setup as a default baseline for all new admin accounts.

Is this possible or are there any over advisable courses of action?

thanks


0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 34091287
i would agree giving them local admin rights so they can make the changes required, not really much else they can do except on the local systems, apart from installing software and updating drivers.

you might have issues copying the settings, as you can no longer copy/clone profile like you could under XP.
0
 
LVL 4

Expert Comment

by:Pro_
ID: 34091598
No organisations I worked within have allowed users to be in the local admin group on a machine. See http://www.petri.co.il/removing-end-users-from-the-local-administrators-group.htm - this is an example of the risks involved. The only solutions that I can think of would be to use an excrypted "runas" on the network control panel .cpl file or to add them to the "network configuration operators group" i.e. http://support.microsoft.com/kb/297938
0
Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

 

Author Comment

by:Chris345
ID: 34097951
Hi Pro

I do see what you are saying having everyone in the local admin group even if all other users are locked down in the Admin group it would cause issues, ie with write permissions etc.

Has anyone tried the RunasGui program and how has it worked for them?

I am still trying to track down the issue with the GPO. As it is still locking a user out when the GPO is active
0
 
LVL 4

Expert Comment

by:Pro_
ID: 34100362
You can use gpresult from a command line to see what policies are being applied to a user. You can also user group policy modelling from GPMC.

Did you try adding the user to the "network operators group"?

If you are going to use a "runas" untility for an end user to use it really needs to be encrypted so that they can't get administrator password. A good site to get things moving for you http://4sysops.com/archives/run-a-program-with-administrator-rights-runasspc-cpau-and-steel-run-as-compared/. I have used runaspc in a corporate environment before to run a .cpl file from control panel to allow users access to settings.
0
 

Author Comment

by:Chris345
ID: 34100457
I did try the network operators group, and it still elevated to asking for the admin password, I will have a look at the link you provided, as it appears this may be one of the few ways for me to get pass this problem.

I don't appear to have gpmc on the laptop, and it does not appear as one of the features I
 can turn on and off in windows features? I take it only comes with 2008 Server or windows 7 ultimate?

thanks
0
 
LVL 4

Expert Comment

by:Pro_
ID: 34100576
Chris

As you set a baseline on the laptops you may want to check local policy i.e. http://support.microsoft.com/kb/307882. As you are on Win7 see this link for getting the right tools sorted: http://www.youtube.com/watch?v=UsYkbLzVsM8.

If you have no joy changing the local policy (which you can save as a new template) you can try the encrypted runas. If anything its good experience to play around with as many organisations are so locked down these days that you need it!

Let us know how you get on.

Cheers

0
 

Author Comment

by:Chris345
ID: 34108688
I am now having a look at the following software
http://www.wingnutsoftware.com/

This is an encrypted version of RunAs. Now is anyone able to tell me how the network adaptor runs? Is it a process or a service / task? I am really after the command line I will need to put in, in order to get this to run. In my situation the laptop wil be running two nics.

Any further help with this would be great, and I appreciate the help so far.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34129866
You would have to use the Netsh command for command line NIC changes, like IP/Subnet mask etc......

Why not make them Users AND members of the "Network Configuration Operators" local group on the pc's?

A Description of the Network Configuration Operators Group
http://support.microsoft.com/kb/297938

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34129867
Sorry, you did that earlier. Youd have to disable UAC to get past that.......
0
 

Author Comment

by:Chris345
ID: 34133165
It looks like I may have sorted this out, it looks like NetSetMan enables a normal user to change network settings as required, it is installed as a service in services.msc if you so need it. Thereby bypassing the issue
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34609021
Question PAQ'd and stored in the solution database.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
OfficeMate Freezes on login or does not load after login credentials are input.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now