Network Adaptor Access Windows 7

I am setting up some laptops here as stand alone machines with an admin account and multiple user accounts on windows 7. I have applied a microsoft baseline SSLF  GPO and have setup some non administraotr policies in a mmc snap on for non admin users. I am now trying to determine why administrators can access and change network adaptor settings and users cannot, I have tried to look at the settings in both but nothing is staring out at me.

When I change a user to admin rights they can edit the network adaptor settings, but when I change them back they can no longer change network adaptors settings. This is not my area of expertise, and any help would be appreciated.

thanks
Chris345Asked:
Who is Participating?
 
ee_autoCommented:
Question PAQ'd and stored in the solution database.
0
 
Pro_Commented:
Different levels explained http://www.wizcrafts.net/ans/privileges.html

You will need to add in privillages to either local security policies or via domain GPO's to enable standard users to make changes to NIC cards etc. Best practice would be to leave as it is though and if an admin needs to make changes right click whilst holding shift on control panel icon and "run as" admin instead.

Hope this helps!
0
 
Iain MacMillanIT Regional Manager - UKCommented:
this is by design, user are not normally supposed to be able to tamper with device settings.

is there a need for them to do so??
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
Chris345Author Commented:
Yes I need to let the users be able to change network adaptor settings, ie change ip addresses etc when needed, but other functions would be locked down, I'm basically trying to figure out what feature in the Windows 7 SSLF GPO controls this, as users can change network settings when I restore the GPO to default
0
 
RootsManCommented:
Are you not running a DHCP server on your network?
0
 
Iain MacMillanIT Regional Manager - UKCommented:
i'm not certain you can only 'unlock' the NIC settings and lock everything else down, you would usually require local admin rights as a minimum to touch device settings.

if they are stand-alone devices, why do they need to be changing the IP??  Just trying to understand your setup/remit.
0
 
Chris345Author Commented:
The pcs will be used for troubleshooting, they have two nics, so the person using the device will need to be able to manually enter network ip addresses each time they use the device in a different location. These will not be normal user machines. They will not be getting their address from the network either.
0
 
Chris345Author Commented:
I have been advised a possible way around this is to Set everyone as an administrator. Keep the default admin account  unrestricted, and then drill down the Local Policies in the GPO down to hardened specs.  

Then copy this local setting over to be setup as a default baseline for all new admin accounts.

Is this possible or are there any over advisable courses of action?

thanks


0
 
Iain MacMillanIT Regional Manager - UKCommented:
i would agree giving them local admin rights so they can make the changes required, not really much else they can do except on the local systems, apart from installing software and updating drivers.

you might have issues copying the settings, as you can no longer copy/clone profile like you could under XP.
0
 
Pro_Commented:
No organisations I worked within have allowed users to be in the local admin group on a machine. See http://www.petri.co.il/removing-end-users-from-the-local-administrators-group.htm - this is an example of the risks involved. The only solutions that I can think of would be to use an excrypted "runas" on the network control panel .cpl file or to add them to the "network configuration operators group" i.e. http://support.microsoft.com/kb/297938
0
 
Chris345Author Commented:
Hi Pro

I do see what you are saying having everyone in the local admin group even if all other users are locked down in the Admin group it would cause issues, ie with write permissions etc.

Has anyone tried the RunasGui program and how has it worked for them?

I am still trying to track down the issue with the GPO. As it is still locking a user out when the GPO is active
0
 
Pro_Commented:
You can use gpresult from a command line to see what policies are being applied to a user. You can also user group policy modelling from GPMC.

Did you try adding the user to the "network operators group"?

If you are going to use a "runas" untility for an end user to use it really needs to be encrypted so that they can't get administrator password. A good site to get things moving for you http://4sysops.com/archives/run-a-program-with-administrator-rights-runasspc-cpau-and-steel-run-as-compared/. I have used runaspc in a corporate environment before to run a .cpl file from control panel to allow users access to settings.
0
 
Chris345Author Commented:
I did try the network operators group, and it still elevated to asking for the admin password, I will have a look at the link you provided, as it appears this may be one of the few ways for me to get pass this problem.

I don't appear to have gpmc on the laptop, and it does not appear as one of the features I
 can turn on and off in windows features? I take it only comes with 2008 Server or windows 7 ultimate?

thanks
0
 
Pro_Commented:
Chris

As you set a baseline on the laptops you may want to check local policy i.e. http://support.microsoft.com/kb/307882. As you are on Win7 see this link for getting the right tools sorted: http://www.youtube.com/watch?v=UsYkbLzVsM8.

If you have no joy changing the local policy (which you can save as a new template) you can try the encrypted runas. If anything its good experience to play around with as many organisations are so locked down these days that you need it!

Let us know how you get on.

Cheers

0
 
Chris345Author Commented:
I am now having a look at the following software
http://www.wingnutsoftware.com/

This is an encrypted version of RunAs. Now is anyone able to tell me how the network adaptor runs? Is it a process or a service / task? I am really after the command line I will need to put in, in order to get this to run. In my situation the laptop wil be running two nics.

Any further help with this would be great, and I appreciate the help so far.
0
 
johnb6767Commented:
You would have to use the Netsh command for command line NIC changes, like IP/Subnet mask etc......

Why not make them Users AND members of the "Network Configuration Operators" local group on the pc's?

A Description of the Network Configuration Operators Group
http://support.microsoft.com/kb/297938

0
 
johnb6767Commented:
Sorry, you did that earlier. Youd have to disable UAC to get past that.......
0
 
Chris345Author Commented:
It looks like I may have sorted this out, it looks like NetSetMan enables a normal user to change network settings as required, it is installed as a service in services.msc if you so need it. Thereby bypassing the issue
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.