Solved

Network Adaptor Access Windows 7

Posted on 2010-11-07
19
582 Views
Last Modified: 2013-12-04
I am setting up some laptops here as stand alone machines with an admin account and multiple user accounts on windows 7. I have applied a microsoft baseline SSLF  GPO and have setup some non administraotr policies in a mmc snap on for non admin users. I am now trying to determine why administrators can access and change network adaptor settings and users cannot, I have tried to look at the settings in both but nothing is staring out at me.

When I change a user to admin rights they can edit the network adaptor settings, but when I change them back they can no longer change network adaptors settings. This is not my area of expertise, and any help would be appreciated.

thanks
0
Comment
Question by:Chris345
  • 7
  • 4
  • 3
  • +3
19 Comments
 
LVL 4

Expert Comment

by:Pro_
ID: 34081939
Different levels explained http://www.wizcrafts.net/ans/privileges.html

You will need to add in privillages to either local security policies or via domain GPO's to enable standard users to make changes to NIC cards etc. Best practice would be to leave as it is though and if an admin needs to make changes right click whilst holding shift on control panel icon and "run as" admin instead.

Hope this helps!
0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 34082597
this is by design, user are not normally supposed to be able to tamper with device settings.

is there a need for them to do so??
0
 

Author Comment

by:Chris345
ID: 34082945
Yes I need to let the users be able to change network adaptor settings, ie change ip addresses etc when needed, but other functions would be locked down, I'm basically trying to figure out what feature in the Windows 7 SSLF GPO controls this, as users can change network settings when I restore the GPO to default
0
 
LVL 6

Expert Comment

by:RootsMan
ID: 34083520
Are you not running a DHCP server on your network?
0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 34083609
i'm not certain you can only 'unlock' the NIC settings and lock everything else down, you would usually require local admin rights as a minimum to touch device settings.

if they are stand-alone devices, why do they need to be changing the IP??  Just trying to understand your setup/remit.
0
 

Author Comment

by:Chris345
ID: 34088013
The pcs will be used for troubleshooting, they have two nics, so the person using the device will need to be able to manually enter network ip addresses each time they use the device in a different location. These will not be normal user machines. They will not be getting their address from the network either.
0
 

Author Comment

by:Chris345
ID: 34090539
I have been advised a possible way around this is to Set everyone as an administrator. Keep the default admin account  unrestricted, and then drill down the Local Policies in the GPO down to hardened specs.  

Then copy this local setting over to be setup as a default baseline for all new admin accounts.

Is this possible or are there any over advisable courses of action?

thanks


0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 34091287
i would agree giving them local admin rights so they can make the changes required, not really much else they can do except on the local systems, apart from installing software and updating drivers.

you might have issues copying the settings, as you can no longer copy/clone profile like you could under XP.
0
 
LVL 4

Expert Comment

by:Pro_
ID: 34091598
No organisations I worked within have allowed users to be in the local admin group on a machine. See http://www.petri.co.il/removing-end-users-from-the-local-administrators-group.htm - this is an example of the risks involved. The only solutions that I can think of would be to use an excrypted "runas" on the network control panel .cpl file or to add them to the "network configuration operators group" i.e. http://support.microsoft.com/kb/297938
0
Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

 

Author Comment

by:Chris345
ID: 34097951
Hi Pro

I do see what you are saying having everyone in the local admin group even if all other users are locked down in the Admin group it would cause issues, ie with write permissions etc.

Has anyone tried the RunasGui program and how has it worked for them?

I am still trying to track down the issue with the GPO. As it is still locking a user out when the GPO is active
0
 
LVL 4

Expert Comment

by:Pro_
ID: 34100362
You can use gpresult from a command line to see what policies are being applied to a user. You can also user group policy modelling from GPMC.

Did you try adding the user to the "network operators group"?

If you are going to use a "runas" untility for an end user to use it really needs to be encrypted so that they can't get administrator password. A good site to get things moving for you http://4sysops.com/archives/run-a-program-with-administrator-rights-runasspc-cpau-and-steel-run-as-compared/. I have used runaspc in a corporate environment before to run a .cpl file from control panel to allow users access to settings.
0
 

Author Comment

by:Chris345
ID: 34100457
I did try the network operators group, and it still elevated to asking for the admin password, I will have a look at the link you provided, as it appears this may be one of the few ways for me to get pass this problem.

I don't appear to have gpmc on the laptop, and it does not appear as one of the features I
 can turn on and off in windows features? I take it only comes with 2008 Server or windows 7 ultimate?

thanks
0
 
LVL 4

Expert Comment

by:Pro_
ID: 34100576
Chris

As you set a baseline on the laptops you may want to check local policy i.e. http://support.microsoft.com/kb/307882. As you are on Win7 see this link for getting the right tools sorted: http://www.youtube.com/watch?v=UsYkbLzVsM8.

If you have no joy changing the local policy (which you can save as a new template) you can try the encrypted runas. If anything its good experience to play around with as many organisations are so locked down these days that you need it!

Let us know how you get on.

Cheers

0
 

Author Comment

by:Chris345
ID: 34108688
I am now having a look at the following software
http://www.wingnutsoftware.com/

This is an encrypted version of RunAs. Now is anyone able to tell me how the network adaptor runs? Is it a process or a service / task? I am really after the command line I will need to put in, in order to get this to run. In my situation the laptop wil be running two nics.

Any further help with this would be great, and I appreciate the help so far.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34129866
You would have to use the Netsh command for command line NIC changes, like IP/Subnet mask etc......

Why not make them Users AND members of the "Network Configuration Operators" local group on the pc's?

A Description of the Network Configuration Operators Group
http://support.microsoft.com/kb/297938

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34129867
Sorry, you did that earlier. Youd have to disable UAC to get past that.......
0
 

Author Comment

by:Chris345
ID: 34133165
It looks like I may have sorted this out, it looks like NetSetMan enables a normal user to change network settings as required, it is installed as a service in services.msc if you so need it. Thereby bypassing the issue
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 34609021
Question PAQ'd and stored in the solution database.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now