Allow Internet Options Connection Settings Changes with Password???

Posted on 2011-04-19
Last Modified: 2012-05-11
I know this is a long shot, but figured I'd ask anyway.  We have a group policy object that points everyone to a pac file to go through Scansafe for internet access, so in Internet Options, "Use Automatic Configuration Script" is checked and the address listed. In the GPO, we also have enabled "Disable Changing Connection Settings" so that people can't go in to Internet Options and uncheck the auto config script setting.  All works well.

BUT, it would be nice if there was a way for administrators to be able to change the connection settings for trouble-shooting purposes.  I know I could set up another OU for admin users and then only have the "Disable Changing Connection Settings" apply to everyone else, but that would only work when the administrator signs in to the computer with their user id.  If I'm trouble-shooting why a user is having some random issue, it doesn't usually help to have them sign off and sign myself in.  And I know I could change the setting in the group policy to allow access to the connection settings while I am troubleshooting, but that's annoying too.  It would be great if I could just put in a password somewhere while the user is signed in, and then have access to change the connection settings.  (Sidenote -- because of our dumb Lotus Notes databases, everyone has to belong to the local adminstrator group on their computer).  

Anybody know of any way to set up group policy to be able to bypass the settings based on a password or something?  
Question by:cmg-support
    LVL 6

    Accepted Solution

    If the GPO was applied to a user OU instead of machine OU, that would handle it.   I would think the admins could run IE under "RUN AS" then that would bypass.
    LVL 11

    Assisted Solution

    If your GPO configured apply user settings, then you could create a security group with all your administrators, then add this group on the GPO, and deniy the "Apply GPO" security right for this group.
    Therefore, any admin connecting on the workstations won't apply the GPO and can change the connections settings as they want. More, as "wwakefield" said, they could launch IE with runas command.
    Else, you could change the way to configure IE. You can use auto-detect function to get WPAD from DHCP or DNS (DHCP is prior), and the wpad.dat file is the same as .pac file.
    If you are afraid your users to change the connections settings, you can allow them to change settings, but force the IE policy to refresh even if no changes were made. So in any way, if users change settings, every 90 minutes the settings willbe enforced. This can be achieved is Administrative Templates/System/Group Policy/Internet Explorer Maintenance policy processing: check the process even if the group policy objects have not changed".
    LVL 46

    Expert Comment

    by:Sjef Bosman
    Just my sidenote: even a (dumb) administrator should be able to find out that Notes can be configured so that the folder tree is located in a user-accessible area where no local admin rights are required (outside the Program Files folder).
    LVL 46

    Expert Comment

    by:Sjef Bosman
    Ah, my bad, that sounds harsher than I meant it to be...

    Author Closing Comment

    Thanks everyone.  I will play around with it and see if I can get it to work putting admins in another OU so that the "Run As" will work.  Hadn't thought of that.  If not, might try the WPAD.  

    NP sjef bosman -- it's someone else who is the Notes admin and we've had the admin necessity question for a while.  Thankfully we're slowly moving off of it anyway, so hopefully in a year the issue will go away.
    LVL 46

    Expert Comment

    by:Sjef Bosman
    Hiring a proper Domino admin is a lot cheaper in the end, in 99% of all cases.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
    Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
    This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
    How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now