Allow Internet Options Connection Settings Changes with Password???

Posted on 2011-04-19
Medium Priority
Last Modified: 2012-05-11
I know this is a long shot, but figured I'd ask anyway.  We have a group policy object that points everyone to a pac file to go through Scansafe for internet access, so in Internet Options, "Use Automatic Configuration Script" is checked and the address listed. In the GPO, we also have enabled "Disable Changing Connection Settings" so that people can't go in to Internet Options and uncheck the auto config script setting.  All works well.

BUT, it would be nice if there was a way for administrators to be able to change the connection settings for trouble-shooting purposes.  I know I could set up another OU for admin users and then only have the "Disable Changing Connection Settings" apply to everyone else, but that would only work when the administrator signs in to the computer with their user id.  If I'm trouble-shooting why a user is having some random issue, it doesn't usually help to have them sign off and sign myself in.  And I know I could change the setting in the group policy to allow access to the connection settings while I am troubleshooting, but that's annoying too.  It would be great if I could just put in a password somewhere while the user is signed in, and then have access to change the connection settings.  (Sidenote -- because of our dumb Lotus Notes databases, everyone has to belong to the local adminstrator group on their computer).  

Anybody know of any way to set up group policy to be able to bypass the settings based on a password or something?  
Question by:cmg-support

Accepted Solution

wwakefield earned 1000 total points
ID: 35425523
If the GPO was applied to a user OU instead of machine OU, that would handle it.   I would think the admins could run IE under "RUN AS" then that would bypass.
LVL 11

Assisted Solution

Tasmant earned 1000 total points
ID: 35425792
If your GPO configured apply user settings, then you could create a security group with all your administrators, then add this group on the GPO, and deniy the "Apply GPO" security right for this group.
Therefore, any admin connecting on the workstations won't apply the GPO and can change the connections settings as they want. More, as "wwakefield" said, they could launch IE with runas command.
Else, you could change the way to configure IE. You can use auto-detect function to get WPAD from DHCP or DNS (DHCP is prior), and the wpad.dat file is the same as .pac file.
If you are afraid your users to change the connections settings, you can allow them to change settings, but force the IE policy to refresh even if no changes were made. So in any way, if users change settings, every 90 minutes the settings willbe enforced. This can be achieved is Administrative Templates/System/Group Policy/Internet Explorer Maintenance policy processing: check the process even if the group policy objects have not changed".
LVL 46

Expert Comment

by:Sjef Bosman
ID: 35426722
Just my sidenote: even a (dumb) administrator should be able to find out that Notes can be configured so that the folder tree is located in a user-accessible area where no local admin rights are required (outside the Program Files folder).
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 46

Expert Comment

by:Sjef Bosman
ID: 35427763
Ah, my bad, that sounds harsher than I meant it to be...

Author Closing Comment

ID: 35434946
Thanks everyone.  I will play around with it and see if I can get it to work putting admins in another OU so that the "Run As" will work.  Hadn't thought of that.  If not, might try the WPAD.  

NP sjef bosman -- it's someone else who is the Notes admin and we've had the admin necessity question for a while.  Thankfully we're slowly moving off of it anyway, so hopefully in a year the issue will go away.
LVL 46

Expert Comment

by:Sjef Bosman
ID: 35437229
Hiring a proper Domino admin is a lot cheaper in the end, in 99% of all cases.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question