Announcement

Collapse
No announcement yet.

Permission to change TCP/IP settings.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Permission to change TCP/IP settings.

    Hello everyone I just want to thank everyone who is working on this site for all th great infor and guides that are being presented. I am a long time lurker here and this is the first time i register and post my problems so please bare with me

    Here goes:

    I am somehow new to active directory (Since i am still learning it),

    I have a slight problem:
    I created an OU with 3 users in it and all 3 belong to the 'network configuration operators' group (built in) and some group I created called 'IT' . I want to grant them the persmission to be able to change ip addresses/subnet/gateway/dns settings...
    So i right clicked on the ou -> properties ->group policy.

    I created a new 'Test Group Policy'. Then i Navigated down to User Configuration->Network->Network Connections and disabled this setting: Prohibit TCP/IP advanced configuration. I saved everything and restarted.
    I tried logging in on one of the pcs using a user account in that OU but I am not able to change the tcp/ip settings. I get a message telling me i do not have sufficient priveledges.
    I am running windows 2003 server with AD.
    My client pcs are all Windows XP Pro.


    Some Screenshots to illustrate my issue:
    Here is how my gpo looks like:


    This is what I get when I click on the properties button:



    Thank you once again,
    Best regards

  • #2
    Re: Permission to change TCP/IP settings.

    What local group is the user in?

    AFAIK you still need appropriate permissions on the local PC as well as permission through GP

    Tom
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Permission to change TCP/IP settings.

      AFAIK, and I could be wrong, but I think only the Adminstrators and the Network Configuration Operators groups can change TCP/IP settings (which you seems to know). But the Network Configuration Operators on the DC only applies to the DCs in the domain. You'll need to add an AD group (or users but not recommended) to the local Network Configuration Operators group on the computers you want to modify. You can do this through group policy using Restricted Groups. I should note that 2000 Pro does not have this group.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      Comment


      • #4
        Re: Permission to change TCP/IP settings.

        i saw you post here to:

        http://www.security-forums.com/viewt...9ccbff2b02aa2e

        i think they are correct... afaik you must be local admin to change the settings.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        Comment


        • #5
          Re: Permission to change TCP/IP settings.

          Thank you all for the quick reply,

          I will try the solutions mentioned.

          I thought that setting up the GP policy would be enough. I will also try configuring the GP on the local computer , is that what you meant?

          One of the things that I did was place the user in the Network Configuration group but still it refused to work.

          Concerning the post, yes Dumber you are right , I did this because i am really getting annoyed by this issue and somehow i feel the solution is simple but i am sure something is missing.


          Best regards
          Last edited by lallous; 22nd August 2006, 15:07.

          Comment


          • #6
            Re: Permission to change TCP/IP settings.

            Network Configuration group is only to change those settings on a DC.
            make the user a local admin and you'll see it will work.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            Comment


            • #7
              Re: Permission to change TCP/IP settings.

              Originally posted by Dumber
              Network Configuration group is only to change those settings on a DC.
              make the user a local admin and you'll see it will work.
              Yes I did make the user a domain admin and local admin(tried each seperatly), both worked. But i want to try to give such a priveledge to normal users.

              Is there a "run as" command to use for configuring the ip settings..etc?

              Comment


              • #8
                Re: Permission to change TCP/IP settings.

                sure..

                start --> run --> cmd
                runas


                or makemeadmin from aaron margosis
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"

                Comment


                • #9
                  Re: Permission to change TCP/IP settings.

                  Originally posted by Dumber
                  Network Configuration group is only to change those settings on a DC.
                  make the user a local admin and you'll see it will work.
                  XP has the Network Configuration group.

                  lallous, if you have XP clients you can use Restricted Groups to configure your clients through group policy.
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com

                  Comment


                  • #10
                    Re: Permission to change TCP/IP settings.

                    Originally posted by JeremyW
                    XP has the Network Configuration group.

                    lallous, if you have XP clients you can use Restricted Groups to configure your clients through group policy.
                    yes Jeremy infact all my clients are Windows Xp pro.

                    Comment


                    • #11
                      Re: Permission to change TCP/IP settings.

                      Originally posted by lallous
                      yes Jeremy infact all my clients are Windows Xp pro.
                      Great. They all have the Network Configuration group. All you have to do is add the users and groups you want to the Network Configuration group on each machine. But you can do it all at once using Restricted Groups
                      Regards,
                      Jeremy

                      Network Consultant/Engineer
                      Baltimore - Washington area and beyond
                      www.gma-cpa.com

                      Comment


                      • #12
                        Re: Permission to change TCP/IP settings.

                        Originally posted by JeremyW
                        Great. They all have the Network Configuration group. All you have to do is add the users and groups you want to the Network Configuration group on each machine. But you can do it all at once using Restricted Groups
                        Thanks ALOT Jeremy and the rest ofcourse , I will do that tomorrow and report back ASAP! for now I will be leaving work.

                        Best Regards

                        Comment


                        • #13
                          Re: Permission to change TCP/IP settings.

                          Fantastic! It finally worked with the use of restricted groups.

                          Thank You All!

                          Comment


                          • #14
                            Re: Permission to change TCP/IP settings.

                            Thanks for posting back. Glad to hear it's working.
                            Regards,
                            Jeremy

                            Network Consultant/Engineer
                            Baltimore - Washington area and beyond
                            www.gma-cpa.com

                            Comment

                            Working...
                            X