How do I allow users to change LAN in GPO settings?

Status
Not open for further replies.

MillMaster

IS-IT--Management
Jan 23, 2006
82
US
Ok, very simply, here is the problem. I am using 2003 SBS. I need to allow a certain set of users permission to change their LAN settings on their computers. I am used to the W2000 GPO interface, so I am not really sure how to set this up. Also, I was just having a hard time finding what setting allows me to do this, or is there a combination of settings? Also, I am assuming I am going to create a new group, and add those users to it, but how do I make sure that the settings only apply to that group?
 
Not quite sure what you're trying to do, but doesn't DHCP change the IP settings for you, or have I grabbed the wrong end of the CAT5 again?

Iain
 
Apply GPOs to OUs, not users/computers.

May I ask WHY you want the users to be able to make changes to their LAN settings? Seems like it would be nothing but trouble.

Pat Richard, MCSE MCSA:Messaging CNA MVP
Want to know how email works? Read for yourself -
 
Ok, here is WHY I want to do this...

I have 2 internet connections coming into the office right now. One is the normal SBC line we all use, and our main router is configured to use. DHCP comes from the server, and everyone is configured for auto IP/DNS.

I have a second connection that goes into a generic SOHO router. I have this router into our switch.

I downloaded a freeware program called SwitchPro that allows you to set up LAN profiles. I have one for auto DHCP/DNS, using the normal default gateway. I have another set to assign static IPs, Static DNS and a default gateway for the second connection.

The problem is that when I install that program, it works fine when I am logged in with admin permission. Normal users can activate the program, but the program will not change the LAN connection. (I'm thinking this is because they don't have permission to change it.)
 
As far as I know, the user will have to be a local admin on his machine to change the settings. I'm not sure you want to give your users this level of rights.

If anyone knows of specific rights you can grant through the local policy, or GPO, I'd be interested to hear, but the only way I know how is to be a local admin.
 
Well, I know there is a group on SBS called "Network Configuration Operators" that is supposed to allow for this kind of operation. And I am assuming that if I make them a member of "Power Users" it will give them enough permission as well?

(I want to do all this on the domain, not locally, BTW)
 
Create a new bat file Called DHCP and stick this in it:

netsh interface ip set address "Local Area Connection" dhcp

This will force your network card Local Area Connection to use your DHCP server. Then for the static, create another bat file called Static and pop this in:

netsh interface ip set address "Local Area Connection" static 192.168.0.101 255.255.255.0 192.168.0.1 1

This will assign the IP that you want. (IP / SNet / Gateway).

Sounds like the tool you are trying to use requires elevated permissions. This "should" allow pretty much any user to change their network settings by double-clicking the Bat file you stick on their desktops.

Hope this helps,
Iain
 
Is adding two static addresses to the one NIC on a workstation (one for your SBC line and one for your SOHO router) not an option or can't you have the two connections active at the same time?

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 
Spirit, that is a great idea. One thing.. what is the netsh command to set 2 static dns IPs?

@lad: The problem is that we want one DHCP addy then we need to switch to the static one for the time being.

Our problem is that we are rolling out a custom app that uses the internet to access a global database. We are having a lot of problems with our current ISP during certain times of the day. We set up this second connection as a way to switch people over to a different provider during those key times of increased latency. Really we just want the ability to test out this new connection, but we want all the users to be able to switch when they need to.
 
netsh interface ip set dns "Local Area Connection" static 192.168.0.1

where 192.168.0.1 is your DNS server ip.

Or for dhcp

netsh interface ip set dns "Local Area Connection" dhcp



Iain
 
mmmm.. it's all coming back now.. and to set primary and secondary dns I use register=primary after the first and index=2 after the second, yes?

and set wins will do my wins server?
 
Ok well I created 2 BATch files with the netsh commands. When I tested them out on my computer they worked out fine (My account is part of admin group). When I copy them to a normal users computer, I get an Access Denied error after every line tries to execute.

There is still some permission(s) that need to be set somewhere to allow the normal domain users the ability to change their TCP/IP settings...
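
The two bat files and the DNS commands posted above, combined into one switcher script, as an added example that is not from any poster in this thread. It assumes the thread's sample connection name and addresses; the secondary DNS 192.168.0.2 and the group EXAMPLE\LanSwitchers are placeholders, and it relies on the built-in Network Configuration Operators group mentioned earlier, whose documented purpose is to let members change TCP/IP settings without being local administrators.

```bat
@echo off
rem Added example: switch one NIC between the DHCP and static profiles.
rem
rem One-time setup per workstation, from an administrator prompt (or pushed
rem domain-wide with a GPO under Computer Configuration > Windows Settings >
rem Security Settings > Restricted Groups). EXAMPLE\LanSwitchers is a
rem placeholder domain group holding only the users who need to switch:
rem   net localgroup "Network Configuration Operators" "EXAMPLE\LanSwitchers" /add
rem Users must log off and on again before the new membership takes effect.

setlocal
set "NIC=Local Area Connection"
set RC=0

if /i "%~1"=="dhcp"   goto dhcp
if /i "%~1"=="static" goto static
echo Usage: %~nx0 dhcp ^| static
exit /b 2

:dhcp
rem netsh also reports an error if the interface is already set to DHCP.
netsh interface ip set address "%NIC%" dhcp
if errorlevel 1 set RC=1
netsh interface ip set dns "%NIC%" dhcp
if errorlevel 1 set RC=1
goto show

:static
rem IP / subnet mask / gateway / gateway metric (sample values from the thread)
netsh interface ip set address "%NIC%" static 192.168.0.101 255.255.255.0 192.168.0.1 1
if errorlevel 1 set RC=1
netsh interface ip set dns "%NIC%" static 192.168.0.1
if errorlevel 1 set RC=1
rem A second DNS server is appended with "add dns"; 192.168.0.2 is a placeholder.
netsh interface ip add dns "%NIC%" 192.168.0.2 index=2
if errorlevel 1 set RC=1
goto show

:show
rem Print the resulting settings so the user can confirm which profile is active.
netsh interface ip show config "%NIC%"
if "%RC%"=="1" echo netsh reported an error; see its messages above.
exit /b %RC%
```

Granting membership in this one group keeps users out of the local Administrators and Power Users groups, which carry far broader rights than changing an IP profile.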
 
Have you set up a group policy to block users changing their network settings?

Can you check the permissions on the following registry keys in local machine:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
SYSTEM\CurrentControlSet\Services\DHCP\Parameters\

Try tweaking the perms on a workstation and see if that helps.

 
Well, this whole topic started with me needing to know just where those group policy settings are made in 2003 SBS.
 
Not trying to tell you how to run your network, but wouldn't it be easier and make more sense to just change the routing to get the users to use the new ISP as a test for say a week? Re-evaluate and then decide to move or not.

My 2 pence!




Steve.

"They have the internet on computers now!" - Homer Simpson
 