Windows 7/Vista network permissions for users

[jeff.sadowski]

I have been looking all over and can't seem to find any answers about this.

I have vpn users that I would like to give permissions to add routes from their vpn but no matter what I have tried it fails to work without running the vpn as administrator.

1.) I am against running it as administrator all the time as this defeats the point of UAC.

2.) I don't want my vpn users to have to click allow when they start the vpn application each time(this is just dumb there must be a way to grant users certain permissions without granting them all permissions).

3.) turning off UAC is not acceptable as this was the whole point of vista and 7.

4.) I am also against having the routes be static.

Didn't Microsoft leave some sort of way for vpn's to add routes as a normal user?

What do I need to do?

I added the vpn users to the "Network Configuration Operators" group but this seems to have no effect.

I tried re-logging in and restarting but nothing it doesn't appear to have changed anything.

What is this group for if not for allowing adding of routes?

the vpn has 2 different options for adding routes there should be some way to allow a user in a group to access at least one of these methods.

with "C:\WINDOWS\system32\route.exe ADD 192.168.29.0 MASK 255.255.255.0 192.168.16.1"

I get "The requested operation requires elevation."

(I don't want to run as admin is there some way of allowing a group the user is assigned to, to add routes)

With the system call CreateIpForwardEntry in the IPAPI

I get "Access is denied. [status=5 if_index=26]"

Where do I find out what status 5 and if_index 26 mean?

Is there some exclusion somewhere if a user is part of administrators do I need to do something else?

I could create 2 accounts per user one that isn't an admin on their machine if that would help.

Have them use the non admin account for work and the admin account if they need to install something.

[Tripredacus]

You won't be able to change the permissions of ROUTE (or set to run it as Administrator) but you might want to look at AppLocker if the version of Windows you are using supports it. I'm not sure if creating a rule for ROUTE will auto-elevate the program or not. You can try setting whatever program (your VPN software I imagine) that is doing the call to run as Administrator on the Compatibility tab.