Posted (edited)

Hi everyone,

We have a domain with one Win2003 server as the DC and around 30 XP workstations, and the same number of users. None of the users have Admin rights. All the users belong to the same OU & group. They all have roaming profiles.

Since the users don't have admin rights, they cannot change the Network Settings (IP address, Subnet, gateway, DNS etc) on their local workstations. Out of the 30 users, I need to grant one user the right to change the Network settings on any local workstation, without granting that user any additional Admin privileges. How do I do that without creating a completely new group/OU and then setting the appropriate GPO settings on that group/OU?

Edited by Hamins

Posted

Hi Undeadsoldier,

Thanks for your response, but that's not what I'm looking for.

I want a user with non-admin rights to be able to change the IP address.

Posted

Use a netsh batch script and run it by a GPO (computer config, windows parameter, startup script). The script will be run with the local system account and should have more than enough rights.

Posted

Hi Allen,

Thanks for the response. What I meant was that I need a physical with non-admin rights, to be able to change the network settings (Manually).

Posted

Couldn't you create a sub-OU in the current one and block inheritance, then create a new policy that allows this user to access only network connections in control panel?

Posted

Yes yes, that's the obvious way of doing it. I'm wondering if there's another way of doing this, without creating another OU/Sub-OU.

Posted
You could also create a policy on the existing OU and filter it so that just one user gets that policy applied.

How do I do that? And would that slow things down? I heard creating/filtering too many policies slows and confuses things.

Posted

In short:

  • Create the new GPO and edit the settings as needed;
  • Select the "Scope" tab for the new GPO, remove "Authenticated Users" from the "Security Filtering" box and add the group(s) and/or user(s) you want the new GPO to apply to;
  • Link the new GPO to the desired OU, placing it above the original GPO so it has higher priority.

Refer to the article I linked to earlier for details. If you need more information, Google for "group policy security filtering" to get some more articles on the subject.
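
A scripted equivalent of the three steps in the post above, as an added example that is not part of the original thread. It assumes a management machine with the GroupPolicy PowerShell module (RSAT, Windows Server 2012 or later); the GPO name, OU path and user name are hypothetical placeholders.

```powershell
# Added example: security-filter a new GPO to one user and link it at top priority.
# All three values below are hypothetical placeholders; substitute your own.
Import-Module GroupPolicy

$GpoName  = 'Allow-NetworkSettings'            # hypothetical GPO name
$TargetOu = 'OU=Staff,DC=example,DC=local'     # hypothetical OU holding the users
$User     = 'jdoe'                             # hypothetical account to receive the GPO

# Step 1: create the GPO. Its settings are then edited in the Group Policy
# editor as described in the post; this script only handles scope and linking.
New-GPO -Name $GpoName -Comment 'Filtered to a single user' | Out-Null

# Step 2: remove the default "Authenticated Users" entry from Security Filtering,
# then grant Read + Apply (GpoApply) to the one user who should get the policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $User `
    -TargetType User -PermissionLevel GpoApply | Out-Null

# Step 3: link to the OU with link order 1 so it wins over the existing GPO.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null

# Check 1: only the intended user should hold the Apply permission.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Check 2: confirm the new GPO is first in the OU's link order.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Running `gpresult` as the target user on a workstation after the next policy refresh shows whether the filtered GPO was applied or denied by security filtering.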

Posted (edited)

Hi Ctrl-X,

I followed the steps you mentioned above to apply GPO filtering on a particular user. However, when that user logs onto any workstation, and tries accessing the properties on a LAN connection to change the IP address, he gets a message saying that access to the property page is restricted. I have created a new GPO with necessary settings under "User Configuration", to allow access to the network settings.

Edited by Hamins
