Allow TCP/IP advanced configuration for domain users that are not in local administrator group

    Question

  • Hi,

    I am in the process of removing the domain users from the local administrator group on my users' PCs.  We have a mix of Windows XP, Vista, Windows 7 and Windows 10.  Around 70% is Windows 10.

    How can I retain the ability for the users to change the IP address while removing the domain users from the local administrator group?

    I have read to add the users to "Network Configuration Operators".  Do I have any other configuration option to achieve the above configuration?

    Regards

    Mathew

    Sunday, December 11, 2016 6:23 AM

All replies

  • Hi Liby,

    First, I'd advise not to grant domain users permissions to change\modify TCP/IP configuration on domain computers unless there is a good reason for that.

    And to answer your question: actually, the easiest way is to add them to the "Network Configuration Operators" group, and you can also use GPO restricted group membership for that.

    So my question is: why are you still looking for an alternative?


    Thanks Mahmoud

    Sunday, December 11, 2016 6:52 AM
  • Hi
     
    On 11.12.2016 at 07:23, Liby wrote:
    > I have read to add the users to "Network Configuration Operators".
     
    Perfect. That's the right group and the reason why MS introduced this
    group in Windows XP.
     
    Win2K admins were complaining that users are not allowed to change IP,
    which is relevant in a lot of notebook/roadwarrior scenarios.
     
    Better use GPP Local Users and Groups to add users into the group,
    because you can handle them more granularly than when using restricted groups.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Sunday, December 11, 2016 10:36 AM
  • Thanks to both Mark & Mahmoud.

    Mahmoud,

    That was just a query to check if there was an alternate option, and for a granular option like allowing only DNS or gateway configuration.  Now with "Network Configuration Operators", I do not have this granularity.

    Mark,

    I believe GPP needs to be done using LAPS now.  Right?

    Please correct me if I am wrong.

    Sunday, December 11, 2016 11:18 AM
  • I believe GPP needs to be done using LAPS now.  Right?

    Please correct me if I am wrong.

    Hi,
    I think Mark’s meaning is to configure Local Group preference items via group policy. Local Group preference items allow you to centrally create, delete, and rename local groups. Also, you can use these preference items to change local group memberships. Please see details from:
    Configure a Local Group Item
    https://technet.microsoft.com/en-us/library/cc732525%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 12, 2016 6:09 AM
    Moderator
  • On 11.12.2016 at 12:18, Liby wrote:
    > I believe GPP needs to be done using LAPS now.  Right?
     
    No. See Wendy's answer.
    GPP and LAPS have nothing to do with each other. Or let's say, you find it
    in Google as a combination, because a lot of people want to set a local
    admin password. That could be done by GPP, until MS14-025.
    Now this option is greyed out and cannot be configured
    anymore.
     
    LAPS is a completely different approach to set the local admin password,
    but it is actually one of the best ways to handle that issue.
     
    GPP can set a single combination of "who is on which computer inside a
    group" and you can use variables.
     
    If you want "Willi" inside the Network Configuration Operators and you
    use restricted groups, then Willi is inside this group on EVERY machine
    the GPO is targeting. Probably you only want Willi on "Willi-PC"?
    Then you need to filter it ... that would lead to a single GPO per
    setting, which is ... functional, but not handsome.
     
    Better way to target this "1 to 1" situation:
    - create a domain security group, name it "Willi-PC-NetConfOps"
    - use GPP, new group, Action Update, choose "Network Configuration
    Operators" from the dropdown
    - add: "yourdomainname\%computername%-NetConfOps"
     
    One single GP, one single rule for all systems. You only need to create
    the domain security groups and add the desired users into them.
    The computer will resolve %computername%, and if it finds a group
    named like its name, it will add the group into its local group.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Monday, December 12, 2016 9:32 AM
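
    The per-computer group scheme from the reply above can be checked on a client with a read-only audit. This is an added example, not part of the original thread: CONTOSO is a placeholder domain name, the function names are hypothetical, and the "-NetConfOps" suffix is the one used in the reply.

```powershell
# Added example, not from the thread. CONTOSO is a placeholder NetBIOS domain name.
param(
    [string]$Domain = 'CONTOSO',
    [string]$Suffix = '-NetConfOps'
)

# Resolve the group by its well-known SID (S-1-5-32-556) so the script also
# works on localized Windows installations where the group name is translated.
function Get-NetConfOpsGroupName {
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-556'
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    ($account -split '\\')[-1]
}

# Enumerate members through the WinNT ADSI provider, which is available on
# every Windows version in the mix (XP through 10). Returns DOMAIN\name strings;
# orphaned accounts show up as a bare SID and are reported as unexpected.
function Get-LocalGroupMemberName {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Compare actual members with the single group this computer should contain.
# -contains and -ne are case-insensitive, matching Windows account names.
function Test-NetConfOpsMembership {
    param([string[]]$Members, [string]$Expected)
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Expected   = $Expected
        Present    = ($Members -contains $Expected)
        Unexpected = @($Members | Where-Object { $_ -ne $Expected })
    }
}

$expected = '{0}\{1}{2}' -f $Domain, $env:COMPUTERNAME, $Suffix
$members  = @(Get-LocalGroupMemberName -GroupName (Get-NetConfOpsGroupName))
Test-NetConfOpsMembership -Members $members -Expected $expected
```

    Any entry in Unexpected is an account that can change network settings on that machine without coming from the per-computer domain group, for example a leftover direct user membership.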
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, December 16, 2016 8:50 AM
    Moderator