Guest Blackberry Posted September 22, 2007 Posted September 22, 2007 Hi All I have a Win2k3 server setup at a school using AD/GPO to administer things. I have two sets of users, pupils and teachers, and I've tried to lock things down as much as possible really on both accounts where practical. The problem I have is that the teachers want to use their laptops on their networks (wireless and wired) at home and I therefore need to let them have access to the network connections/configurations so that they can change their ips, subnets, ssids, etc. As a test I added network administrators to the staff's account (ie they were network admins and domain users) and although they could get to the network properties main window it wouldn't let them into the tcp/ip config part to change stuff. I don't want to make them domain admins as I believe this will allow them to install and uninstall software (they always try and do this!!!) so is there anyway round this? I would have thought that assigning them as network admins would do the trick, what else does a network admin need to do???, but is it possible that another GPO param is stopping them from doing the job? Thanks
Guest Mathieu CHATEAU Posted September 22, 2007 Posted September 22, 2007 Re: Allowing user to modify their Network connections Hello, the good way is to have DHCP on your network. Else: USER Administrative Templates\ Network\ Network Connections Prohibit access to properties of a LAN connection Prohibit TCP/IP advanced configuration Prohibit access to properties of components of a LAN connection Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. Note: Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. -- Cordialement, Mathieu CHATEAU http://lordoftheping.blogspot.com "Blackberry" <info@NoSpamIt.com> wrote in message news:OGcbeXQ$HHA.700@TK2MSFTNGP05.phx.gbl... > Hi All > > I have a Win2k3 server setup at a school using AD/GPO to administer > things. > > I have two sets of users, pupils and teachers, and I've tried to lock > things > down as much as possible really on both accounts where practical. > > The problem I have is that the teachers want to use their laptops on their > networks (wireless and wired) at home and I therefore need to let them > have > access to the network connections/configurations so that they can change > their ips, subnets, ssids, etc. > > As a test I added network administrators to the staff's account (ie they > were network admins and domain users) and although they could get to the > network properties main window it wouldn't let them into the tcp/ip config > part to change stuff. > > I don't want to make them domain admins as I believe this will allow them > to > install and uninstall software (they always try and do this!!!) so is > there > anyway round this? > > I would have thought that assigning them as network admins would do the > trick, what else does a network admin need to do???, but is it possible > that > another GPO param is stopping them from doing the job? > > Thanks > >
Guest Blackberry Posted September 22, 2007 Posted September 22, 2007 Re: Allowing user to modify their Network connections Hi Mathieu Many thanks for the prompt and detailed reply. We use DHCP in school and I believe they use DHCP at home, so I think their main issue is setting the Wireless stuff up, ie SSID, etc. It looks like the settings you have suggested would cover that - correct? Thanks "Mathieu CHATEAU" <gollum123@free.fr> wrote in message news:%23Og51eQ$HHA.5980@TK2MSFTNGP04.phx.gbl... Hello, the good way is to have DHCP on your network. Else: USER Administrative Templates\ Network\ Network Connections Prohibit access to properties of a LAN connection Prohibit TCP/IP advanced configuration Prohibit access to properties of components of a LAN connection Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. If you enable this setting (and enable the Enable Network Connections settings for Administrators setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. Important: If the Enable Network Connections settings for Administrators is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. Note: Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. -- Cordialement, Mathieu CHATEAU http://lordoftheping.blogspot.com "Blackberry" <info@NoSpamIt.com> wrote in message news:OGcbeXQ$HHA.700@TK2MSFTNGP05.phx.gbl... > Hi All > > I have a Win2k3 server setup at a school using AD/GPO to administer > things. > > I have two sets of users, pupils and teachers, and I've tried to lock > things > down as much as possible really on both accounts where practical. > > The problem I have is that the teachers want to use their laptops on their > networks (wireless and wired) at home and I therefore need to let them > have > access to the network connections/configurations so that they can change > their ips, subnets, ssids, etc. > > As a test I added network administrators to the staff's account (ie they > were network admins and domain users) and although they could get to the > network properties main window it wouldn't let them into the tcp/ip config > part to change stuff. > > I don't want to make them domain admins as I believe this will allow them > to > install and uninstall software (they always try and do this!!!) so is > there > anyway round this? > > I would have thought that assigning them as network admins would do the > trick, what else does a network admin need to do???, but is it possible > that > another GPO param is stopping them from doing the job? > > Thanks > >
Guest Mathieu CHATEAU Posted September 22, 2007 Posted September 22, 2007 Re: Allowing user to modify their Network connections wifi should work without any privilege other than standard. Maybe they try to set static at home ? You should investigate more before changing anything -- Cordialement, Mathieu CHATEAU http://lordoftheping.blogspot.com "Blackberry" <info@NoSpamIt.com> wrote in message news:ejvYL6Q$HHA.3400@TK2MSFTNGP03.phx.gbl... > Hi Mathieu > > Many thanks for the prompt and detailed reply. > > We use DHCP in school and I believe they use DHCP at home, so I think > their > main issue is setting the Wireless stuff up, ie SSID, etc. > > It looks like the settings you have suggested would cover that - correct? > > Thanks > > > "Mathieu CHATEAU" <gollum123@free.fr> wrote in message > news:%23Og51eQ$HHA.5980@TK2MSFTNGP04.phx.gbl... > Hello, > > the good way is to have DHCP on your network. > > Else: > USER > Administrative Templates\ > Network\ > Network Connections > > Prohibit access to properties of a LAN connection > Prohibit TCP/IP advanced configuration > Prohibit access to properties of components of a LAN connection > > Determines whether users can change the properties of a LAN connection. > This setting determines whether the Properties menu item is enabled, and > thus, whether the Local Area Connection Properties dialog box is available > to users. If you enable this setting (and enable the Enable Network > Connections settings for Administrators setting), the Properties menu > items > are disabled for all users, and users cannot open the Local Area > Connection > Properties dialog box. Important: If the Enable Network Connections > settings for Administrators is disabled or not configured, this setting > will > not apply to administrators on post-Windows 2000 computers. If you > disable > this setting or do not configure it, a Properties menu item appears when > users right-click the icon representing a LAN connection. Also, when users > select the connection, Properties is enabled on the File menu. Note: This > setting takes precedence over settings that manipulate the availability of > features inside the Local Area Connection Properties dialog box. If this > setting is enabled, nothing within the properties dialog box for a LAN > connection is available to users. Note: Nonadministrators have the right > to > view the properties dialog box for a connection but not to make changes, > regardless of this setting. > > > -- > Cordialement, > Mathieu CHATEAU > http://lordoftheping.blogspot.com > > > "Blackberry" <info@NoSpamIt.com> wrote in message > news:OGcbeXQ$HHA.700@TK2MSFTNGP05.phx.gbl... >> Hi All >> >> I have a Win2k3 server setup at a school using AD/GPO to administer >> things. >> >> I have two sets of users, pupils and teachers, and I've tried to lock >> things >> down as much as possible really on both accounts where practical. >> >> The problem I have is that the teachers want to use their laptops on >> their >> networks (wireless and wired) at home and I therefore need to let them >> have >> access to the network connections/configurations so that they can change >> their ips, subnets, ssids, etc. >> >> As a test I added network administrators to the staff's account (ie they >> were network admins and domain users) and although they could get to the >> network properties main window it wouldn't let them into the tcp/ip >> config >> part to change stuff. >> >> I don't want to make them domain admins as I believe this will allow them >> to >> install and uninstall software (they always try and do this!!!) so is >> there >> anyway round this? >> >> I would have thought that assigning them as network admins would do the >> trick, what else does a network admin need to do???, but is it possible >> that >> another GPO param is stopping them from doing the job? >> >> Thanks >> >> > >
Guest Florian Frommherz [MVP] Posted September 22, 2007 Posted September 22, 2007 Re: Allowing user to modify their Network connections Howdie! Blackberry schrieb: > The problem I have is that the teachers want to use their laptops on their > networks (wireless and wired) at home and I therefore need to let them have > access to the network connections/configurations so that they can change > their ips, subnets, ssids, etc. Windows XP has a builtin-group called "Network Operators" - what about putting the teachers into that local Group? You could use the "Restricted Groups" feature for that: http://www.frickelsoft.net/blog/?p=13 cheers, Florian -- Microsoft MVP - Windows Server - Group Policy. eMail: prename [at] frickelsoft [dot] net. blog: http://www.frickelsoft.net/blog.
Recommended Posts