What is the Best way to give AD domain User-x right to configure Network Properties?


Burt Reynolds

Hello,

Simple: Just wanted to give one of my users the right to configure and
examine his network properties. The "Network Configuration Operators"
group promises to do exactly this. How deceitful Microsoft features can
be.

I have a fresh install of W2k3 and an xp sp2 box newly joined to the
domain. I put User-X into an OU called Power and also put him into the
Administrators group AND the Network Configuration Operators group.

However, when he clicks on the network properties icon on his xp sp2
box, he always gets, "some of the controls on this property sheet
because you do not have sufficient privileges to access or change
them."

I tried logging him on/off 3 times and tried gpupdate /force many times.

This is a new w2k3 install and nothing is configured in any GPO. I know
there are gpo administrative templates for various network property
access, but if they are all "not configured" then they should not be
prohibitive right? Shouldn't placing the user in the Network
Configuration Operators group do what I want?

Isn't there an active directory way to allow him to change his network
properties without having to create a local machine account with the
same name and give him admin rights or "network operator rights"
locally?

Anyone been there...done that?


Thanks!

Love,

Poor besotted Admin
 
Are you putting the user in the Network Config group on the server or on the
local machine? It would need to be done locally.
You should be able to use Group Policy Restricted Groups to automatically
change membership of local groups.
 
Hi Simon,

Thanks for the informative post! So...there is no way to control the
Network Configuration rights without adding the user to the local
Network Configuration Operators group?

So adding a domain user account to the Network Configuration Operators
group on the domain controller in Active Directory is so that if the
user were to log onto the domain controller he could change the network
settings there, the settings of the DC itself?

I am just trying to understand what adding a user to the Network
Configuration Operators group on the domain controller does.

Thank you very much for your input.

Sincerely,

Burt

From: Simon Geary <[email protected]>
Newsgroups: microsoft.public.win2000.group_policy,
microsoft.public.windows.server.active_directory

Date: Sun, 1 May 2005 12:57:13 +0100
 
A DC can't have these groups listed in Computer Management. When you do try
to go to Local Users & Groups on a DC, you get this message in the right
hand pane of the MMC.

The computer <computername> is a domain controller. This snap-in cannot be
used on a domain controller. Domain accounts are managed with the Active
Directory Users and Computers snap-in.

If you have a security group that you created in Active Directory named
Network Configuration Operators, then it will either do nothing if you
haven't configured permissions granularly for it or made it a group of
another group (i.e. Domain Admins). You could conceivably make this group,
add your users, and then create a group policy for Restricted Groups and add
a domain based security group (Network Configuration Operators) to the
Network Configuration Operators on the local PCs. But to answer your
question, it's impossible to add people to the non-existent group on the dc.

Ken
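
The Restricted Groups approach Simon and Ken describe, written out as the security template section a GPO stores for it (an added example, not part of the thread). The domain group SID below is a constructed placeholder for a hypothetical domain group; S-1-5-32-556 is the well-known SID of the built-in Network Configuration Operators group.

```ini
; Added example: GptTmpl.inf as stored under
;   ...\Policies\{GPO GUID}\Machine\Microsoft\Windows NT\SecEdit\
; S-1-5-21-1111111111-2222222222-3333333333-1105 is a CONSTRUCTED SID
; standing in for a domain group that holds the users who may change
; network settings on their workstations.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; "This group is a member of" form: ADDITIVE.
; The domain group is added to each workstation's local
; Network Configuration Operators group; existing members are kept.
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-556
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =

; Alternative "Members of this group" form: AUTHORITATIVE.
; The local group is reset to exactly this list on every policy refresh,
; so anything added by hand on the workstation is removed.
; Use one form or the other, not both.
;*S-1-5-32-556__Memberof =
;*S-1-5-32-556__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
```

Restricted Groups is a computer setting, so the GPO has to be linked to the OU that holds the workstation's computer account, not the user's OU. The user picks up the new local group membership at the next logon.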
 
Hey Ken B,

Thanks for the reply.

Yes...although groups can't be accessed via the local computer's groups
mmc snap-in, as usually found in:

\right-click my computer\manage\local users and groups

...don't the local groups still exist, even on a domain controller? And
although not accessed in the normal way, here is where I accessed
them...and I didn't create the groups - they are built-in groups, as
seen in this screen shot:

http://www.geocities.com/invisiblefoxx/groups.jpg

As you can see, I added the domain user to what appear to be local
groups: administrators, domain users, and network configuration
operators.

So my question is, if the network configuration operators group is not
local, then what is it? I thought it would give domain users domain wide
access to the rights of network configuration operators, in the same way
adding someone to the administrators group would.

What exactly are the groups I'm seeing in this screenshot and how
extensive or limited are the rights bestowed when users are added to
them?

I agree...it doesn't make sense that they would be local group
privileges - that's why I thought adding user1 to the network
configuration operators would have domain wide results instead.

Thanks again for your input!

Burt R.



 
Aha... it appears as though you are using a 2003 domain... I haven't used
one of those yet. Haven't read up on the functionality and existence of
extra groups not in a 2000 domain.

Sorry, but this is where my knowledge ends ;(

Ken
 
Yes...as I originally thought. That's why I added user1 to the domain
wide group network configuration operators, but this seemed to have zero
effect on the workstation user1 uses. (sorry...couldn't avoid the
redundancy)

What is the intended effect of putting a domain user into the group,
because it sure doesn't seem to give the user the ability to even see
the full properties of network options/properties much less change them.

Thanks!

BR
 