Networking and non Admin accounts.

Posted Tue, Aug 3 2004 5:47 by bill

Don Kiely blogged recently about wanting to be able to enable/disable network connections when running as a least privilege user (LPU).  I run as least privilege user on my laptop, and I had added my self to the Network Configuration Operators group.  But as Don pointed out to me, that also allows my account to do things such as modify the DNS settings and RAS properties, neither of which I really want or need. (see KB 297938).  So I quickly opened up Group Policy editor (gpedit.msc) and modified those settings J And just to show that a mere human can do this, here’s a screen shot (click on it the picture for larger view)

click on picture to see full size

You should notice that some of the settings I have as not configured.  These are things that I don’t want to enable for all members of the “users” group, and don’t want to disable them for me.  Group policy is applied last, so it overrides and settings I apply to my user account. So to be able to enable and disable network connections, I have to still add myself to the Network Configuration Operators group, but now I can’t modify the RAS entries to the TCPIP settings etc, which is exactly as I want it J

Comments

# re: Networking and non Admin accounts.

Tuesday, August 03, 2004 12:32 PM by bill

Hey Bill! Thanks for posting this. It's still not a mere mortal kind of thing, but it's definitely a step in the right direction.