-3

I need to provide admin rights to every user, but the users should not be able to change network configuration settings.

For this I have enabled the following policies in User Configuration\Administrative Templates\Network\Network connections:

  • Enable Windows 2000 network connection settings for administrators

  • Prohibit access to properties of a LAN connection

  • Prohibit access to properties of components of a LAN connection

Users (that exist in administrators) still can change the LAN properties.

Are there any other solutions?

moronrats
  • "Are there any other solutions?" - what is the end result you're trying to achieve by keeping people from changing their network settings? – Bart Silverstrim Aug 24 '14 at 15:04

1 Answer

2

You're thinking about this backwards. If regular users need more rights, then assign them more. This is not "admin rights" or "non-admin rights". Windows has a lot more fine-grained permissions available. The whole design structure of permissions in Windows is about giving users extra permissions, NOT about giving access to everything then specifically denying something.

You can assign a group of users to have the specific right to do what you want to let them. I recommend you make a new security group for the users in question, and give that group access to whatever you like.

If you want a group of users to be able to run software with elevated privileges (aka run as admin) then you can give them just that right. You can even set the scope of that policy so they only have those rights on certain groups of computers.

Search for how to give users the specific permissions you need them to have.

BeowulfNode42
  • I have created another security group (TEST) & added users in it. I have given full rights to that group on C:\Program files & c:\windows & registry root. But after this the user can't even access Control Panel. – moronrats Aug 20 '14 at 06:02
  • With folders that have many sub-folders and levels of sub-folders, you will usually find that somewhere down the levels it will not just inherit permissions from its parent, and for a good reason. When editing permissions on the parent of such a folder use the advanced options to ensure you DO NOT "replace all child object permissions with inheritable permissions from this object" – BeowulfNode42 Aug 21 '14 at 02:39
  • While I haven't tested, I believe that if you give someone full access to the registry they can change things like network settings via the registry. Changing security permissions on the registry should be a last resort for an admin. Changing security permissions on the root of the registry should never be done. – BeowulfNode42 Aug 21 '14 at 02:41
  • I'm curious as to why you're trying to give full rights to the machine *except* network configs...? Is there a better way to achieve the end result you're really looking to achieve? – Bart Silverstrim Aug 24 '14 at 03:13
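
The comments above describe two things worth checking on a machine where folder permissions were edited by hand: subfolders that deliberately do not inherit from their parent, and explicit full-control grants to a non-admin group. The following PowerShell audit is an added example, not part of the original thread; the function name `Get-AclAuditFinding` and its parameters are made up for illustration, and `TEST` is the group name from the comment. It only reads ACLs and changes nothing.

```powershell
# Added example: read-only ACL audit for the two risks raised in the comments.
#  - InheritanceDisabled: folders that "replace all child object permissions"
#    would overwrite, because they were set not to inherit on purpose.
#  - ExplicitFullControl: a non-inherited Allow/FullControl ACE for $Group.
function Get-AclAuditFinding {
    param(
        [Parameter(Mandatory)] [string[]] $Root,
        [string] $Group = 'TEST',   # group name taken from the thread
        [int] $Depth = 3            # assumption: limit recursion to keep runs short
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($r in $Root) {
        $dirs  = @(Get-Item -LiteralPath $r -Force -ErrorAction SilentlyContinue)
        $dirs += Get-ChildItem -LiteralPath $r -Directory -Recurse -Depth $Depth `
                     -Force -ErrorAction SilentlyContinue
        foreach ($d in $dirs) {
            try   { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop }
            catch { continue }      # ACL not readable by this account: skip
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{ Path = $d.FullName
                                   Finding = 'InheritanceDisabled'
                                   Identity = $null }
            }
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                $isGroup = ($id -eq $Group) -or ($id -like "*\$Group")
                # ACEs stored as generic rights (GENERIC_ALL) are not decoded here.
                $isFull  = ($ace.FileSystemRights -band $full) -eq $full
                if ($isGroup -and $isFull -and -not $ace.IsInherited -and
                    $ace.AccessControlType -eq 'Allow') {
                    [pscustomobject]@{ Path = $d.FullName
                                       Finding = 'ExplicitFullControl'
                                       Identity = $id }
                }
            }
        }
    }
}

# Paths are the ones named in the comment above.
Get-AclAuditFinding -Root 'C:\Program Files', 'C:\Windows' -Group 'TEST' |
    Sort-Object Finding, Path | Format-Table -AutoSize
```

Run it from an elevated prompt so that system folders are readable; `-Depth` requires Windows PowerShell 5.0 or later.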