Hello, We are attempting to change the way we set up users on their machines (primarily laptops) but are running into a few snags. Up until this point they have all been administrators on the computers but we are rethinking that strategy and would like to demote normal users to "limited" users. When connecting to an unknown network or one that has not yet been connected to, a limited user is prompted to provide admin credentials to connect to the network. It appears it is Windows Firewall asking for these credentials. Is there a way around this issue? We want users to be able to travel with their laptops and connect to networks as they please. I tried searching the forum but gave up after not finding anything close to this issue. Thanks for any help! Chris

Hi Chris, Before moving on, I would like to know the detailed settings you have taken which will prompt to provide admin credentials to connect to the network and if it is the UAC feature enabled or other settings? Based on my knowledge, there is some related information about this issue: If machine has enabled “Ability to Enable/Disable a LAN connection”, normal user can disable/enable LAN on the computer. To verify that, please logon the machine which normal user can disable/enable NIC card with “Local Administrator” privilege. 1. Run gpedit.msc 2. Expand to below “User Configuration”->”Administrative Templates”->”Network”->”Network Connections”. 3. Please verify if “Ability to Enable/Disable a LAN connection” is enabled, if it is, which means normal user can enable/disable network connection. Also, enable/disable will be affected by below registry key: NC_LanConnect You may modify the registry key to test this issue. For more information, please refer to the following link: Limited User cannot connect to Internet Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. You must be logged on as an Administrator to do this. Before modify the registry keys, please take a backup of the key. For more information about how to back up and restore the registry, please click the following link to view the article: Back up the registry Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Sabrina, Thank you for trying to help. I made the change in the Group Policy to enabled, created a limited user account and tried to connect to a network that had never been connected to before. I was able to make the connection, but when the "Set Network Location" box popped up and I selected "Work Network" it asked for an administrator password and would not allow me to set the location without it. It appears to be a UAC box prompting for the admin password. Is there something more I need to do to bypass the need for an admin password? BTW, this is on a Windows 7 Pro x32 laptop with UAC set to the defaults. Chris

Hi Chris, For the Network Location Type, to suppress the prompt, add the registry key “HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff” and we will default to the Public network setting. You may run the following command to achieve: REG.EXE ADD HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff /f Or you may set the Network Location manually, set the following value: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetworkValue (REG_DWORD): Category set to 0 or 1 0 = Public 1 = Private References: hide network wizard with the registry Disabling the Network Location Prompt Choosing a network location Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Chris, How are you? I would appreciate it if you could drop me a note to let me know the status of the issue. If you have any questions or concerns, please feel free to let me know. I am happy to be of further assistance. :) Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hello Sabrina, I was able to resolve the issue by adding the limited user to the "Network Configuration Operators" group. It then lets the user select the network location by giving them a limited admin privilege for making network connections. This is a group we don't mind giving them rights to. I do have another question though...we want our limited users to be able to install hardware such as printers, flash drives, etc. Is there a simple way of allowing this for limited users or a setting somewhere? Again, we would like them to be able to do this without needing the admin password. Thanks for all your help! I do appreciate it. Chris

I believe the policy necessary is "Allow Installation of Devices Using Drivers for These Device Classes." From there you can limit/expand certain group policies to include the privilege to install certain types of hardware. Utilizing the "Allow Administrators to Override Device Installation Policy" will do exactly how it sounds.

Hello Chris, Thank you for updating the status of our issue and I am glad to hear that the Network Configuration Operators Group settings resolved the issue. Also, regarding the limited users to install the hardware issue, I agree with 512hax0r. You may refer to the following article for the detailed steps: Configure Computer Policy to Allow Non-Administrators to Install Specific Devices Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I was able to find that setting in the Local Group Policy but I'm confused on adding certain types of group classes to the policy. Is there a way I can add "all" classes so that any hardware they connect, whether it be a printer or usb drive or scanner or whatever will allow them to install? Thanks for trying to help! Chris

Personally, unless Auto-Read is disabled, I wouldn't want to permit users the privileges of uninhibited Hardware usage. However, I believe that you must configure it per user. P.S. Active Directory is enabled in Win7 Pro? I thought it was only in Ultimate?

Hi Chris, I am afraid that the goal which you wanted cannot be achieved. You may refer to the following information: Stage a Device Driver in the Driver Store You can use the procedure to stage a device driver package in the driver store. By default, standard users can install only driver packages that are present in the driver store. Allowing non-administrator users to install devices and device drivers Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Yes, Win 7 Pro does have the local group policy editor. I suppose we will just have to make laptop users administrators then. Thanks for the info. Chris

Hi Chris, Thank you for your response. If you have any questions or concerns in the future, please feel free to let us know. We are happy to be of further assistance. :) Regards, Sabrina TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.