Limited User Connecting To Outside Networks
Hello,
We are attempting to change the way we set up users on their machines (primarily laptops) but are running into a few snags. Up until this point they have all been administrators on the computers but we are rethinking that strategy and would like to
demote normal users to "limited" users.
When connecting to an unknown network or one that has not yet been connected to, a limited user is prompted to provide admin credentials to connect to the network. It appears it is Windows Firewall asking for these credentials. Is there a way
around this issue? We want users to be able to travel with their laptops and connect to networks as they please. I tried searching the forum but gave up after not finding anything close to this issue.
Thanks for any help!
Chris
December 21st, 2010 2:13pm
Hi Chris,
Before moving on, I would like to know the detailed settings you have taken which will
prompt to provide admin credentials to connect to the network and if it is the UAC feature enabled or other settings?
Based on my
knowledge, there is some related information about this issue:
If machine has enabled “Ability to Enable/Disable a LAN
connection”, normal user can disable/enable LAN on the computer.
To verify that, please logon the machine which normal user can disable/enable NIC card with “Local Administrator” privilege.
1. Run gpedit.msc
2. Expand to below “User Configuration”->”Administrative Templates”->”Network”->”Network Connections”.
3. Please verify if “Ability to Enable/Disable a LAN connection” is enabled, if it is, which means normal user can enable/disable network
connection.
Also,
enable/disable will be affected by below registry key:
NC_LanConnect
You may modify the registry key to test this issue. For more information, please refer to the following link:
Limited User cannot connect to Internet
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
You must be logged on as an Administrator to do this.
Before modify the registry keys, please
take a backup of the key.
For more information about how to back up and restore the registry, please click the following link to view the article:
Back up the registry
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
December 22nd, 2010 4:53am
Sabrina,
Thank you for trying to help. I made the change in the Group Policy to enabled, created a limited user account and tried to connect to a network that had never been connected to before. I was able to make the connection, but when the "Set
Network Location" box popped up and I selected "Work Network" it asked for an administrator password and would not allow me to set the location without it. It appears to be a UAC box prompting for the admin password.
Is there something more I need to do to bypass the need for an admin password?
BTW, this is on a Windows 7 Pro x32 laptop with UAC set to the defaults.
Chris
December 22nd, 2010 10:46am
Hi Chris,
For the Network Location Type, to suppress the prompt, add the registry key “HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff”
and we will default to the Public network setting.
You may run the following command to achieve:
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff /f
Or you may set the Network Location manually, set the following value:
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetworkValue
(REG_DWORD): Category set to 0 or 1
0 = Public 1 = Private
References:
hide network
wizard with the registry
Disabling the Network
Location Prompt
Choosing a network location
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
tngfb@microsoft.com
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
December 23rd, 2010 4:54am
Hi Chris,
How are you? I would appreciate it if you could drop me a note to let me know the status of the issue. If you have any questions or
concerns, please feel free to let me know. I am happy to be of further assistance. :)
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
December 27th, 2010 9:01pm
Hello Sabrina,
I was able to resolve the issue by adding the limited user to the "Network Configuration Operators" group. It then lets the user select the network location by giving them a limited admin privilege for making network connections. This
is a group we don't mind giving them rights to.
I do have another question though...we want our limited users to be able to install hardware such as printers, flash drives, etc. Is there a simple way of allowing this for limited users or a setting somewhere? Again, we would like them to be able
to do this without needing the admin password.
Thanks for all your help! I do appreciate it.
Chris
Free Windows Admin Tool Kit Click here and download it now
December 28th, 2010 1:29pm
I believe the policy necessary is "Allow Installation of Devices Using Drivers for These Device Classes." From there you can limit/expand certain group policies to include the privilege to install certain types of hardware. Utilizing the "Allow
Administrators to Override Device Installation Policy" will do exactly how it sounds.
December 28th, 2010 7:20pm
Hello Chris,
Thank you for updating the status of our issue and I am glad to hear that the Network Configuration Operators Group settings resolved the issue.
Also, regarding the limited users to install the hardware issue, I agree with 512hax0r.
You may refer to the following article for the detailed steps:
Configure Computer Policy to Allow Non-Administrators to Install
Specific Devices
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
December 28th, 2010 10:31pm
I was able to find that setting in the Local Group Policy but I'm confused on adding certain types of group classes to the policy. Is there a way I can add "all" classes so that any hardware they connect, whether it be a printer or usb drive
or scanner or whatever will allow them to install?
Thanks for trying to help!
Chris
December 29th, 2010 11:42am
Personally, unless Auto-Read is disabled, I wouldn't want to permit users the privileges of uninhibited Hardware usage. However, I believe that you must configure it per user.
P.S. Active Directory is enabled in Win7 Pro? I thought it was only in Ultimate?
Free Windows Admin Tool Kit Click here and download it now
December 30th, 2010 12:40am
Hi Chris,
I am afraid that the goal which you wanted cannot be achieved.
You may refer to the following information:
Stage a Device Driver in the Driver Store
You can use the procedure to stage a device driver package in the driver store. By default, standard users can install only driver
packages that are present in the driver store.
Allowing non-administrator
users to install devices and device drivers
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
December 30th, 2010 3:09am
Yes, Win 7 Pro does have the local group policy editor.
I suppose we will just have to make laptop users administrators then. Thanks for the info.
Chris
Free Windows Admin Tool Kit Click here and download it now
December 30th, 2010 10:53am
Hi Chris,
Thank you for your response.
If you have any questions or concerns in the future, please feel free to let us know. We are happy to be of further assistance.
:)
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
tngfb@microsoft.comThis posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.
January 2nd, 2011 9:36pm