What is the Best way to give AD domain User-x right to con..

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

Hello,

Simple: Just wanted to give one of my users the right to configure and
examine his network properties. The "Network Configuration Operators"
group promises to do exactly this. How deceitful Microsoft features can
be.

I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
domain. I put User-X into an OU called Power and also put him into the
Administrators group AND the Network Configuration Operators group.

However, when he clicks on the network properties icon on his xp sp2
box, he always gets, "some of the controls on this property sheet
because you do not have sufficient priviledges to access or change
them."

I tried logging him on/off 3 times and tried gpupdate /force many times.

This is a new w2k3 install and nothing is configured in any GPO. I know
there are gpo administrative templates for various network property
access, but if they are all "not configured" then they should not be
prohibitive right? Shouldn't placing the user in the Network
Configuration Operators group do what I want?

Isn't there an active directory way to allow him to change his network
properties without having to create a local machine account with the
same name and give him admin rights or "network operator rights"
locally?

Anyone been there...done that?


Thanks!

Love,

Poor besotted Admin
8 answers Last reply
More about what give domain user
  1. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Are you putting the user in the Network Config group on the server or on the
    local machine? It would need to be done locally.
    You should be able to use Group Policy Restricted Groups to automatically
    change membership of local groups.

    "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
    news:MPG.1cde663ab85228d09896df@news.easynews.com...
    > Hello,
    >
    > Simple: Just wanted to give one of my users the right to configure and
    > examine his network properties. The "Network Configuration Operators"
    > group promises to do exactly this. How deceitful Microsoft features can
    > be.
    >
    > I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
    > domain. I put User-X into an OU called Power and also put him into the
    > Administrators group AND the Network Configuration Operators group.
    >
    > However, when he clicks on the network properties icon on his xp sp2
    > box, he always gets, "some of the controls on this property sheet
    > because you do not have sufficient priviledges to access or change
    > them."
    >
    > I tried logging him on/off 3 times and tried gpupdate /force many times.
    >
    > This is a new w2k3 install and nothing is configured in any GPO. I know
    > there are gpo administrative templates for various network property
    > access, but if they are all "not configured" then they should not be
    > prohibitive right? Shouldn't placing the user in the Network
    > Configuration Operators group do what I want?
    >
    > Isn't there an active directory way to allow him to change his network
    > properties without having to create a local machine account with the
    > same name and give him admin rights or "network operator rights"
    > locally?
    >
    > Anyone been there...done that?
    >
    >
    > Thanks!
    >
    > Love,
    >
    > Poor besotted Admin
  2. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Hi Simon,

    Thanks for the informative post! So...there is no way to control the
    Network Configuration rights without adding the user to the local
    Network Configuration Operators group?

    So adding a domain user account to the Network Configuration Operators
    group on the domain controller in Active Directory is so that if the
    user were to log onto the domain controller he could change the network
    settings there, the settings of the DC itself?

    I am just trying to understand what adding a user to the Network
    Configuration Operators group on the domain controller does.

    Thank you very much for your input.

    Sincerely,

    Burt

    From: Simon Geary <simon_geary@hotmail.com>
    Newsgroups: microsoft.public.win2000.group_policy,
    microsoft.public.windows.server.active_directory

    Are you putting the user in the Network Config group on the server or on
    the
    local machine? It would need to be done locally.
    You should be able to use Group Policy Restricted Groups to
    automatically
    change membership of local groups.

    "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
    > Hello,
    >
    > Simple: Just wanted to give one of my users the right to configure and
    > examine his network properties. The "Network Configuration Operators"
    > group promises to do exactly this. How deceitful Microsoft features can
    > be.
    >
    > I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
    > domain. I put User-X into an OU called Power and also put him into the
    > Administrators group AND the Network Configuration Operators group.
    >
    > However, when he clicks on the network properties icon on his xp sp2
    > box, he always gets, "some of the controls on this property sheet
    > because you do not have sufficient priviledges to access or change
    > them."
    >
    > I tried logging him on/off 3 times and tried gpupdate /force many times.
    >
    > This is a new w2k3 install and nothing is configured in any GPO. I know
    > there are gpo administrative templates for various network property
    > access, but if they are all "not configured" then they should not be
    > prohibitive right? Shouldn't placing the user in the Network
    > Configuration Operators group do what I want?
    >
    > Isn't there an active directory way to allow him to change his network
    > properties without having to create a local machine account with the
    > same name and give him admin rights or "network operator rights"
    > locally?
    >
    > Anyone been there...done that?
    >
    >
    > Thanks!
    >
    > Love,
    >
    > Poor besotted Admin


    Date: Sun, 1 May 2005 12:57:13 +0100
  3. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    A DC can't have this groups listed in Computer Management. When you do try
    to go to Local Users & Groups on a DC, you get this message in the right
    hand pane of the MMC.

    The computer <computername> is a domain controller. This snap-in cannot be
    used on a domain controller. Domain accounts are managed with the Active
    Directory Users and Computers snap-in.

    If you have a security group that you created in Active Directory named
    Network Configuration Operators, then it will either do nothing if you
    haven't configured permissions granularly for it or made it a group of
    another group (i.e. Domain Admins). You could conceivably make this group,
    add your users, and then create a group policy for Restricted Groups and add
    a domain based security group (Network Configuration Operators) to the
    Network Configuration Operators on the local pc's. But to answer your
    question, it's impossible to add people to the non-existent group on the dc.

    Ken

    "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
    news:MPG.1ce207c1f96e50139896e0@news.easynews.com...
    >
    > Hi Simon,
    >
    > Thanks for the informative post! So...there is no way to control the
    > Network Configuration rights without adding the user to the local
    > Network Configuration Operators group?
    >
    > So adding a domain user account to the Network Configuration Operators
    > group on the domain controller in Active Directory is so that if the
    > user were to log onto the domain controller he could change the network
    > settings there, the settings of the DC itself?
    >
    > I am just trying to understand what adding a user to the Network
    > Configuration Operators group on the domain controller does.
    >
    > Thank you very much for your input.
    >
    > Sincerely,
    >
    > Burt
    >
    > From: Simon Geary <simon_geary@hotmail.com>
    > Newsgroups: microsoft.public.win2000.group_policy,
    > microsoft.public.windows.server.active_directory
    >
    > Are you putting the user in the Network Config group on the server or on
    > the
    > local machine? It would need to be done locally.
    > You should be able to use Group Policy Restricted Groups to
    > automatically
    > change membership of local groups.
    >
    > "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
    >> Hello,
    >>
    >> Simple: Just wanted to give one of my users the right to configure and
    >> examine his network properties. The "Network Configuration Operators"
    >> group promises to do exactly this. How deceitful Microsoft features can
    >> be.
    >>
    >> I Have a fresh install of W2k3 and an xp sp2 box newly joined to the
    >> domain. I put User-X into an OU called Power and also put him into the
    >> Administrators group AND the Network Configuration Operators group.
    >>
    >> However, when he clicks on the network properties icon on his xp sp2
    >> box, he always gets, "some of the controls on this property sheet
    >> because you do not have sufficient priviledges to access or change
    >> them."
    >>
    >> I tried logging him on/off 3 times and tried gpupdate /force many times.
    >>
    >> This is a new w2k3 install and nothing is configured in any GPO. I know
    >> there are gpo administrative templates for various network property
    >> access, but if they are all "not configured" then they should not be
    >> prohibitive right? Shouldn't placing the user in the Network
    >> Configuration Operators group do what I want?
    >>
    >> Isn't there an active directory way to allow him to change his network
    >> properties without having to create a local machine account with the
    >> same name and give him admin rights or "network operator rights"
    >> locally?
    >>
    >> Anyone been there...done that?
    >>
    >>
    >> Thanks!
    >>
    >> Love,
    >>
    >> Poor besotted Admin
    >
    >
    > Date: Sun, 1 May 2005 12:57:13 +0100
  4. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Hey Ken B,

    Thanks for the reply.

    Yes...although groups can't be accessed via the local computer's groups
    mmc snap-in, as usually found in:

    \right-click my computer\manage\local users and groups

    ....don't the local groups still exist, even on a domain controller? And
    although not accessed in the normal way, here is where I accessed
    them...and I didn't create the groups - they are built in groups, as
    seen in this screen shot:

    http://www.geocities.com/invisiblefoxx/groups.jpg

    As you can see, I added the domain user to what appear to be local
    groups: administrators, domain users, and network configuration
    operators.

    So my question is, if the network configuration operators group is not
    local, then what is it? I thought it would give domain users domain wide
    access to the rights of network configuration operators, in the same way
    adding someone to the administrators group would.

    What exactly are the groups I'm seeing in this screenshot and how
    extensive or limited are the rights bestowed when users are added to
    them?

    I agree...it doesn't make sense that they would be local group
    priviledges - that's why I thought adding user1 to the network
    configuration operators would have domain wide results instead.

    Thanks again for your input!

    Burt R.


    you wrote:


    A DC can't have this groups listed in Computer Management. When you do
    try
    to go to Local Users & Groups on a DC, you get this message in the right
    hand pane of the MMC.

    The computer <computername> is a domain controller. This snap-in cannot
    be
    used on a domain controller. Domain accounts are managed with the
    Active
    Directory Users and Computers snap-in.

    If you have a security group that you created in Active Directory named
    Network Configuration Operators, then it will either do nothing if you
    haven't configured permissions granularly for it or made it a group of
    another group (i.e. Domain Admins). You could conceivably make this
    group,
    add your users, and then create a group policy for Restricted Groups and
    add
    a domain based security group (Network Configuration Operators) to the
    Network Configuration Operators on the local pc's. But to answer your
    question, it's impossible to add people to the non-existent group on the
    dc.

    Ken
  5. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Aha... it appears as though you are using a 2003 domain... I haven't used
    one of those yet. Haven't read up on the functionality and existence of
    extra groups not in a 2000 domain.

    Sorry, but this is where my knowledge ends ;(

    Ken

    "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
    news:MPG.1ce2df261513c7999896e1@news.easynews.com...
    > Hey Ken B,
    >
    > Thanks for the reply.
    >
    > Yes...although groups can't be accessed via the local computer's groups
    > mmc snap-in, as usually found in:
    >
    > \right-click my computer\manage\local users and groups
    >
    > ...don't the local groups still exist, even on a domain controller? And
    > although not accessed in the normal way, here is where I accessed
    > them...and I didn't create the groups - they are built in groups, as
    > seen in this screen shot:
    >
    > http://www.geocities.com/invisiblefoxx/groups.jpg
    >
    > As you can see, I added the domain user to what appear to be local
    > groups: administrators, domain users, and network configuration
    > operators.
    >
    > So my question is, if the network configuration operators group is not
    > local, then what is it? I thought it would give domain users domain wide
    > access to the rights of network configuration operators, in the same way
    > adding someone to the administrators group would.
    >
    > What exactly are the groups I'm seeing in this screenshot and how
    > extensive or limited are the rights bestowed when users are added to
    > them?
    >
    > I agree...it doesn't make sense that they would be local group
    > priviledges - that's why I thought adding user1 to the network
    > configuration operators would have domain wide results instead.
    >
    > Thanks again for your input!
    >
    > Burt R.
    >
    >
    >
    > you wrote:
    >
    >
    > A DC can't have this groups listed in Computer Management. When you do
    > try
    > to go to Local Users & Groups on a DC, you get this message in the right
    > hand pane of the MMC.
    >
    > The computer <computername> is a domain controller. This snap-in cannot
    > be
    > used on a domain controller. Domain accounts are managed with the
    > Active
    > Directory Users and Computers snap-in.
    >
    > If you have a security group that you created in Active Directory named
    > Network Configuration Operators, then it will either do nothing if you
    > haven't configured permissions granularly for it or made it a group of
    > another group (i.e. Domain Admins). You could conceivably make this
    > group,
    > add your users, and then create a group policy for Restricted Groups and
    > add
    > a domain based security group (Network Configuration Operators) to the
    > Network Configuration Operators on the local pc's. But to answer your
    > question, it's impossible to add people to the non-existent group on the
    > dc.
    >
    > Ken
  6. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Hey Ken,

    Yeah...learn one thing...out comes a new thing :)

    So I am still trying to figure out if the groups I see in this picture
    apply locally, domain wide, or both?

    http://www.geocities.com/invisiblefoxx/groups.jpg

    -BR


    In article <e0XwrdOUFHA.3152@TK2MSFTNGP12.phx.gbl>, none@microsoft.com
    says...
    > Aha... it appears as though you are using a 2003 domain... I haven't used
    > one of those yet. Haven't read up on the functionality and existence of
    > extra groups not in a 2000 domain.
    >
    > Sorry, but this is where my knowledge ends ;(
    >
    > Ken
    >
    > "Burt Reynolds" <burtreynolds@simplyburt.com> wrote in message
    > news:MPG.1ce2df261513c7999896e1@news.easynews.com...
    > > Hey Ken B,
    > >
    > > Thanks for the reply.
    > >
    > > Yes...although groups can't be accessed via the local computer's groups
    > > mmc snap-in, as usually found in:
    > >
    > > \right-click my computer\manage\local users and groups
    > >
    > > ...don't the local groups still exist, even on a domain controller? And
    > > although not accessed in the normal way, here is where I accessed
    > > them...and I didn't create the groups - they are built in groups, as
    > > seen in this screen shot:
    > >
    > > http://www.geocities.com/invisiblefoxx/groups.jpg
    > >
    > > As you can see, I added the domain user to what appear to be local
    > > groups: administrators, domain users, and network configuration
    > > operators.
    > >
    > > So my question is, if the network configuration operators group is not
    > > local, then what is it? I thought it would give domain users domain wide
    > > access to the rights of network configuration operators, in the same way
    > > adding someone to the administrators group would.
    > >
    > > What exactly are the groups I'm seeing in this screenshot and how
    > > extensive or limited are the rights bestowed when users are added to
    > > them?
    > >
    > > I agree...it doesn't make sense that they would be local group
    > > priviledges - that's why I thought adding user1 to the network
    > > configuration operators would have domain wide results instead.
    > >
    > > Thanks again for your input!
    > >
    > > Burt R.
    > >
    > >
    > >
    > > you wrote:
  7. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Those are all domain-wide groups.

    --
    Todd J Heron, MCSE
    Windows Server 2003/2000/NT; CCA
    ----------------------------------------------------------------------------
    This posting is provided "as is" with no warranties and confers no rights
  8. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.server.active_directory (More info?)

    Yes...as I originally thought. That's why I added user1 to the domain
    wide group network configuration operators, but this seemed to have zero
    effect on the workstation user1 uses. (sorry...couldn't avoid the
    redundancy)

    What is the intended effect of putting a domain user into the group,
    because it sure doesn't seem to give the user the ability to even see
    the full properties of network options/properties much less change them.

    Thanks!

    BR


    In article <OatDUzWUFHA.628@tk2msftngp13.phx.gbl>,
    todd_heron_no_spam@hotmail.com says...
    > Those are all domain-wide groups.
    >
    >
Ask a new question

Read More

Network Configuration Microsoft Active Directory Windows