How to allow user to change his IP address on Windows 10 (with domain account)

T Crha 381 Reputation points
2023-06-07T12:41:10.3933333+00:00

Hello,

recently I have been asked to somehow ensure that selected users will be able to perform a change on IP address on their Windows 10 devices - but just that, no other administrative tasks were required (so local administrator is off the table in this case).

There is a local group called Network Configuration Operators, but even when I add users domain account to the group, it is not possible for him to change the IP. It still requests administrative permissions and will not let him authenticate with provided credentials.

Is there any way how to do it?

Thank you,

Tomas

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,078 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,302 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 44,091 Reputation points
    2023-06-08T12:28:29.73+00:00

    Hello there

    please check this

    1. On a Microsoft Domain Controller, open ‘Active Directory Users and Computers.’
    2. Right-click on the OU that you want to create the GPO policy for and click ‘Properties.’ In this

    example ‘Test’ is the OU.

    1. Click on the ‘Group Policy’ tab, then click on the ‘New’ button.
    2. Name your new ‘Group Policy.’ For this example ‘Test Policy’ is used.
    3. Click ‘Edit’ within the test properties window, then navigate to ‘Computer Configuration’ >

    ‘Windows Settings’ > ‘Security Setting’ > ‘Restricted Groups’

    1. Right-click on the ‘Restricted Groups’ folder and click ‘Add Group’
    2. Name the group ‘Network Configuration Operators’ then click ‘OK’
    3. Right-click on the newly added group ‘Network Configuration Operators’ then click on ‘Security’
    4. Click on the ‘Add’ button under ‘Members of this group’ and add the Domain Users group specific

    to your domain. This example uses LABDOMAIN so the group ‘LABDOMAIN\Domain Users’

    was added. Other groups could be added at this time if necessary (LABDOMAIN\Msft is in this

    example), but is not necessary.

    1. Click ‘OK’ and close all windows to get back to the ‘Active Directory Users and Computers’

    window.

    1. Your GPO is now complete.
    2. Add your users/Computers to this OU (if you created a new OU), then have the hosts reboot their

    computers. A reboot is necessary because this GPO was applied to the computer.***

    1. Your ‘Domain Users’ should now have the ability to release/renew their IP information. This can be

    verified by opening a command prompt and typing:

    a. ipconfig release

    b. ipconfig renew

    c. If no errors were encountered, the GPO was added to the host properly. The NAC Appliance

    agent will now be able function properly.

    Summary: by using Active Directory’s Group Policy Objects, we can add the host-specific group called

    ‘Network Configuration Operators’ to each desktop. This group is not available as a built-in group within

    AD rather a group that exists on the host device as a limited permission group. GPO will leverage this host

    group, thus allowing ‘Domain Users’ to modify their IP info.

    ***A command can be run on the host device at a command prompt, instead of rebooting the host, that will

    force a GPO update to the domain: ‘gpupdate /force’ and optionally ‘gpresult > c:\results.txt’ for results.

    And see if it helps,

    Thank you

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments
  2. Marcel MUDILA 0 Reputation points
    2024-05-07T10:04:22.5433333+00:00

    The easiest way to do this is by delegating control to a group of users or user itself on the Laptop or Desktop OU. Below is the steps:

    1. Create a Security Group for Delegation Control. In my case for example SG-FGM-NETWORK-CONFIG-OPERATOTORS;
    2. Add members to this group;
    3. On Laptops or Desktops OU, configure a Delegation Control;
    4. On the Delegation of control wizard, add group or users;
    5. On the Task To delegate wizard, select create custom task to delegate;
    6. On the next page, select Only the following object in the folder;
    7. Scroll down the bar and select ip Network Objects and ip Protocol Objects and click next;
    8. On permission page, select creation/deletion of specific child objects
    9. Select Read, Write, Read All Properties and Write All Properties;
    10. Click next, then finish.
    11. Open the windows client laptop or Desktop with the account with delegated permission;
    12. Tape Windows + R then tape ncpa.cpl;
    13. Try to modify Ethernet Card properties, you will be prompted to provide password. Enter password.
    14. And Enjoy

    Marcel MUDILA

    Technical Support & Back Office Engineer

    Microsoft Certified Solutions Expert / MCT ID 12783576

    mmudila@tfm.cmoc.com

    Tenke Fungurume Mining /DRC

    0 comments