For many organizations, the removal of local administrative privileges from client computers has been recommended and pursued as a long-term goal. Nevertheless, there are scenarios in which non-administrative users, including personnel in network departments or mobile technicians, need access to configure network settings for various purposes such as troubleshooting, testing, configuring, and other related tasks.
Due to the removal of their administrative privileges on their computers or the target machines, these tasks have become challenging for these users. One solution is to assign them membership in the Local Network Configuration Operators group.
This blog post provides a guide on solving the challenge by enabling these capabilities while addressing key considerations and potential security issues.
Understanding the Issue
In a typical enterprise setting, network configurations are managed by IT administrators. However, there are instances where non-admin users may need to modify network settings. For example:
- Members of the network department who need to troubleshoot connectivity issues.
- Mobile technicians who require access to adjust network settings in the field.
- Remote workers who need to configure network connections.
Granting these users the ability to configure network settings without making them full administrators can streamline operations and enhance productivity.
Important Considerations
Before allowing non-admin users to configure network settings, the following points should be considered:
- Evaluate the scope: Determine the extent of network settings they need to configure.
- Assess the necessity: Ensure that there is a genuine need for these users to have such permissions.
- Monitor and log activities: Implement logging and monitoring to track changes made by these users.
Possible Security Issues
While enabling non-admin users to configure network settings can be beneficial, it also introduces potential security risks:
- Unauthorized changes: Users may inadvertently or deliberately make changes that could disrupt the network.
- Elevated privileges: Adding users to the Network Configuration Operators group grants them elevated rights, which could be exploited.
- Compliance concerns: Ensure that this practice complies with organizational policies and regulatory requirements.
Adding Users to Network Configuration Operators Group
Granting non-admin users the ability to configure network settings involves adding them to the Network Configuration Operators group.
Network Configuration Operators: Members in this group can have some administrative privileges to manage configuration of networking features.
Using Windows Local Users and Groups Manager
Open the Start Menu, type lusrmgr.msc, then press Enter to open the Local Users and Groups manager.
In the left pane, click on Groups.
In the right pane, double-click on Network Configuration Operators.
Click the Add button, then enter the usernames of the non-admin users you want to add.
(Screenshot: Local Users and Groups > Adding users)
If you want to add a Cloud-only user, use the AzureAD\<UPN> format.
Click OK to confirm and close the dialog boxes.
Restart the computer.
Using Microsoft Intune Policy
Microsoft Intune can be used to add users to the Network Configuration Operators group through policy settings.
An alternative to adding specific named users to the local Network Configuration Operators group is to add Interactive Users instead.
Warning: This option raises several security concerns and considerations. Adding Interactive Users to the Network Configuration Operators group grants network configuration privileges to any user who logs into the system, potentially including unauthorized or less experienced users.
This approach can streamline the process by automatically including any user who logs on interactively, providing them with the necessary permissions.
Sign in to the Microsoft Intune admin center.
Go to Devices > Windows > Configuration.
Select Create > New Policy.
Select Windows 10 and later as the platform.
Choose Templates > Custom.
Select Create.
In Basics, configure the following settings:
Name: Enter a descriptive name for the profile, so you can easily identify it later.
Description: Enter a description for the profile. This setting is optional, but recommended.
Select Next.
In the OMA-URI Settings row, select Add.
Name: Configure
Description: Configure Local Group membership
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data type: String
Value:
<GroupConfiguration>
  <accessgroup desc="S-1-5-32-556">
    <group action="U"/>
    <add member="S-1-5-4"/>
  </accessgroup>
</GroupConfiguration>
Select Save.
Select Next.
Assign the policy to the appropriate group(s) or target applicable non-admin users only.
Select Next.
Add Applicability Rules if required and select Next.
Select Create.
Important: Using SIDs instead of group names ensures the policy works across languages.
To get the SID for Interactive Users (NT AUTHORITY\INTERACTIVE) or any other well-known SID, see the Microsoft Well-known SIDs article.
If you are new to creating Microsoft Intune custom configuration profiles, see How to configure Microsoft Intune custom policy.
Retrieve the SID for a local group using PowerShell
To retrieve the SID for a local group using PowerShell, follow these steps:
Open PowerShell with administrative privileges.
Execute the following commands to get the SID of the desired local group, for example Network Configuration Operators:
$group = Get-LocalGroup -Name "Network Configuration Operators"
$group | Select-Object *
The output will display the SID associated with the Network Configuration Operators group, which you can then use in your configuration settings:
Description     : Members in this group can have some administrative privileges to manage configuration of networking features
Name            : Network Configuration Operators
SID             : S-1-5-32-556
PrincipalSource : Local
ObjectClass     : Group
Organizations must weigh the risks against the operational benefits. It is crucial to implement strict monitoring and auditing mechanisms to track changes and enforce compliance. Additionally, consider providing thorough training and clear guidelines to users who may receive these elevated privileges.
By carefully evaluating these factors, organizations can decide whether to leverage the Interactive Users group or to continue with adding specific named users to maintain a more controlled and secure network environment.
Using PowerShell
If preferred, adding users to the Network Configuration Operators group can be achieved in a few simple steps using PowerShell or a PowerShell script.
Open PowerShell with administrative privileges.
Execute the following command to add a user to the Network Configuration Operators group:
Add-LocalGroupMember -Group "Network Configuration Operators" -Member "AzureAD\<UPN>"
Execute the following command to add Interactive Users to the Network Configuration Operators group using SIDs:
Add-LocalGroupMember -SID "S-1-5-32-556" -Member "S-1-5-4"
Execute the following commands to list members of the Network Configuration Operators group using the name or the SID:
Get-LocalGroupMember -Name "Network Configuration Operators"
Get-LocalGroupMember -SID "S-1-5-32-556"
To remove Interactive Users from the Network Configuration Operators group using SIDs, execute the following command:
Remove-LocalGroupMember -SID "S-1-5-32-556" -Member "S-1-5-4"
For further information, see the Microsoft documentation for Add-LocalGroupMember, Get-LocalGroupMember, and Remove-LocalGroupMember.
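As an added example (not part of the original post), the following Windows PowerShell script turns the "monitor and log activities" consideration into a check: it reads the group's membership by SID, flags Interactive Users (S-1-5-4) or any member not on an approved list, writes the drift to the Application event log, and exits non-zero so it can be used as an Intune remediation detection script. The approved-SID list, the event source name and the event ID are assumptions.

```powershell
# Added example, not from the original post. Intended for Windows PowerShell 5.1
# (the default for Intune scripts), run with administrative privileges.
# Exit 0 = membership matches the approved list, exit 1 = drift detected.

$GroupSid         = 'S-1-5-32-556'   # Network Configuration Operators (well-known alias SID)
$InteractiveSid   = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE (Interactive Users)
$AllowedSids      = @(               # assumption: SIDs of the approved named users
    'S-1-5-21-PLACEHOLDER-1105'      # placeholder for an approved technician's SID
)
$AllowInteractive = $false           # $true only if the Interactive Users variant is sanctioned

# Query by SID rather than name so the script works on any display language.
$members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop

$findings = foreach ($m in $members) {
    $sid = $m.SID.Value
    if ($sid -eq $InteractiveSid -and -not $AllowInteractive) {
        [pscustomobject]@{ Member = $m.Name; SID = $sid
                           Issue  = 'Interactive Users grants rights to every logged-on user' }
    }
    elseif ($sid -ne $InteractiveSid -and $sid -notin $AllowedSids) {
        [pscustomobject]@{ Member = $m.Name; SID = $sid
                           Issue  = 'Member is not on the approved list' }
    }
}

if ($findings) {
    # Record the drift where central log collection (SIEM) can pick it up.
    # Event source and ID are assumptions; New-EventLog registers the source once.
    $source = 'NetConfigOpsAudit'
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    $msg = ($findings | ForEach-Object { "$($_.Member) [$($_.SID)]: $($_.Issue)" }) -join "`n"
    Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 5560 -Message $msg
    Write-Output $msg
    exit 1   # Intune reports the device as "With issues" and can run a remediation script
}

Write-Output 'Network Configuration Operators membership matches the approved list.'
exit 0
```

A remediation script paired with this detection can use the Remove-LocalGroupMember command shown above to revert unapproved members, but review the findings first so a legitimately approved user is not removed.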
Conclusion
Enabling non-admin users to configure network settings can greatly enhance productivity and efficiency in various scenarios. By carefully managing their permissions through the local Network Configuration Operators group and Microsoft Intune, organizations can balance operational needs with security considerations. Always ensure that proper monitoring and compliance measures are in place to mitigate any potential risks.
Go explore.
–Jesper