Forcing Workstations to DHCP or Allowing Non-Admins Access to Alternate TCP/IP Config?

Ben

Hi,

We have our laptops locked down pretty tight, and the users aren't local
admins. This works pretty well internally as we run DHCP, and on client
sites who run DHCP, however some of our clients are running fixed IP
networks. This means if a user gets on site they may need to modify their
TCP/IP properties, which they can't do as a standard user.

I know there is a group policy setting to allow/prohibit certain sections of
network connections (User Config > Admin Template > Network > Network
Connections) but this means they could come back into the office with
non-standard IP settings, or even worse, a conflicting address.

Is there any way to force a workstation back to DHCP when it comes into the
office? Or would it be possible to prohibit access to the general TCP/IP
settings tab, but allow users access to the Alternate Config tab? This way
they could modify the TCP/IP properties when DHCP isn't available, but still
get DHCP info when it is available.

If there is a better way of doing this, please feel free to suggest!

Many thanks

Ben
 
Roger Abell [MVP]

You have covered most of the options but seem to be overlooking
the Network Configuration Operators group. The alternate network
config is the way to go, as you mentioned, but you still have the issue
that the fixed IP is only "fixed" per client site that does not use DHCP.
Making them members of the indicated group should get you going.
 
Ben

Hi Roger,

Thanks for the reply.

I hadn't considered this group, didn't even really know about it, I
generally just keep things down to Users, or Administrators, so as to make
sure users don't get elevated privileges when they don't need them. But
looking at the MS pages on 'Network Configuration Operators' it doesn't seem
too risky to add users to this group, and it looks like it will certainly
solve some of our problems.

I've found a nice script on TechNet that sets DHCP on IP enabled adaptors,
so I think I can add this as a computer startup script via GP, and it should
force any adaptor IP settings to reset. Not sure whether the script will run
every time the user boots, including if they are out of the office/on a
client site! Do you know if startup scripts get cached locally, or do they
only run when connected to the network?

Many thanks

Ben
 
Roger Abell [MVP]

Your scenario is exactly one of the main reasons that the group
I mentioned came into existence. It sounds like you have a user
education issue since if the alternate net config is used the main
network config is DHCP and on start it is used if possible with
the alternate coming into play if it cannot be used (i.e. instead of
failing over to an autonet IP). You would have an issue only if
they were bringing a box out of standby/hibernate, in which case
the GPO startup script would have no effect either. Anyway, you
might want to look at the slow link detection feature and add some
smarts to the startup script such as whether sysvol is reachable if
you do decide to use one, but again, it seems to me that informing
your users on how to use their new grant is the way to do this.

Roger
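
One way to write the startup script discussed above, as an added example that is not part of the thread and not the TechNet script Ben mentions: it resets statically configured adapters to DHCP, then uses the SYSVOL reachability test Roger suggests to log whether the machine ended up on the office network. It assumes Windows 8/Server 2012 or later (NetTCPIP cmdlets) and the policy from the thread that static addresses belong only on the Alternate Configuration tab; the domain name and log path are placeholders.

```powershell
# Added example. Runs elevated (a computer startup script runs as SYSTEM).
$Domain  = 'corp.example'                      # placeholder AD DNS domain name
$LogFile = "$env:ProgramData\Reset-Dhcp.log"   # hypothetical log location

function Reset-AdapterToDhcp {
    # Switch every connected physical adapter whose primary IPv4 settings are
    # static back to DHCP; returns one record per adapter that was changed.
    foreach ($nic in (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')) {
        $ipif = Get-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
        if ($ipif.Dhcp -eq 'Enabled') { continue }   # already compliant

        # Record what is being replaced so an address conflict can be traced.
        $old = (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
                ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }) -join ','

        # Drop a manually set default gateway, then hand address and DNS to DHCP.
        Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' `
            -ErrorAction SilentlyContinue | Remove-NetRoute -Confirm:$false
        Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Enabled
        Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ResetServerAddresses

        [pscustomobject]@{ Adapter = $nic.Name; PreviousAddress = $old }
    }
}

function Test-OfficeNetwork {
    # The check Roger suggests: is the domain's SYSVOL share reachable?
    param([int]$Retries = 6, [int]$DelaySeconds = 5)
    for ($i = 0; $i -lt $Retries; $i++) {
        if (Test-Path -LiteralPath "\\$Domain\SYSVOL") { return $true }
        Start-Sleep -Seconds $DelaySeconds     # give the DHCP lease time to arrive
    }
    return $false
}

$changed = @(Reset-AdapterToDhcp)
if ($changed.Count -gt 0) {
    $inOffice = Test-OfficeNetwork
    $stamp    = Get-Date -Format s
    foreach ($c in $changed) {
        Add-Content -Path $LogFile -Value (
            "$stamp reset $($c.Adapter) (was $($c.PreviousAddress)); SYSVOL reachable: $inOffice")
    }
}
```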
 
Guest

I have a similar issue. Laptop users need DHCP and static IP. So to clarify
and accomplish this task, I should leave the general configuration as "obtain
IP automatically" and "obtain DNS server automatically". However, under the
alternate configuration, I can use a static IP and ISP DNS server IPs,
correct? Then when DHCP is NOT available it will failover to the static IP.
Haven't gotten involved with group policy too much, so that option wasn't
going to work for me.

Thanks for any clarification or agreement.
 
