Route.exe command permissions


Recommended Posts

Our users need to be able to add a route with the route.exe command in Windows. However, it says they do not have permission ("access denied"). I really don't feel like going around to every single computer and giving people admin rights on their local machine just to let them have permission to do this. I shouldn't have to give them full local machine admin rights to do this. Is there some way to do it from the DC? Through Group Policy -- or something? I've tried adding them to the Network Configuration Operators group, but that does nothing.

The DC is Server 2003, and the workstations are both 2000 and XP Pro.

Link to comment
https://www.neowin.net/forum/topic/387645-routeexe-command-permissions/
Share on other sites

  King Rilian said:
Our users need to be able to add a route with the route.exe command in Windows.  However, it says they do not have permission ("access denied").  I really don't feel like going around to every single computer and giving people admin rights on their local machine just to let them have permission to do this.  I shouldn't have to give them full local machine admin rights to do this.  Is there some way to do it from the DC?  Through Group Policy -- or something?  I've tried adding them to the Network Configuration Operators group, but that does nothing.

The DC is Server 2003, and the workstations are both 2000 and XP Pro.

586699786[/snapback]

:huh: For what possible reason in the WORLD would a "USER" need to add a route??

Where exactly are they trying to route too? Their machines should route to the DEFAULT gateway on your network..

If for some reason routes need to be added to the local machines, then this should be done by the network admin - not users!

if you really need to do this do it true a "OU" and apply proper rights eg: admin rights.

then make sure replication is done right away like that it will send the signal to every machines that needs that, then you can have then log off and log back in or reboot there own unit.

but seriously dont do it, as per if they had there own routes then they will be able to bypass all your security settings and had new devices to the network to go around your policies. and use software you dont want them to on there box

I always thought that the object of having a router was to route (hence the name). Why would any user ever need to set their own routes? 99.999% of the time you never have to worry about routes. The rest of the time is for inter site communication where the router selects the shortest route first instead of the fastest route first. But then again if you are dependant on inter site connection, you should have a leased line.

  MazX_Napalm said:
Why would any user ever need to set their own routes?

586708232[/snapback]

I completely agree with you! But there could be cases where you need to set up routes that are internal to the network - not a common thing, but I think your 99.999% might be a bit of an exaggeration :p

For example some device tied to a local machine that uses tcp/ip to talk to the host machine.. but is not directly tied to the lan, only to the host computer.. Testing equipment, measurement devices, camera's, etc.. And and another machine on the local network also needs access.

Say your local network is 10.10.10.0/24 and some device connected to the 10.10.10.100 machine using the 192.168.1.0/24 network..

If only 1 or 2 other machines on the network need access to this device.. you might want to setup a route on these machines to talk to the 10.10.10.100 machine if they need to get a device say on 192.168.1.10

It is possible that the gateway device for the local network does not support additional routes, or acls, etc.. so the best course of action might be routes on the machines than need to be able to find this 192.168.1.10 device.

But this normally would not be handled by the user ;)

I am very curious to why a user would think he needs to be able to add routes on the fly? Or for that matter why an admin would want to give this right to a user ;)

  BudMan said:
:huh: For what possible reason in the WORLD would a "USER" need to add a route??

Where exactly are they trying to route too?  Their machines should route to the DEFAULT gateway on your network..

If for some reason routes need to be added to the local machines, then this should be done by the network admin - not users!

586706214[/snapback]

You know, BudMan, for as much knowledge as you know, you can be quite insulting. However, this time, you really didn't give any information on how to fix this problem. We know why our users have to add routes. I shouldn't have to explain the in's and out's of our program operations to people on some Internet message board.

Thanks for the help. :)

Why does everyone keep asking why our users need to change routes? Why do I have to explain the in's and out's of what we do? You don't need to know, so, if you know the answer, why can't you just say so?

Bottom line, here's why they need to change routes. They do a failover test for a network application -- a failover test that ROUTES TO A DIFFERENT SERVER. I'm not going into it more than that.

Everyone can be curious to their heart's content, but if you're not going to bother to even answer a question (and therefore just demonstrate that you don't actually know the answer) then stop posting here, and let someone who DOES know the answer give a response.

Edited by King Rilian

Dude this is a community - if you do not feel like giving us the details, them maybe we dont feel like answering your question.. ;)

Put them in the

Network Configuration Operators Group

http://support.microsoft.com/default.aspx?...8&Product=winxp

This gives them the ability to configure their local connection, I would think it should also give them the ability to add routes.. Though I have never actually needed to test it.

edit;

I just tested it - and yes it allows them to add routes.. :cool:

You must not have put them in the group on the local machine -- do you need help on how to do this? ;) I do not believe this available in 2k

Edited by BudMan
  BudMan said:
Dude this is a community - if you do not feel like giving us the details, them maybe we dont feel like answering your question.. ;)

Put them in the

Network Configuration Operators Group

http://support.microsoft.com/default.aspx?...8&Product=winxp

This gives them the ability to configure their local connection, I would think it should also give them the ability to add routes.. Though I have never actually needed to test it.

edit;

I just tested it - and yes it allows them to add routes..  :cool:

You must not have put them in the group on the local machine -- do you need help on how to do this? ;)  I do not believe this available in 2k

586716460[/snapback]

I've already tried this, and it doesn't work. I'm not sure why it doesn't work. Well, that's not entirely true. It works if I do it on the local machine, but, as you stated, it's only available in XP. Good advice, though, but for some reason it just doesn't work.

While I'm at it, let me tell everyone that I have also already tried to give them full admin rights to just the route.exe file, but that doesn't work either. They still need some sort of permission to change network settings (i.e. add routes).

Edited by King Rilian

Off the top, your stuck with 2k machines?? Easy solution would be to upgrade them to XP ;)

Other than that, I do believe to allow nonadmins to change network stuff you will need to set the permissions you desire on the registry keys in question

Im pretty sure the 2k Group Policy stuff was just to prevent even admins from accessing these settings - example;

http://www.microsoft.com/resources/documen....asp?frame=true

The issues of having to be admin to change networks settings in 2k and NT, etc.. was the reason they came up with the network operators group in XP - I thought ;)

Don't have alot of 2k boxes left around to play with to test it for you.

You will need to adjust the registry permissions on the key(s) in question to allow nonadmins to mess with these settings. A great tool for figuring out which keys are being accessed is regmon from sysinternals "free". Another great one is filemon..

These are great tools to have in figuring out EXACTLY what something is trying to do.. Which in your case can make sure the account trying to do it has the permissions on the objects it needs... I have used these tool many times in working out how to get a nonadmin account the ability to run a program that the maker says the user needs admin rights for.. ;)

If I find some time, maybe I'll take a look at it for you - since I do not recall off the top the reg keys.. But most likley somewhere around here;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

As to why we ask for details of what your doing - sometimes people get it in their head there is only one way to do something.. Which may be the HARD way of accomplishing what their after.. If we know WHAT your trying to do - maybe there is an easier way of doing it, etc..

As to me being "insulting" -- still not sure how asking a question is insulting? How is asking why a user would need to add/change routes insulting?

Edited by BudMan
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Let's see how long this lasts. In the end, it comes down to productivity lost because of workflow disruptions. It's not even a question of "which is better", rather how painful will it be to switch and it's hard enough for a single person to switch - imagine an entire city's bureaucracy. Remember, there are governmental system in the US that are still using 5.25" floppy disks... Having been involved in these kinds of swaps, I can tell you - it's never as easy as the fanbase thinks it is.
    • Right, saw it in the microsoft blog, wasn't mentioned in the article, thanks.
    • Multiple internal and external HDDs from Seagate, Western Digital are now at great prices by Fiza Ali Amazon and Newegg are currently offering substantial discounts on a wide selection of internal and external hard drives from Seagate and Western Digital, with prices reduced across multiple capacities. The 4TB WD Purple Surveillance is a 3.5-inch SATA III drive offering sustained transfer rates of up to 175MB/s. It employs Conventional Magnetic Recording (CMR) with a 256MB cache buffer. The drive operates reliably between 0°C and 65°C and can be stored in temperatures ranging from –40°C to 70°C. Western Digital backs this unit with a three-year limited warranty as well. 4TB WD Purple Surveillance Internal HDD: $84.41 (Amazon US) - 8% off The 6TB WD Blue is also a 3.5-inch internal hard drive that connects via SATA III (6Gb/s) and delivers sustained transfer rates of up to 185MB/s. It spins at 5,400 RPM, employs Conventional Magnetic Recording (CMR) technology, and features a 256MB cache buffer. The drive operates reliably in temperatures from 0°C to 60°C (with safe storage down to –40°C and up to 70°C). It is backed by a two-year limited manufacturer’s warranty. 6TB WD Blue PC Internal HDD: $99.99 (Amazon US) - 17% off The 10TB WD Red Pro NAS drive comes in a 3.5-inch form factor and connects via SATA III (6Gb/s). It sustains transfer speeds of up to 267MB/s thanks to its 7,200 RPM spindle and 512MB cache buffer, and employs Conventional Magnetic Recording (CMR) for reliable multi-drive operation. It operates safely between 0°C and 65°C, can be stored or transported in temperatures from –40°C to 70°C, and is covered by Western Digital’s five-year limited warranty. 10TB WD Red Pro NAS Internal HDD: $237.49 (Amazon US) - 15% off This WD Elements Desktop external hard drive offers a 14TB of storage via a USB 3.0 interface (up to 5Gb/s), using a USB Micro-B connector that is backward-compatible with USB 2.0. It operates reliably between 5°C and 35°C and can be stored in temperatures ranging from –20°C to 65°C. The drive is powered by an external adapter and carries a two-year limited warranty. 14TB WD Elements Desktop External HDD: $199.99 (Amazon US) - 31% off The 16TB Seagate Expansion Desktop external hard drive delivers vast storage capacity in a simple, plug-and-play design. USB 3.0 connectivity provides high-speed data transfer rates. Out of the box, the Expansion Desktop model is recognised automatically by Windows, macOS, and ChromeOS systems. If you wish to use Apple’s Time Machine backup utility, the drive must be reformatted to the HFS+ file system. 16TB Seagate Expansion Desktop External HDD: $229.99 (Newegg) - 30% off The 16TB WD Elements desktop external HDD connects via a USB 3.0 interface using a Micro-B cable (up to 5Gb/s.) The drive features plug-and-play functionality, working straight out of the box with Windows PCs. It operates reliably in ambient temperatures from 5°C to 35°C and can be stored in temperatures ranging from –20°C to 65°C. The drive comes with a 2-year limited warranty as well. 16TB WD Elements Desktop External HDD: $249.99 + $20 off promo code SAAET2384 = 229.99 (Newegg) The 16TB Seagate BarraCuda 3.5-inch internal HDD offers Multi-Tier Caching Technology (MTC) which balances NAND flash, DRAM, and media cache layers to accelerate application launches, reduce load times, and maintain consistently high sustained read/write speeds. The included Seagate DiscWizard software simplifies drive migration, cloning, partitioning, and backup tasks. The drive is covered by a two-year limited warranty. 16TB Seagate BarraCuda Internal HDD: $194.99 (Newegg) - 7% off The 20TB Seagate Exos X20 delivers an enterprise-class solution for high-density storage environments and data centres. It offers a sustained sequential transfer rate of up to 285MB/s and advanced caching to ensure low-latency, repeatable response times for data-intensive workloads. It further features 550TB/year workload rating, 2.5 million-hour mean time between failures (MTBF), and five-year limited warranty. PowerChoice and PowerBalance technologies allow administrators to tailor power consumption profiles for active and idle states, reducing energy costs and cooling requirements. Hardware-based AES-256 encryption, password protection, and Seagate Secure certification safeguard sensitive data. 20TB Seagate Exos X20 Internal HDD: $379 + $50 off promo code EPET2523 = $329.99 (Newegg) This Amazon deal is US-specific and not available in other regions unless specified. If you don't like it or want to look at more options, check out the Amazon US deals page here. Get Prime (SNAP), Prime Video, Audible Plus or Kindle / Music Unlimited. Free for 30 days. As an Amazon Associate, we earn from qualifying purchases.
    • It's all 1Password's fault for using it before anyone else. 🙃
    • Of course you would say that James. Mr everything Microsoft does is perfect. Mr who posts " I love it " on most articles regarding Microsoft. At least Firefox isn't a bloated pig that has an embarrassingly low market share given it's the default. Mr Microsoft evangelical James needs to learn some self awareness. It's embarrassing for you to criticize any browser give your worship of Edge.
  • Recent Achievements

    • Collaborator
      Mighty Pen went up a rank
      Collaborator
    • Week One Done
      emptyother earned a badge
      Week One Done
    • Week One Done
      DarkWun earned a badge
      Week One Done
    • Very Popular
      valkyr09 earned a badge
      Very Popular
    • Week One Done
      suprememobiles earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      562
    2. 2
      +FloatingFatMan
      178
    3. 3
      ATLien_0
      175
    4. 4
      Xenon
      116
    5. 5
      Som
      109
  • Tell a friend

    Love Neowin? Tell a friend!