Route.exe command permissions

[Catharsis]

Our users need to be able to add a route with the route.exe command in Windows. However, it says they do not have permission ("access denied"). I really don't feel like going around to every single computer and giving people admin rights on their local machine just to let them have permission to do this. I shouldn't have to give them full local machine admin rights to do this. Is there some way to do it from the DC? Through Group Policy -- or something? I've tried adding them to the Network Configuration Operators group, but that does nothing.

The DC is Server 2003, and the workstations are both 2000 and XP Pro.

[+BudMan MVC]

  King Rilian said:

Our users need to be able to add a route with the route.exe command in Windows.  However, it says they do not have permission ("access denied").  I really don't feel like going around to every single computer and giving people admin rights on their local machine just to let them have permission to do this.  I shouldn't have to give them full local machine admin rights to do this.  Is there some way to do it from the DC?  Through Group Policy -- or something?  I've tried adding them to the Network Configuration Operators group, but that does nothing.

The DC is Server 2003, and the workstations are both 2000 and XP Pro.

586699786[/snapback]

:huh: For what possible reason in the WORLD would a "USER" need to add a route??

Where exactly are they trying to route too? Their machines should route to the DEFAULT gateway on your network..

If for some reason routes need to be added to the local machines, then this should be done by the network admin - not users!

[seafirex]

if you really need to do this do it true a "OU" and apply proper rights eg: admin rights.

then make sure replication is done right away like that it will send the signal to every machines that needs that, then you can have then log off and log back in or reboot there own unit.

but seriously dont do it, as per if they had there own routes then they will be able to bypass all your security settings and had new devices to the network to go around your policies. and use software you dont want them to on there box

[MazX_Napalm]

I always thought that the object of having a router was to route (hence the name). Why would any user ever need to set their own routes? 99.999% of the time you never have to worry about routes. The rest of the time is for inter site communication where the router selects the shortest route first instead of the fastest route first. But then again if you are dependant on inter site connection, you should have a leased line.

[+BudMan MVC]

  MazX_Napalm said:

Why would any user ever need to set their own routes?

586708232[/snapback]

I completely agree with you! But there could be cases where you need to set up routes that are internal to the network - not a common thing, but I think your 99.999% might be a bit of an exaggeration :p

For example some device tied to a local machine that uses tcp/ip to talk to the host machine.. but is not directly tied to the lan, only to the host computer.. Testing equipment, measurement devices, camera's, etc.. And and another machine on the local network also needs access.

Say your local network is 10.10.10.0/24 and some device connected to the 10.10.10.100 machine using the 192.168.1.0/24 network..

If only 1 or 2 other machines on the network need access to this device.. you might want to setup a route on these machines to talk to the 10.10.10.100 machine if they need to get a device say on 192.168.1.10

It is possible that the gateway device for the local network does not support additional routes, or acls, etc.. so the best course of action might be routes on the machines than need to be able to find this 192.168.1.10 device.

But this normally would not be handled by the user ;)

I am very curious to why a user would think he needs to be able to add routes on the fly? Or for that matter why an admin would want to give this right to a user ;)

[Catharsis]

  BudMan said:

:huh: For what possible reason in the WORLD would a "USER" need to add a route??

Where exactly are they trying to route too?  Their machines should route to the DEFAULT gateway on your network..

If for some reason routes need to be added to the local machines, then this should be done by the network admin - not users!

586706214[/snapback]

You know, BudMan, for as much knowledge as you know, you can be quite insulting. However, this time, you really didn't give any information on how to fix this problem. We know why our users have to add routes. I shouldn't have to explain the in's and out's of our program operations to people on some Internet message board.

Thanks for the help. :)

[Catharsis]

Why does everyone keep asking why our users need to change routes? Why do I have to explain the in's and out's of what we do? You don't need to know, so, if you know the answer, why can't you just say so?

Bottom line, here's why they need to change routes. They do a failover test for a network application -- a failover test that ROUTES TO A DIFFERENT SERVER. I'm not going into it more than that.

Everyone can be curious to their heart's content, but if you're not going to bother to even answer a question (and therefore just demonstrate that you don't actually know the answer) then stop posting here, and let someone who DOES know the answer give a response.

Edited October 23, 2005 by King Rilian

[+BudMan MVC]

Dude this is a community - if you do not feel like giving us the details, them maybe we dont feel like answering your question.. ;)

Put them in the

Network Configuration Operators Group

http://support.microsoft.com/default.aspx?...8&Product=winxp

This gives them the ability to configure their local connection, I would think it should also give them the ability to add routes.. Though I have never actually needed to test it.

edit;

I just tested it - and yes it allows them to add routes.. :cool:

You must not have put them in the group on the local machine -- do you need help on how to do this? ;) I do not believe this available in 2k

Edited October 24, 2005 by BudMan

[Catharsis]

  BudMan said:

Dude this is a community - if you do not feel like giving us the details, them maybe we dont feel like answering your question.. ;)

Put them in the

Network Configuration Operators Group

http://support.microsoft.com/default.aspx?...8&Product=winxp

This gives them the ability to configure their local connection, I would think it should also give them the ability to add routes.. Though I have never actually needed to test it.

edit;

I just tested it - and yes it allows them to add routes..  :cool:

You must not have put them in the group on the local machine -- do you need help on how to do this? ;)  I do not believe this available in 2k

586716460[/snapback]

I've already tried this, and it doesn't work. I'm not sure why it doesn't work. Well, that's not entirely true. It works if I do it on the local machine, but, as you stated, it's only available in XP. Good advice, though, but for some reason it just doesn't work.

While I'm at it, let me tell everyone that I have also already tried to give them full admin rights to just the route.exe file, but that doesn't work either. They still need some sort of permission to change network settings (i.e. add routes).

Edited October 24, 2005 by King Rilian

[Catharsis]

Also, I just wanted to apologize for being so sarcastic. I was tired and frustrated at the time yesterday, and I acted like a jerk. Sorry everyone.

[+BudMan MVC]

Off the top, your stuck with 2k machines?? Easy solution would be to upgrade them to XP ;)

Other than that, I do believe to allow nonadmins to change network stuff you will need to set the permissions you desire on the registry keys in question

Im pretty sure the 2k Group Policy stuff was just to prevent even admins from accessing these settings - example;

http://www.microsoft.com/resources/documen....asp?frame=true

The issues of having to be admin to change networks settings in 2k and NT, etc.. was the reason they came up with the network operators group in XP - I thought ;)

Don't have alot of 2k boxes left around to play with to test it for you.

You will need to adjust the registry permissions on the key(s) in question to allow nonadmins to mess with these settings. A great tool for figuring out which keys are being accessed is regmon from sysinternals "free". Another great one is filemon..

These are great tools to have in figuring out EXACTLY what something is trying to do.. Which in your case can make sure the account trying to do it has the permissions on the objects it needs... I have used these tool many times in working out how to get a nonadmin account the ability to run a program that the maker says the user needs admin rights for.. ;)

If I find some time, maybe I'll take a look at it for you - since I do not recall off the top the reg keys.. But most likley somewhere around here;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

As to why we ask for details of what your doing - sometimes people get it in their head there is only one way to do something.. Which may be the HARD way of accomplishing what their after.. If we know WHAT your trying to do - maybe there is an easier way of doing it, etc..

As to me being "insulting" -- still not sure how asking a question is insulting? How is asking why a user would need to add/change routes insulting?

Edited October 24, 2005 by BudMan