Route.exe command permissions


Recommended Posts

Our users need to be able to add a route with the route.exe command in Windows. However, it says they do not have permission ("access denied"). I really don't feel like going around to every single computer and giving people admin rights on their local machine just to let them have permission to do this. I shouldn't have to give them full local machine admin rights to do this. Is there some way to do it from the DC? Through Group Policy -- or something? I've tried adding them to the Network Configuration Operators group, but that does nothing.

The DC is Server 2003, and the workstations are both 2000 and XP Pro.

Link to comment
https://www.neowin.net/forum/topic/387645-routeexe-command-permissions/
Share on other sites

  King Rilian said:
Our users need to be able to add a route with the route.exe command in Windows.  However, it says they do not have permission ("access denied").  I really don't feel like going around to every single computer and giving people admin rights on their local machine just to let them have permission to do this.  I shouldn't have to give them full local machine admin rights to do this.  Is there some way to do it from the DC?  Through Group Policy -- or something?  I've tried adding them to the Network Configuration Operators group, but that does nothing.

The DC is Server 2003, and the workstations are both 2000 and XP Pro.

586699786[/snapback]

:huh: For what possible reason in the WORLD would a "USER" need to add a route??

Where exactly are they trying to route too? Their machines should route to the DEFAULT gateway on your network..

If for some reason routes need to be added to the local machines, then this should be done by the network admin - not users!

if you really need to do this do it true a "OU" and apply proper rights eg: admin rights.

then make sure replication is done right away like that it will send the signal to every machines that needs that, then you can have then log off and log back in or reboot there own unit.

but seriously dont do it, as per if they had there own routes then they will be able to bypass all your security settings and had new devices to the network to go around your policies. and use software you dont want them to on there box

I always thought that the object of having a router was to route (hence the name). Why would any user ever need to set their own routes? 99.999% of the time you never have to worry about routes. The rest of the time is for inter site communication where the router selects the shortest route first instead of the fastest route first. But then again if you are dependant on inter site connection, you should have a leased line.

  MazX_Napalm said:
Why would any user ever need to set their own routes?

586708232[/snapback]

I completely agree with you! But there could be cases where you need to set up routes that are internal to the network - not a common thing, but I think your 99.999% might be a bit of an exaggeration :p

For example some device tied to a local machine that uses tcp/ip to talk to the host machine.. but is not directly tied to the lan, only to the host computer.. Testing equipment, measurement devices, camera's, etc.. And and another machine on the local network also needs access.

Say your local network is 10.10.10.0/24 and some device connected to the 10.10.10.100 machine using the 192.168.1.0/24 network..

If only 1 or 2 other machines on the network need access to this device.. you might want to setup a route on these machines to talk to the 10.10.10.100 machine if they need to get a device say on 192.168.1.10

It is possible that the gateway device for the local network does not support additional routes, or acls, etc.. so the best course of action might be routes on the machines than need to be able to find this 192.168.1.10 device.

But this normally would not be handled by the user ;)

I am very curious to why a user would think he needs to be able to add routes on the fly? Or for that matter why an admin would want to give this right to a user ;)

  BudMan said:
:huh: For what possible reason in the WORLD would a "USER" need to add a route??

Where exactly are they trying to route too?  Their machines should route to the DEFAULT gateway on your network..

If for some reason routes need to be added to the local machines, then this should be done by the network admin - not users!

586706214[/snapback]

You know, BudMan, for as much knowledge as you know, you can be quite insulting. However, this time, you really didn't give any information on how to fix this problem. We know why our users have to add routes. I shouldn't have to explain the in's and out's of our program operations to people on some Internet message board.

Thanks for the help. :)

Why does everyone keep asking why our users need to change routes? Why do I have to explain the in's and out's of what we do? You don't need to know, so, if you know the answer, why can't you just say so?

Bottom line, here's why they need to change routes. They do a failover test for a network application -- a failover test that ROUTES TO A DIFFERENT SERVER. I'm not going into it more than that.

Everyone can be curious to their heart's content, but if you're not going to bother to even answer a question (and therefore just demonstrate that you don't actually know the answer) then stop posting here, and let someone who DOES know the answer give a response.

Edited by King Rilian

Dude this is a community - if you do not feel like giving us the details, them maybe we dont feel like answering your question.. ;)

Put them in the

Network Configuration Operators Group

http://support.microsoft.com/default.aspx?...8&Product=winxp

This gives them the ability to configure their local connection, I would think it should also give them the ability to add routes.. Though I have never actually needed to test it.

edit;

I just tested it - and yes it allows them to add routes.. :cool:

You must not have put them in the group on the local machine -- do you need help on how to do this? ;) I do not believe this available in 2k

Edited by BudMan
  BudMan said:
Dude this is a community - if you do not feel like giving us the details, them maybe we dont feel like answering your question.. ;)

Put them in the

Network Configuration Operators Group

http://support.microsoft.com/default.aspx?...8&Product=winxp

This gives them the ability to configure their local connection, I would think it should also give them the ability to add routes.. Though I have never actually needed to test it.

edit;

I just tested it - and yes it allows them to add routes..  :cool:

You must not have put them in the group on the local machine -- do you need help on how to do this? ;)  I do not believe this available in 2k

586716460[/snapback]

I've already tried this, and it doesn't work. I'm not sure why it doesn't work. Well, that's not entirely true. It works if I do it on the local machine, but, as you stated, it's only available in XP. Good advice, though, but for some reason it just doesn't work.

While I'm at it, let me tell everyone that I have also already tried to give them full admin rights to just the route.exe file, but that doesn't work either. They still need some sort of permission to change network settings (i.e. add routes).

Edited by King Rilian

Off the top, your stuck with 2k machines?? Easy solution would be to upgrade them to XP ;)

Other than that, I do believe to allow nonadmins to change network stuff you will need to set the permissions you desire on the registry keys in question

Im pretty sure the 2k Group Policy stuff was just to prevent even admins from accessing these settings - example;

http://www.microsoft.com/resources/documen....asp?frame=true

The issues of having to be admin to change networks settings in 2k and NT, etc.. was the reason they came up with the network operators group in XP - I thought ;)

Don't have alot of 2k boxes left around to play with to test it for you.

You will need to adjust the registry permissions on the key(s) in question to allow nonadmins to mess with these settings. A great tool for figuring out which keys are being accessed is regmon from sysinternals "free". Another great one is filemon..

These are great tools to have in figuring out EXACTLY what something is trying to do.. Which in your case can make sure the account trying to do it has the permissions on the objects it needs... I have used these tool many times in working out how to get a nonadmin account the ability to run a program that the maker says the user needs admin rights for.. ;)

If I find some time, maybe I'll take a look at it for you - since I do not recall off the top the reg keys.. But most likley somewhere around here;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

As to why we ask for details of what your doing - sometimes people get it in their head there is only one way to do something.. Which may be the HARD way of accomplishing what their after.. If we know WHAT your trying to do - maybe there is an easier way of doing it, etc..

As to me being "insulting" -- still not sure how asking a question is insulting? How is asking why a user would need to add/change routes insulting?

Edited by BudMan
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Can't emulators hurt performance and cause issues though? Let me know if I'm wrong.
    • I know, I mean you can't buy a DLC on Xbox for a game on Game Pass and play said DLC on a PC even if the game itself is available on PC through Game Pass. So, you must buy DLCs twice to play on both Xbox and PC.
    • Proton literally exists. SteamOS literally exists.
    • Privazer 4.0.107 by Razvan Serea PrivaZer is a PC cleaner that helps you master your security and freedom at home and at work. PrivaZer permanently and irretrievably erases unwanted traces of your past activity on your computer and on your storage devices (USB keys, external drive, and so on) which prevents others from retrieving what you have done, watched, streamed, visited on internet, freeing up valuable hard disk space, and keeping your PC running secure. PrivaZer key features: Deep Cleaning: PrivaZer thoroughly cleans your PC by removing unnecessary files, traces of activity, and potential privacy risks. Advanced Scan Modes: With multiple scan modes, including Quick and Deep scans, PrivaZer ensures comprehensive cleaning tailored to your needs. Customizable Cleaning: PrivaZer allows you to customize cleaning settings, so you can choose exactly what to clean and what to keep. Privacy Protection: PrivaZer safeguards your privacy by securely erasing traces of your online and offline activities, including browsing history and temporary files. Secure File Deletion: PrivaZer securely deletes sensitive files beyond recovery, ensuring your confidential data remains private. Startup Manager: PrivaZer helps you control which programs launch at startup, improving boot times and overall system performance. Automatic Updates: PrivaZer regularly updates its cleaning algorithms to adapt to new threats and ensure effective protection. Scheduled Cleanups: PrivaZer offers the convenience of scheduling automated cleanups, so your PC stays optimized without manual intervention. Portable Version: PrivaZer offers a portable version, allowing you to carry it on a USB drive and clean any PC without installation. Detailed Reports: PrivaZer provides detailed reports after each cleanup, giving you insights into the space reclaimed and the areas cleaned. File Shredder: PrivaZer includes a file shredder feature to securely delete files, making data recovery impossible even with specialized tools. Context Menu Integration: PrivaZer integrates with the context menu, enabling quick and easy access to cleaning functions from any file or folder. Multi-Language Support: PrivaZer supports multiple languages, making it accessible to users worldwide. Automatic Traces Detection: PrivaZer automatically detects traces of activity on your PC, ensuring thorough cleaning without manual intervention. System Restore Point Creation: PrivaZer creates system restore points before cleaning, allowing you to revert changes if needed. Disk Health Analysis: PrivaZer analyzes disk health and alerts you to potential issues, helping you prevent data loss and maintain system stability. Browser Extensions Cleanup: PrivaZer cleans up browser extensions and add-ons, improving browser performance and security. File Association Management: PrivaZer helps you manage file associations, ensuring files open with the correct programs for optimal usability. Intuitive User Interface: PrivaZer features an intuitive user interface, making it easy for both novice and advanced users to optimize their PCs for better performance and privacy. Privazer 4.0.107 changelog: Improved cleanup : Quick Access Improved cleanup : Recent files Minor bug fixes Download: Privazer 4.0.107 | Portable PrivaZer ~30.0 MB (Freeware, paid upgrade available) View: PrivaZer Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Denmark ditching Windows and Office for Linux as it may not want to rely on Microsoft, Trump by Sayan Sen Back in November 2021, the German state of Schleswig-Holstein announced that it was planning to move away from closed-source Microsoft products like Office and Windows to LibreOffice. About two and a half years later, we received an update on the matter, as state officials confirmed that plans for the migration were still intact. As such, about 30,000 government sector computers would be switching by 2027 or so. Following Germany, Denmark seems to be looking to make such a move. This move should resonate pretty loudly now, given that Linux developers, including The Document Foundation, are pushing to encourage users to pick GNU instead of upgrading to Windows 11 from Windows 10. Caroline Stage Olsen, the current Minister for Digital Affairs of Denmark, told the Danish media outlet Politiken that there are plans to phase out Microsoft products in her own ministry next month, and more precisely, moving away from Office 365 to LibreOffice. When discussing the potential challenges of implementing such deployments, Olsen shared a clear backup plan that her ministry has: if the new system proves too challenging at first, they will temporarily revert to the previous setup while they explore other solutions, and overall she is pretty firm on her decision as she stated, "We won't get any closer to our goal if we don't start." The report adds that, thus far, the response from her team has been positive. The minister also added that this initiative isn’t solely about Microsoft. Instead, it’s a step toward reducing an over-reliance on just a handful of providers. The report mentions that the decision could be related to recent events surrounding the International Criminal Court (ICC). For context, the ICC's chief prosecutor, Karim Khan, lost access to his Microsoft Account following Trump's sanctions (via Associated Press). There is also the issue of Trump's keen interest in Greenland, which happens to be a semi-autonomous region of Denmark.
  • Recent Achievements

    • Week One Done
      evershinefacilityservice earned a badge
      Week One Done
    • One Month Later
      evershinefacilityservice earned a badge
      One Month Later
    • One Month Later
      POR2GAL4EVER earned a badge
      One Month Later
    • One Year In
      Orpheus13 earned a badge
      One Year In
    • One Month Later
      Orpheus13 earned a badge
      One Month Later
  • Popular Contributors

    1. 1
      +primortal
      563
    2. 2
      ATLien_0
      256
    3. 3
      +Edouard
      163
    4. 4
      +FloatingFatMan
      157
    5. 5
      Michael Scrip
      109
  • Tell a friend

    Love Neowin? Tell a friend!