I'm a network admin in an Active Directory setup with around 15 field technicians using Windows 10 and 11 laptops. These techs often need to modify IP addresses and DNS settings for testing purposes, but I want to avoid giving them local admin rights due to security concerns. I've tried several methods including adding them to the "Network Configuration Operators" group via GPO, which doesn't seem to work because of UAC restrictions. I also attempted creating .exe wrappers with RunAsTool and PowerRun, but those still prompt for admin access. I've even explored using scheduled tasks with PowerShell scripts, but they've been inconsistent across devices. Ideally, I want them to be able to right-click on the network adapter in *ncpa.cpl* and adjust settings like an admin, but restrict access to everything else. Does anyone have reliable solutions for this, maybe using PAM or AppLocker? Any best practices would be greatly appreciated!
4 Answers
You might want to look into a PAM solution with Just-In-Time (JIT) admin. I've had success with autoelevate for similar situations. It allows users to elevate privileges only when they need to change network settings while keeping it secure.
I recommend checking out PowerShell with Just Enough Administration (JEA) and constrained endpoints. This can provide the control you need while allowing for necessary changes.
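An added example of the JEA approach described in this answer (not code posted by the author): a role capability that exposes only the IPv4 and DNS client cmdlets, bound to an AD group through a virtual-account session configuration. The group name `CONTOSO\FieldTechs`, module name and transcript path are assumptions; run it elevated on each laptop (for example as a GPO startup script).

```powershell
# Added example: JEA endpoint for field-technician network changes.
# Assumed names: module 'FieldTechNetConfig', AD group 'CONTOSO\FieldTechs'.

$moduleName = 'FieldTechNetConfig'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

# JEA only discovers role capabilities inside a valid module, so give it a manifest.
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") `
    -ModuleVersion '1.0.0' -Description 'JEA role capabilities for field techs'

# Role capability: only the cmdlets the task needs, and only the parameters
# that address an adapter and set its IP/DNS configuration.
$adapter = @{ Name = 'InterfaceAlias' }
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'NetConfig.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-NetAdapter' },
        @{ Name = 'Get-NetIPAddress' },
        @{ Name = 'Get-DnsClientServerAddress' },
        @{ Name = 'New-NetIPAddress'
           Parameters = @($adapter, @{ Name = 'IPAddress' },
                          @{ Name = 'PrefixLength' }, @{ Name = 'DefaultGateway' }) },
        @{ Name = 'Remove-NetIPAddress'
           Parameters = @($adapter, @{ Name = 'Confirm' }) },
        @{ Name = 'Set-NetIPInterface'
           Parameters = @($adapter, @{ Name = 'Dhcp' }) },
        @{ Name = 'Set-DnsClientServerAddress'
           Parameters = @($adapter, @{ Name = 'ServerAddresses' },
                          @{ Name = 'ResetServerAddresses' }) }
    )

# Session configuration: commands run as a temporary virtual account that is
# local admin only inside this constrained session; transcripts log every command.
$pssc = Join-Path $env:TEMP "$moduleName.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\FieldTechs' = @{ RoleCapabilities = 'NetConfig' } }

# -Force restarts WinRM so the endpoint is available immediately.
Register-PSSessionConfiguration -Name $moduleName -Path $pssc -Force | Out-Null
```

A tech then connects with `Enter-PSSession -ComputerName localhost -ConfigurationName FieldTechNetConfig` and runs, for example, `Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.53`; anything outside the listed cmdlets is rejected, so this replaces the ncpa.cpl right-click rather than unlocking it.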
Why are non-IT staff doing IT-related tasks?
Not everyone has the luxury of strictly defined roles in the workplace. Sometimes, you have to adapt to real-world scenarios where cross-functional duties are necessary.
Sometimes technicians need to interact with specific equipment, like HVAC controllers, which often require direct IP changes to connect to devices that are not on a DHCP server.
It’s common for field techs in various industries to have to change their laptop's IP to troubleshoot or connect with systems directly. These situations often require flexibility beyond traditional roles.
In my experience, adding users to the ‘Network Configuration Operators’ local group has worked well. Make sure you explicitly add them to the local group and verify that the GPOs are set up correctly. Alternatively, since you have a small crew, consider scripting the process to simplify things.
Just keep in mind that there could be local privilege escalation risks from that group to full admin access.
Just a heads up, if the network settings are preventing connectivity, you might have an issue elevating privileges to make the necessary fixes.