question

DenisPasternak-3587 asked DenisPasternak-3587 commented

Set-NetIpInterface and netsh interface require administrative permissions

Hi,

I need to set up the metric for a VPN interface. I'm using CMAK and I need to automate the installation process with scripts. But I have a problem with the metric option.

As you may know, there is no problem changing the metric for a manually created VPN connection. If a user creates a new connection by himself/herself, he/she can change the metric for this interface without administrative permission.

But if the user does not use the GUI to change it and tries to do it, for example, with:
powershell - Set-NetIPInterface 'VPN interface' -InterfaceMetric 10 -Confirm:$false -Verbose
or
netsh interface ipv4 set interface 'VPN interface' metric=5

In this case the user will get an "Access Deny" error, even though the VPN connection was set up for the current user only.

How can I avoid this error? I can't add the user to network administrators. If the user can change the metric manually, why does it not work in PowerShell or netsh?

Thank you.

Tags: windows-server, windows-server-powershell, windows-10-network, windows-platform-network

1 Answer

LimitlessTechnology-2700 answered DenisPasternak-3587 commented

Hello @DenisPasternak

My first choice would also be to add the user to the "Network Configuration Operators" group. Beyond that, the user "should" be able to change the NIC settings, if there is no other block to it.

I would check the GPOs applying to this user in the path:
User configuration - Administrative Templates - Network - Network connections

With respect to the command line, besides the profile having the rights, it may be necessary to select "Open as Administrator" (it may prompt for authentication) to verify the permissions.

Additionally, UAC could be blocking the command, as PowerShell or CMD are not "GUI" sensible and wouldn't always prompt for UAC validation. Try the following:
In the registry of the machine:
path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Key: ConsentPromptBehaviorUser
Set the value to: 3
Reboot and test again.

Hope this works for you!
Best regards,
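
As an added example (not part of the answer above and not Microsoft's own tooling): a PowerShell preflight that reports what the answer says to check, namely whether the process token is elevated, whether "Network Configuration Operators" is enabled in it, and the ConsentPromptBehaviorUser value, and only attempts the metric change when -Apply is given. The function name Test-MetricChangePreflight is hypothetical, and 'VPN interface' is the alias from the question.

```powershell
# Added example: preflight before changing a VPN interface metric from a script.
# Test-MetricChangePreflight is a hypothetical name; 'VPN interface' is the alias from the question.
function Test-MetricChangePreflight {
    param(
        [string]$InterfaceAlias = 'VPN interface',
        [int]$Metric = 10,
        [switch]$Apply
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    # True only when BUILTIN\Administrators is enabled in this token (elevated process).
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # S-1-5-32-556 is the well-known SID of BUILTIN\Network Configuration Operators.
    $netOpsSid = [Security.Principal.SecurityIdentifier]::new('S-1-5-32-556')
    $isNetOp   = $principal.IsInRole($netOpsSid)

    # UAC prompt policy for standard users, the value named in the answer (read-only here).
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).ConsentPromptBehaviorUser

    # The VPN interface is only listed while the connection exists in the IP stack.
    $current = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        User                      = $identity.Name
        AdministratorsEnabled     = $isAdmin
        NetworkConfigOpsEnabled   = $isNetOp
        ConsentPromptBehaviorUser = $uac
        InterfaceFound            = [bool]$current
        CurrentMetric             = $current.InterfaceMetric
        SetResult                 = 'not attempted'
    }

    if ($Apply -and $current) {
        try {
            Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
                -InterfaceMetric $Metric -Confirm:$false -ErrorAction Stop
            $result.SetResult = 'ok'
        } catch {
            # Record the failure text instead of aborting, so the report stays complete.
            $result.SetResult = $_.Exception.Message
        }
    }
    $result
}

Test-MetricChangePreflight -InterfaceAlias 'VPN interface' | Format-List
```

Running it once from the user's normal session and once from an elevated prompt shows which of the three conditions differs between the two tokens.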


Yes, this kind of blocking is similar to UAC tricks, because the user can change the settings manually but cannot change the same settings via the command line.
Unfortunately, group policy, adding privileges to a user and changing the registry in the machine branch are not suitable ways, because the user does not have administrative privileges.

If I am not an administrator, the user is not an administrator, but I need the metric to be changed. I'll have to ask the user to do it manually. I cannot use scripting or command line to automate.
