How to grant wireless access in XP to normal users

Tags:
Windows XP
Windows XP Professional
Wireless security
We set up wireless access for our users' laptops on our network and it works fine because the wireless was set up by the admin account. Now the user takes the laptop home and wants to use their wireless to VPN into work but can't because it is requesting admin access to set up the wireless link to their router. Any ideas how I can give them rights to do that but no other admin rights?

Answer Wiki


I would recommend having the company IT dept set up the computer for the employee's home network by using the admin account on the laptop: create a profile with all the necessary SSID, WPA and login information needed for accessing their home network for the user. Of course this means that the company IT guy now knows the security information for the employee's wireless, but if the laptop is company property, the IT dept could probably recover the security info from the laptop anyway.

Careful with this, as some employees could start to see the company IT dept as a resource to troubleshoot their home network headaches.

Discuss This Question: 12  Replies

  • Buddyfarr
    I am part of the company IT department. Unfortunately it is not possible for us to travel to all of the employees' homes, Panera Breads, meetings in cities far away and every hotel room that they might be travelling to. I need to be able to let the users themselves get onto wireless hotspots without granting them admin access.
  • Schmidtw
    How about making them Power Users? I am quite certain Power Users can connect to wireless networks provided they have the key.
  • Flame
    I misunderstood the question. I thought that the employees were using their laps at home and at work only (2 locations) as opposed to needing access everywhere. (oops...) You could set them up as an administrator on the local machine (their laptop) and as a User (or other limited account type) on the Domain. That way they can make whatever changes they need on their lap, but there are still limits on what they can do on the Domain. I believe that "Schmidtw" is correct, Power Users should be able to make the needed changes.
  • Robert Stewart
    Both responses above should work. We have a similar situation here, and we have given the end user local admin rights to the machine. Add the end user to the local side of the machine as an admin; this will take care of this.
  • Buddyfarr
    Unfortunately I cannot set them as Power Users either. It gives them rights that we do not want them to have, such as: Create local user accounts; Modify user accounts which they have created; Change user permissions on users, power users, and guests; Install and run applications that do not affect the operating system; Customize settings and resources on the Control Panel, such as Date/Time, and Power Options.
  • Buddyfarr
    Adding an end user to the admin group is a horrible idea. Being in IT some of you should know of the implications of this. If a user is a local admin then trojans, viruses and spyware have a ten-fold chance of infecting the machine which then will be brought back in to the network and infect our company systems which carry very sensitive information. This also gives the end user rights to install whatever software they want which can lead to lawsuits for copyright infringement as well as suits possibly from the RIAA for the user downloading and installing P2P software to share out their personal music collection. Our company is in the healthcare business and the protection of our client's PHI (protected health information) is of the utmost priority. I would rather have all our users be inconvenienced with small problems such as this while we find a solution than allow one ounce of that information to leak into the wrong hands. One single lawsuit could shut our company down. The number one rule in IT is lock everything down and then give the users only the amount of rights they need to get their work done, none more.
  • Robert Stewart
    Buddyfarr, I agree the ideal way is to take away everything and then grant only what is needed. I'm well aware of all the issues created by making a user an Admin on the local side. Believe it or not there is a method to some of this madness, and I take some notice to your statement "Adding an end user to the admin group is a horrible idea. Being in IT some of you should know of the implications of this". Remember you asked for help, and if you have a strong domain group policy some of your concerns are unjustified. I work with a staff of 11 other geeks (5 in-house programmers) and we support 15 remote locations and over 500 users, and unfortunately I have inherited some programs (developed in house) that the end user has to be an admin in order for these programs to run. Thankfully we are a privately owned sales organization and our data is not quite as sensitive as yours, but if you have been in IT long you should know sometimes you cannot do things the way you were taught in school. With that being said, you can add the user as a local admin and set the local password to expire in a day. Now I can already hear you say "a day is too long for them to be admins", but I'm not sure how you will support an end user without admin rights to be able to walk into any Panera bread store and connect to a new wifi infrastructure. Anyone asking your IT department to support Wifi access at a Panera's bread store needs to reevaluate how you do business. Another option you could try is to buy them a wireless broadband card.
  • Buddyfarr
    Robert, though my current position is in a smaller company with only 400+ users and 13 locations, my previous job was at a large hospital with over 3000 users, 2500 devices and more locations than I can count supported by 25 IT persons. All of them agreed that security is the number one priority. They had been burned once before because of giving users admin rights. If a user is on the road and needs access to the network to keep in sync with their co-workers or bosses then there is reasoning to not re-evaluate how business is done, it is part of doing business. Actually it is quite easy to access a corporate network at any open wireless access point securely. That is why we use VPNs, so that we create a secure tunnel to us before they can access any sensitive data. And to go one step further some of our users use Neoware thin client laptops. There is no OS or applications on it. The only thing it allows them to do is connect via VPN to us, then RDP to our terminal servers. But back to the XP laptops, I have been in the boat of having applications that require admin access to run it. Which is an example of poor coding skills. No application should be coded so that it requires admin rights to run it, but yes it does happen. For that I would use Regmon to monitor what registry files it is accessing and Filemon to monitor what files it is accessing. Then go back and give the users access to ONLY those registry entries and files that they need to run it. That will take away the need to give a user admin rights. Also, if the app is built in-house, once you know which files and registry settings to change you can change the install to update the ACLs on those so that regular users can use the application. Yes, I am asking for help, but in a way that will keep our systems secure. I was just checking with other IT personnel to see if anyone knew of a way to give them rights to the network settings so they can connect to wireless APs when needed without admin rights because I thought there was a way to do it, I just can't remember.
  • Robert Stewart
    Glad to hear you understand both sides of the coin. Yes it is poor coding skills and 2 wrongs don't make a right. I also understand VPN; we have several hundred users that use them while on the road. Still the fact remains they cannot log into any wifi infrastructure wherever and whenever they want to without having admin rights, this is why I say you need to reevaluate this part of your business. Panera bread store wifi will not be secure, what kind of encryption is used? You can be hacked by the guy sitting two tables away from you while you're trying to connect to your VPN. I agree with most of your points, admin rights are dangerous, poor coding skills can be troublesome to overcome, but working out of a Panera bread store does not fly as a good business practice and if any of our management or end users asked our IT department to support this type of connection they would be laughed out of the building. I think the best answer is what I ended with on the last post, buy a wireless broadband card and as long as they have cell phone coverage they will be able to connect to internet. I hope this helps you out and I'm not trying to argue with you but just understand when you ask for help don't ridicule the answers provided when they may have reasons for doing things the way they do. You have now been provided two solutions for your problem, you now have to make the right choice for your company. Good luck.
  • petkoa
    Hi Buddyfarr, I'm absolutely sure what Robert Stewart wrote about your people getting hacked by the guy next table in the Panera bread while they are typing VPN credentials is right and if there is no policy against connecting to the company site from internet cafe etc., there is no sense in disallowing local administrative access to the laptops. I'm with an academic institution and am involved in the management of research network and in this research network we (almost) have no sensitive information, so we can live without such policy - but anyway we have a kind of disclaimer even on the login page of our webmail:
    ==================
    Dear colleague, you loaded this page using ssl-encrypted connection. This means that the data you exchange with the server (username, password, messages, attached files) couldn't be intercepted during their transmission through Internet.
    Unfortunately, ssl-encryption couldn't prevent interception of these data by malicious programs ("spyware") installed on or infected the computer from which you intend to access your e-mail account.
    If you are not sure that this computer is "clean" (you are in an internet cafe, for example), now - before you have entered your username and password - is the moment to disconnect!
    ==================
    BR, Petko
  • LANAll
    Hi, Just add users to the "Network Configuration Operators" local group -- that can allow them to change network settings. I hope that helped.
  • Buddyfarr
    @LANAll - You hit the nail on the head. After doing some further research I also found this setting. XP Pro and above have a new group called Network Configuration Operators just for this issue. The description shows this: "Members in this group can have some administrative privileges to manage configuration of networking features." So this will give the user just enough rights to add/delete networks. We use Cisco VPN encryption that encrypts the tunnel to our network BEFORE they type in their credentials so it is as secure as we can get it without having to pay a lot of money to go with cellular cards. Being a non profit we don't have a ton of money to have as many cellular cards as we would need to cover our mobile users. That would be a nice option so that we could set it up once and forget it instead of hoping the user can understand how to connect to the wireless once they get to where they are going. No matter what option you use everything is hackable, but I just want to get my best bang for my buck. Though I don't know of any of our users that actually go to places like Panera, it was just an example of a scenario. But we do have lots of users that go to conventions and such which have wireless in their hotel rooms, etc. Thanks again for all the information everyone!
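The resolution the thread arrives at (membership in the local "Network Configuration Operators" group instead of Administrators or Power Users) can be applied and checked per laptop with a short script. This is an added example, not code posted by anyone in the thread; it assumes PowerShell has been installed on the XP machine (it is not there by default) and is run from an administrator session, and the account name `EXAMPLE\jdoe` is a placeholder.

```powershell
# Added example (not from the thread). Run as an administrator on the laptop.
# Grants network-configuration rights only, then reports leftover elevated membership.
param(
    [string]$Account = 'EXAMPLE\jdoe'   # placeholder DOMAIN\user or COMPUTER\user
)

$computer = $env:COMPUTERNAME
$domain, $user = $Account.Split('\')
$memberPath = "WinNT://$domain/$user"

function Get-GroupMemberPath([string]$GroupName) {
    # Lists the ADsPath of every member of a local group through the WinNT provider.
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Test-GroupMember([string]$GroupName) {
    # Domain members appear as WinNT://DOMAIN/user, local ones as
    # WinNT://DOMAIN/COMPUTER/user, so compare on the trailing "/name/user".
    $hits = @(Get-GroupMemberPath $GroupName | Where-Object { $_ -like "*/$domain/$user" })
    return ($hits.Count -gt 0)
}

$target = 'Network Configuration Operators'
if (Test-GroupMember $target) {
    Write-Host "$Account is already a member of '$target'."
} else {
    $group = [ADSI]"WinNT://$computer/$target,group"
    $group.psbase.Invoke('Add', $memberPath)
    Write-Host "Added $Account to '$target'."
}

# The point of the change is least privilege: flag membership that would
# still give the user the rights the thread wants to avoid.
foreach ($elevated in 'Administrators', 'Power Users') {
    if (Test-GroupMember $elevated) {
        Write-Warning "$Account is still a direct member of '$elevated'."
    }
}
```

Where PowerShell is not installed, the built-in `net localgroup "Network Configuration Operators" EXAMPLE\jdoe /add` makes the same membership change. The check covers direct membership only, not membership inherited through a nested domain group.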