Network Repair Option Disabled for Limited Rights Users
I've written before about how important it is to have your users running with reduced rights, even remote laptops. By running at reduced rights, you can prevent malware from installing itself or from changing system files. When you run as administrator or the equivalent, any program you run can intentionally or unintentionally damage your system.
Laptop users are a little different from desktop users. They are out and about. They need to connect to foreign networks. They need to get to wireless. They need to be able to REPAIR a wireless connection by clicking the repair button or taking the repair option. Using gpedit.msc, you can add back the right for laptop users to enable and disable their LAN connections. However, you can't give them the right to REPAIR a connection and I just spent a few hours figuring out why!
The reason you can't control the REPAIR button and option for network connections using gpedit.msc is that there isn't a policy for it. Under "User Configuration/Administrative Templates/Network/Network Connections" you can set all sorts of things like "Ability to rename LAN connections", "Prohibit TCP/IP advanced configuration", etc., but none of these will fix the repair option--it will continue to be grayed out.
The ability to turn this on or off is actually an undocumented (AFAIK) registry setting under each user:
Software\Policies\Microsoft\Windows\Network Connections
Value: NC_Repair
Setting 1=Enabled
This is stored in the same part of the registry hive as the options I described above.
The solutions I came up with are pretty simple, once I figured them out. First, you can simply add the missing registry setting, but you would have to do this for each user in their registry. The second, better, option is to add the setting to the group policy options.
First, let me say all warnings apply. Back up your system, first. This worked for me, it might not work for you. Your mileage will vary. Yada, yada, yada.
Solution #1 (the fast hack, not recommended, but informational):
- Log on as administrator
- Open registry (all warnings apply--you can kill your system)
- Navigate to the current user's entries (you'll have to find it under the Users hive and figure out which entry is the user you care about)
- Navigate to Software\Policies\Microsoft\Windows\Network Connections
- You should see a bunch of NC_ entries
- Add a DWORD entry: NC_Repair with a value of 1
- Close regedit
- Log off
- Log back on as that user
- Open the network connection; you should see that the repair option is no longer disabled (grayed out)
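Solution #1 scripted in PowerShell, as an added example that is not part of the original post: it resolves the account name to its SID (the name of the user's key under HKEY_USERS), mounts the profile's NTUSER.DAT if the user is not logged on, writes NC_Repair, and reads it back. It assumes PowerShell is installed and the script is run as administrator; the account name `kiosk1` and the temporary mount name `NC_Repair_Temp` are placeholders.

```powershell
# Added example: set NC_Repair=1 for one named user. Run as administrator.
# 'kiosk1' is a placeholder account name.
param([string]$UserName = 'kiosk1')

$subKey = 'Software\Policies\Microsoft\Windows\Network Connections'

# Resolve the account name to the SID that names its key under HKEY_USERS.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$root = "HKU\$sid"
$loadedByUs = $false
if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
    # The user is not logged on, so the hive is not mounted.
    # Find the profile directory and load NTUSER.DAT under a temporary name.
    $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = (Get-ItemProperty -Path $profileKey).ProfileImagePath
    $root = 'HKU\NC_Repair_Temp'   # placeholder mount name
    & reg.exe load $root (Join-Path $profilePath 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load the hive for $UserName" }
    $loadedByUs = $true
}

try {
    $key = 'Registry::' + ($root -replace '^HKU', 'HKEY_USERS') + "\$subKey"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # -Force overwrites an existing NC_Repair value (for example a 0).
    New-ItemProperty -Path $key -Name 'NC_Repair' -PropertyType DWord `
        -Value 1 -Force | Out-Null

    # Read the value back so the change can be confirmed and recorded.
    $current = (Get-ItemProperty -Path $key).NC_Repair
    '{0} ({1}): NC_Repair = {2}' -f $UserName, $sid, $current
}
finally {
    if ($loadedByUs) {
        [gc]::Collect()   # release open registry handles before unloading
        & reg.exe unload $root | Out-Null
    }
}
```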
Solution #2 (using group policies):
- Warning: I'm assuming a laptop, in my example, where it won't be logging on to the domain. If you are logging on to the domain, you'll want to put this with the ADM files for your domain, not on the systems themselves.
- Log on as administrator
- Create a file called network_connections_repair.adm in your \windows\system32\GroupPolicy\Adm directory (note: the line that says NC_Repair_Help is wrapped for readability here--it should be a single line in your file):
; Per-user policy: adds the missing "repair" setting to the Network Connections category
CLASS USER

CATEGORY !!Network
    CATEGORY !!NetworkConnections
        KEYNAME "Software\Policies\Microsoft\Windows\Network Connections"

        POLICY !!NC_Repair
            EXPLAIN !!NC_Repair_Help
            VALUENAME "NC_Repair"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY
    END CATEGORY
END CATEGORY

; Display strings referenced by the !! names above
[strings]
Network="Network"
NetworkConnections="Network Connections"
NC_Repair="Ability to repair LAN connections"
NC_Repair_Help="Determines whether users can repair LAN connections.\n\nIf you enable this setting, the Repair option is enabled for all users. Users can repair connections by clicking the icon representing a connection or by using the File menu.\n\nIf you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Repair option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators).\n\nImportant: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.\n\nIf this setting is not configured, only Administrators and Network Configuration Operators have the right to repair LAN connections.\n\n"
- That file describes the setting that the group policy editor will display for you to change settings. By having it in the folder indicated above, it will automatically be picked up by gpedit.msc. Don't be tempted to include these entries in the existing system.adm--Microsoft can and will overwrite these at any time.
- Start gpedit.msc
- Navigate to Local Computer Policy, User Configuration, Administrative Templates, Network, Network Connections. You should see your new "Ability to repair LAN connections" entry.
- Mark "Ability to repair LAN connections" as ENABLED.
- Exit gpedit.msc
- Log off administrator
- Log on as the user
- Check to see if you can now "Repair" your connection
That should do it.
Comments
There is also another way to do this (at least with XP Pro) - within computer management - local users and groups, simply add the user name to the pre-existing group "NETWORK CONFIGURATION OPERATORS". This will enable the repair button within the wireless connection and let them config other wireless settings as needed. Plus - it's easier and faster than the registry edits.
Doesn't seem to work for me. I have verified that the GPO is being applied to the PC using gpresult.
I have set one other setting to 'Enable' in the same GPO to see if the GPO is in fact being applied, and it is. Just not the Repair function.
And the NC_Repair item in the registry does = 1
Does the job without opening up the network configuration to the end user.
Nicely done!
(And yes I'm aware that this is a couple years old now)
=o)
It works on WinXP, but on Win2k3 it doesn't.
Yah! It enables the repair button but it doesn't work..
It says "error renewing your ip" I think because we didn't give the user ip release/renew rights.. can you tell me please how to give these rights through GPO??
Check out in gpedit.msc under \User Configuration\Administrative Templates\Network\Network Connections
I think it is in there. Likely candidates:
"Ability to Enable/Disable a LAN connection"
"Prohibit Enabling/Disabling components of a LAN connection"
"Prohibit TCP/IP advanced configuration"