Implementing an admin-less environment can raise concerns, particularly when field engineers need to change their local IP address. This is a common requirement for companies whose field engineers install and configure network equipment: they might need to switch from DHCP to a static IP to communicate directly with network devices.
In this article, I will explore how to enable standard user accounts to change their local Windows IP address.
Network Configuration Operators
Clearly, the users need to be members of the local Windows group “Network Configuration Operators”. This group grants users limited administrative privileges to manage the networking configuration of the device, which addresses the requirement while still supporting the principle of least privilege.
I need a granular way of adding selected users to this group using Microsoft Intune.
Allow Field Engineers to Change Their Local IP Address
I see a few options for achieving this goal, and I need to look into each of them to see how well they work.
Intune Endpoint Security Account Protection
Intune has local user group membership policies that can help add, remove, or replace members of local groups on Windows devices. This seems like a natural place to start investigating.
The option is found in Microsoft Intune Admin Center under Endpoint Security – Account Protection.
It quickly becomes apparent that this is not the right path to follow. First, only a limited selection of groups is available for configuration: “Administrators”, “Users”, “Guests”, “Power Users”, “Remote Desktop Users” and “Remote Management Users”.
Second, this option offers no easy way to limit which devices each user gets the extended rights on.
Intune PowerShell Script
I didn’t find any other native solutions in Intune. My next thought was to use a PowerShell script to achieve my goal. Adding a user to a local group should be feasible via a script.
Based on previous experience, I know that developing scripts can take some time. Therefore, I did a quick Bing query in Google to see if others had previously faced this challenge. Luckily, and not surprisingly, Rudy Ooms had a good approach I could use, though written for the Dutch version, which I needed to translate.
My translated version of Rudy’s script for the English version is as follows:
This script adds a scheduled task on the device that runs at each logon and adds the current user to the local “Network Configuration Operators” group.
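The following is an added example of that approach written for this article, not Rudy Ooms’ script or the translated version. It assumes it runs from Intune in SYSTEM context while the target user is signed in (so the interactive user can be read from Win32_ComputerSystem); the script directory, script name and task name are constructed. As a variation, it locks down the script directory to SYSTEM and Administrators (the task runs as SYSTEM, so a user-writable script path would be an elevation risk) and scopes the logon trigger to the deploying user, so later users of the same device are not elevated; the trigger scoping assumes the account name resolves on the device.

```powershell
# Added example (not Rudy Ooms' script). Assumes it runs from Intune in SYSTEM
# context while the target user is signed in; paths and task name are constructed.
$ScriptDir  = 'C:\ProgramData\NetCfgOps'
$ScriptPath = Join-Path $ScriptDir 'Add-NetCfgOperator.ps1'
$TaskName   = 'Add-NetworkConfigurationOperator'

# The user signed in at deployment time (e.g. AzureAD\jdoe or CONTOSO\jdoe).
$TargetUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $TargetUser) { Write-Error 'No interactive user to scope the task to.'; exit 1 }

# Script directory writable only by SYSTEM and Administrators, since the task runs as SYSTEM.
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
$acl = Get-Acl -Path $ScriptDir
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs from ProgramData
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $ScriptDir -AclObject $acl

# Logon-time action: resolve the console user again and add it to the group if needed.
# The retry loop covers the first seconds of logon, before UserName is populated.
$LogonScript = @'
$group = 'Network Configuration Operators'
for ($i = 0; $i -lt 6 -and -not $user; $i++) {
    $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $user) { Start-Sleep -Seconds 10 }
}
if (-not $user) { exit 0 }
$members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -eq $user })) {
    Add-LocalGroupMember -Group $group -Member $user
}
'@
Set-Content -Path $ScriptPath -Value $LogonScript -Encoding UTF8

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
# Trigger only on the deploying user's logon, so other users of the device are not elevated.
$Trigger   = New-ScheduledTaskTrigger -AtLogOn -User $TargetUser
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null
```

After the next logon, `Get-LocalGroupMember -Group 'Network Configuration Operators'` on the device should list the user, which is the check to run before confirming the change in IP settings works.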
I can now create an AAD security group targeting the users who should have this privilege on their devices.
The script can now be uploaded to Microsoft Intune and assigned to the security group.
As soon as the script has been synced out to a device and the user logs in again, we can see the membership of the local group has been updated.
At this point, I can change the local network settings on the Windows device even when signed in with a standard user account.
This solution has been proven to work. It is scoped to the user’s membership of the AAD security group, and it follows the user from device to device.
One caveat is that once the user has signed in to a device, the scheduled task persists on that device and grants the same privileges to any other user who logs in to the same machine.
Thanks again to Rudy Ooms for sharing his solution, which became my final implementation!