Skip to content

How to Allow Field Engineers Change Their Local IP Address

Implementing an admin-less environment can raise concerns, particularly to allow field engineers change their local IP address. This is a common requirement for companies with field engineers working to implement technical network-based equipment. They might need to change from DHCP to static IP to communicate directly with network devices.

In this article, I will explore how to enable standard user accounts to change their local Windows IP address.

Table of Contents

Network Configuration Operators

Clearly, the users needed to be members of the local Windows group “Network Configuration Operators”. This group will give the users some administrative privileges to manage the configuration of networking features of the device. This will be a good take on the challenge while at the same time supporting the principle of least privilege access.

Allow Field Engineers Change Their Local IP Address

I must find an excellent granular way of adding selected members to this group by use of Microsoft Intune.

Allow Field Engineers Change Their Local IP Address

I see some options for achieving this goal, and I have to dive into the different options to see how they perform.

Intune Endpoint Security Account Protection

Intune has local user group membership policies that can help add, remove, or replace members of local groups on Windows devices. This seems like a natural place to start investigating.

The option is found in Microsoft Intune Admin Center under Endpoint Security – Account Protection.

Local user group membership account protection policy

It becomes apparent quickly that this is not the right path to follow. First, it is only a limited selection of groups available for configuration. The only available group options are “Administrators”, “Users”, “Guests”, “Power Users”, “Remote Desktop Users” and “Remote Management Users”.

Secondly, this option seems hard to use if I want to limit which devices each user gets extended rights on.

Intune PowerShell Script

I didn’t find any other native solutions in Intune. My next thought was to use a PowerShell script to achieve my goal. Adding a user to a local group should be feasible via a script.

Based on previous experiences, I know that developing scripts can take some time. Therefore, I did a quick Bing query in Google to see if others had previously faced this challenge. Lucky me, but not surprisingly, Mr. Rudy Ooms had a good approach I could use, though with a Dutch approach, which I needed to translate.

My translated version of Rudy’s script for English version is as follows:

<#
  .NOTES
  ======================================================================
   Created on:   	02.03.2023
   Created by:   	Simon Skotheimsvik
   Filename:     	Win11-NetworkConfigurationOperators.ps1
   Info:          https://skotheimsvik.no
   Reference:     https://call4cloud.nl/2021/04/dude-wheres-my-admin/#changing
   Version:       1.0 - 02.03.2023 - Initial release
                  1.1 - 19.06.2024 - Modified based on feedback on group ID and runlevel
  ======================================================================
  
  .DESCRIPTION
    This script adds users to the local group "Network Configuration Operators".
    Members in this group can have some administrative privileges to manage
    configuration of networking features.

    The script can be distributed through Intune and targeted to a group of
    users qualifying to get this right "AZ-Device-Role-Local Network Configuration Operators"
    The script should run under system context. It will create a local scheduled task
    running at each user logon.
   
#>

$content = @' 
$loggedonuser = Get-WMIObject -class Win32_ComputerSystem | Select-Object -ExpandProperty username 
$groupSID = “S-1-5-32-556”
Add-LocalGroupMember -SID $groupSID -Member $loggedonuser 
'@ 
 
 # create custom folder and write PS script 
$path = $(Join-Path $env:ProgramData CustomScripts) 
if (!(Test-Path $path)) 
{ 
New-Item -Path $path -ItemType Directory -Force -Confirm:$false 
} 
Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\NetworkOperatorGroup.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false 
  
# register script as scheduled task 
$Time = New-ScheduledTaskTrigger -AtLogOn 
$User = "SYSTEM" 
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\NetworkOperatorGroup.ps1`"" 
$TaskName = “AddUserToNetworkOperatorGroup”
Register-ScheduledTask -TaskName $TaskName -Trigger $Time -User $User -Action $Action -RunLevel Highest -Force 
PowerShell

This script will add a scheduled task on the device, kick in at each login, and add the current user to the local “Network Configuration Operators” group.

I can now create an AAD security group targeting the users who should have this privilege on their devices.

The script can now be uploaded to Microsoft Intune and assigned to the security group.

As soon as the script has been synced out to a device and the user logs in again, we can see the membership of the local group has been updated.

At this point, I can change the local network settings on the Windows device even if the user has a standard user account type.

Conclusion

This solution has been proven to work. It is granulated down to the user’s membership of the AAD security group and will follow the user from device to device.

One caveat could be that once the user has signed in to a device, the scheduled task will persist on the device and give other users who log in to the same machine the same privileges.

Thanks again to Rudy Ooms for sharing his solution, becoming my final implementation!

Published inEndpointIntuneMicrosoft 365PowershellScriptSecurityUncategorizedWindows

6 Comments

  1. Javi Gonzalez Javi Gonzalez

    Hi Simon!

    I hope you’re well!

    I just follow your step, my Azure AD user is into Windows 11 local group but I cannot change Network profile type as you show us or for example DHCP to static IP configuration. Windows 11 show me continuously a prompt that ask me for user and password.

    Thank for your help!

  2. Javi Gonzalez Javi Gonzalez

    Hi again!

    Mysteriously, everything now works correctly

    Thank you in advance!

  3. Hadrien Juanola Hadrien Juanola

    For those who have a multilanguage environment, here’s a modification to directly target the group SID.
    I have made another modification to the scheduled task part which did not work for me.
    After every reboot, the task disappeared, so the accounts were not added to the group properly. I’ve just added the “-RunLevel Highest” parameter.
    Hope it can help someone!

    Script with modifs :

    $content = @’
    $loggedonuser = Get-WMIObject -class Win32_ComputerSystem | Select-Object -ExpandProperty username
    $groupSID = “S-1-5-32-556”
    $groupName = (New-Object System.Security.Principal.SecurityIdentifier $groupSID).Translate([System.Security.Principal.NTAccount]).Value
    Add-LocalGroupMember -SID $groupSID -Member $loggedonuser
    ‘@

    # create custom folder and write PS script
    $path = $(Join-Path $env:ProgramData CustomScripts)
    if (!(Test-Path $path))
    {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false
    }
    Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\NetworkOperatorGroup.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false

    # register script as scheduled task
    $Time = New-ScheduledTaskTrigger -AtLogOn
    $User = “SYSTEM”
    $Action = New-ScheduledTaskAction -Execute “powershell.exe” -Argument “-ex bypass -file `”C:\ProgramData\CustomScripts\NetworkOperatorGroup.ps1`””
    $TaskName = “AddUserToNetworkOperatorGroup”
    Register-ScheduledTask -TaskName $TaskName -Trigger $Time -User $User -Action $Action -RunLevel Highest -Force

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.