Thursday, August 15, 2019

Updating IP, DNS, and Subnet through Service Account

Is it possible to update the IP address, DNS and Subnet through a Service account without elevating the access of a user or an administrative account?

Background:

The reason why we would have to be able to do it this way (instead of doing it one of many easier ways) is that our leadership says they do not want to elevate users with any administrative access because of security requirements. One of the ways he said he would allow would be if we could change this information through a "System Account". Our normal users only have to do one thing: update the IP address, DNS, and Subnet Mask to be able to talk to their PLCs.

I was reading up about things that were possible, such as putting them in a network group and removing that group from the administrator group. They then would be able to update the networking information while also limiting their rights to do other administrative things. They seemed opposed to this idea since they are no longer considered a "normal user". 

Other ways would be through netsh, however, that would also have to be in an elevated command prompt. 

I use WSUS daily, and was using it as a comparison since that creates a temporary administrator account (or service account) to push/install the updates.


