Applying TCP/IP Settings for Non-Administrator Users in Windows® XP Embedded
Introduction
A non-administrator user who logs in to a system built with the Windows XP Embedded runtime cannot successfully change the TCP/IP settings (such as IP address, subnet mask, etc.), even if that user belongs to the ‘Network Configuration Operators’ group. The system requires a reboot after the TCP/IP settings are changed; however, the new settings are discarded after the reboot. This problem does not occur in a Windows XP Pro environment.
This document provides some guidance to resolve the particular issue above.
Steps to resolve the issue
The issue is caused primarily by permission settings in the access control lists (ACLs), which are handled differently on the Windows XP Embedded platform than on Windows XP Pro. As a workaround, we propose a script that uses a security editor tool (SubInAcl.exe). SubInAcl.exe is publicly available and can be downloaded from the Microsoft Download Center. Below are the suggested steps to create a script file and then execute it to resolve the issue.
1. Creating a script file to assign proper permission in ACL
Below is the list of commands that the script should contain to assign the proper permissions in the ACLs.
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ /grant="Network Configuration Operators"=QCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\ /grant="Network Configuration Operators"=QSCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ /grant="Network Configuration Operators"=QSCEYA
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ /grant="Network Configuration Operators"=QSCEYA
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\ /grant="Network Configuration Operators"=QSCEYA
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /grant="Network Configuration Operators"=QSCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes\ /grant="Network Configuration Operators"=QSCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock\ /grant="Network Configuration Operators"=QCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Performance\ /grant="Network Configuration Operators"=QCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\ /grant="Network Configuration Operators"=QCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Enum\ /grant="Network Configuration Operators"=QCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Security\ /grant="Network Configuration Operators"=QCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\Configurations\ /grant="Network Configuration Operators"=QSCEYAD
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\Parameters\ /grant="Network Configuration Operators"=QEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID_OF_NIC}\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\ /grant="Network Configuration Operators"=QCEYA
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\ /grant="Network Configuration Operators"=QSCEYA
Please note that you need to replace {GUID_OF_NIC} in one of the commands above with the actual GUID of the network adapter in your device. You can find this GUID under the TCP/IP service registry key.
For example: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AEA17CDF-5551-4DF7-90EE-73E0E595BC31}
2. Executing the script file to assign proper permission in ACL
You can copy the commands in step 1 above and store them in a batch file (i.e. a text file with the extension .bat) on your development machine. In addition, you need to download the SubInAcl.exe tool from the Microsoft Download Center to your development machine. The downloaded file is an MSI package. After you install the MSI package, the SubInAcl.exe tool is located in the installation path that you specified during the installation (the default path is C:\Program Files\Windows Resource Kits\Tools).
After logging in to your Windows XP Embedded runtime system as an administrator, copy the batch file and SubInAcl.exe into a temporary folder. Open a command prompt, navigate to the temporary folder, and run the batch file. After the batch file has executed successfully, a non-administrator user may log in to the same runtime and change any TCP/IP settings as long as he/she belongs to the ‘Network Configuration Operators’ group.
- Thomas
* Updated 8/2/07 to include more generic info on NIC settings in script command.
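A pre-run review of the batch file from step 1, added here as an example (not part of the original post or of SubInAcl): it decodes each grant into the registry rights it confers, marks which keys become writable for the group, and catches a {GUID_OF_NIC} placeholder that was never replaced. The letter table follows SubInAcl's help text for /keyreg and /subkeyreg; the function name review and the choice of which letters count as write-capable are assumptions of this example.

```python
import re

# Access letters SubInACL accepts for /keyreg and /subkeyreg grants.
RIGHTS = {
    "F": "Full Control", "R": "Read", "A": "Read Control", "Q": "Query Value",
    "S": "Set Value", "C": "Create SubKey", "E": "Enumerate Subkeys",
    "Y": "Notify", "L": "Create Link", "D": "Delete", "W": "Write DAC",
    "O": "Write Owner",
}
WRITE_LETTERS = set("FSCLDWO")  # assumption: rights that let the grantee modify the key

LINE = re.compile(
    r'^subinacl\s+/(?P<mode>keyreg|subkeyreg)\s+(?P<key>\S.*?)\s+'
    r'/grant="(?P<who>[^"]+)"=(?P<perm>[A-Z]+)\s*$', re.IGNORECASE)

def review(script):
    """Return one dict per subinacl grant line found in the batch text."""
    findings = []
    for raw in script.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a grant line (blank line, comment, other command)
        perm = m["perm"].upper()
        findings.append({
            "key": m["key"].rstrip("\\"),
            "recursive": m["mode"].lower() == "subkeyreg",  # key and all subkeys
            "trustee": m["who"],
            "rights": [RIGHTS[c] for c in perm if c in RIGHTS],
            "writable": bool(WRITE_LETTERS & set(perm)),
            "unknown_letters": [c for c in perm if c not in RIGHTS],
            "placeholder": "{GUID_OF_NIC}" in m["key"],  # step 1 substitution missed
        })
    return findings

# Constructed sample: three lines copied from step 1, placeholder left in.
SAMPLE = r'''
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ /grant="Network Configuration Operators"=QCEYA
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /grant="Network Configuration Operators"=QSCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID_OF_NIC}\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD
'''

if __name__ == "__main__":
    for f in review(SAMPLE):
        flag = "UNRESOLVED GUID " if f["placeholder"] else ""
        scope = "key+subkeys" if f["recursive"] else "key only"
        print(f'{flag}{f["key"]} [{scope}]: {", ".join(f["rights"])}')
```

Run it on the development machine against the text of the .bat file before copying the file to the runtime; any line reported with an unresolved GUID or unknown letters should be corrected first.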
Comments
Anonymous
July 31, 2007
The comment has been removed
Anonymous
July 31, 2007
Are you able to successfully change the TCP/IP settings after running the batch file? If so, you may ignore the failure. If not, we can investigate.
Anonymous
August 01, 2007
Thank you very much for this solution, you posted it at a perfect moment :) It works nearly perfect for me, only one thing is the same as before - after changing between DHCP and static IP address, the system asks me for a reboot " ... before the new settings will take effect". Is it possible to fix this problem?
Anonymous
August 01, 2007
Hello Thomas, Thank you for your comment. There is no problem for me after applying this solution. Therefore, I will ignore the failure. Thank you very much!! Masakazu Watari
Anonymous
August 01, 2007
The comment has been removed
Anonymous
August 01, 2007
That's it, works perfect now .. Thank you very much. Best regards, Andi
Anonymous
August 17, 2007
Is it possible to configure ACLs including service ACLs in the target designer? We would like to avoid as many manual steps as possible. Thanks
Anonymous
October 19, 2009
Quite inspiring, Great tips for applying TCP/IP all users XP, Thanks for sharing Keep up the good work
Anonymous
June 18, 2012
Good Solution Thanks