How can I set a policy so non-admin users can add a route? In particular this is a VPN connection using OpenVPN, and OpenVPN must set some routes after connecting. It works when OpenVPN-GUI is run with admin rights, but I don't want my users to have admin rights. In Windows XP the solution was: Add the user to the local Network Administrator (or Network Operators) group, done, perfect solution. In Windows 7: Does not work, the users cannot set the route, they get "access denied" (to be more exact: "route addition failed using CreateIpForwardEntry: Zugriff verweigert [status=5 if_index=19]") Now which Group Policy do I have to change or set to allow changing routes for non-admin users? Or which part registry to I have to play with i.e. change access rights? I don't want to run the VPN as a service on a client machine too.

How can I set a policy so non-admin users can add a route? In particular this is a VPN connection using OpenVPN, and OpenVPN must set some routes after connecting. It works when OpenVPN-GUI is run with admin rights, but I don't want my users to have admin rights. In Windows XP the solution was: Add the user to the local Network Administrator (or Network Operators) group, done, perfect solution. In Windows 7: Does not work, the users cannot set the route, they get "access denied" (to be more exact: "route addition failed using CreateIpForwardEntry: Zugriff verweigert [status=5 if_index=19]") Now which Group Policy do I have to change or set to allow changing routes for non-admin users? Or which part registry to I have to play with i.e. change access rights? I don't want to run the VPN as a service on a client machine too. I am facing the same issue with the deployment of OpenVPN on 100+ client machines consisting of both Windows XP and Windows 7. The solution should be GPO-based. Really appreciate the support. Zain

This is just a guess as I've not had any time to test it out, but have you looked into potential problems with UAC? Maybe if you place your users into the Network Configuration Operators group, and turn off UAC, they'll have more luck?

I am facing the same issue with the deployment of OpenVPN on 100+ client machines consisting of both Windows XP and Windows 7. The solution should be GPO-based. Really appreciate the support. Zain The Solution for XP is simple, add to local network operators group. That can be controlled be GPO. But this doesn work for Vista/Win7.

This is just a guess as I've not had any time to test it out, but have you looked into potential problems with UAC? Maybe if you place your users into the Network Configuration Operators group, and turn off UAC, they'll have more luck? This is not the acceptable way, and that hint does not help. You can test/try it yourself by opening a DOS-box without admin rights and try to set a route manually.