
deny getting an IP from DHCP


  • deny getting an IP from DHCP

    Hi all,
    Is there a way to deny getting an IP from the DHCP server to those people who are not logged in to the domain? (They are logging on locally and have everything except getting GPOs.)

    thanks,

  • #2
    Re: deny getting an IP from DHCP

    How are they going to logon (contact a DC) without an IP address in the first place?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: deny getting an IP from DHCP

      If users log on locally then they should not be allowed access onto the network, as they would not be validated as users of the domain.

      If I log in locally on my PC I certainly can't access anything without entering a username and password.


      • #4
        Re: deny getting an IP from DHCP

        Win 2003 http://support.microsoft.com/kb/240247/EN-US/
        Win 2000 http://support.microsoft.com/default...b;en-us;235272

        From Microsoft Knowledge Base article Q240247, here's how to set up a DHCP class:

        Create a New User or Vendor Option Class

        1. Start DHCP Manager.
        2. In the console tree, click the applicable DHCP server branch.
        3. Right-click the server, and then click Define User Classes to create a new user class, or click Define Vendor Classes to create a new vendor class.
        4. Click Add.
        5. In the New Class dialog box, type a descriptive identifying name for the new option in the Display name box. You may also add additional information to the Description box.
        6. Type in the data to be used by the DHCP Server service for matching the class ID provided by DHCP clients under ID or ASCII. To enter the data as hexadecimal byte numeric values, click the left side of the text box. To enter data as American Standard Code for Information Interchange (ASCII) text character values, click the right side of the text box.
        7. Click OK, and then click Close.

        Configure a DHCP Scope with the New Class ID

        1. In DHCP Manager, double-click the appropriate DHCP scope.
        2. Right-click Scope Options and then click Configure Options.
        3. Click Advanced.
        4. Click to select the check box or boxes next to the features you want to use with the new vendor or user class.
        5. Click OK.

        Set the Specified DHCP Class ID String for Client Computers

        Think that should be about right, if I'm correct in what you want to do.


        • #5
          Re: deny getting an IP from DHCP

          DHCP runs on a lower level than Active Directory. So there is no way to not lease an IP address to a computer which is not part of the domain.

          But a creative mind finds a way to achieve his goal.

          What you can do is create a scope for all your domain computers (Scope = domaincomputers), and set up reservations for all your domain computers. So all available IPs within the scope are reserved for domain computers, and computers not part of the domain will not get an IP, due to the fact that no IPs are available because all IPs are reserved.
          Last edited by Killerbe; 19th March 2008, 16:31.
          [Powershell]
          Start-DayDream
          Set-Location Malibu Beach
          Get-Drink
          Lay-Back
          Start-Sleep
          ....
          Wake-Up!
          Resume-Service
          Write-Warning
          [/Powershell]

          BLOG: Therealshrimp.blogspot.com
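
Added example, not part of the thread and not the poster's code: a check for the "reserve every address" approach from post #5 that lists scope addresses which are neither reserved nor excluded, so a forgotten reservation shows up. The function names, the `localhost` default and the 192.0.2.x sample data are assumptions made for this example; the live branch needs the DhcpServer module (Windows Server 2012 or later, or RSAT).

```powershell
# Added example: find addresses in a DHCP scope that an unknown machine could
# still lease because they are neither reserved nor excluded.
param(
    [string]$ScopeId,                     # e.g. 192.0.2.0; omit to run the sample data
    [string]$ComputerName = 'localhost'   # DHCP server to query (assumption)
)

function ConvertTo-IPv4Number {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function ConvertTo-IPv4String {
    param([long]$Number)
    return (24, 16, 8, 0 | ForEach-Object { ($Number -shr $_) -band 255 }) -join '.'
}

function Get-UnreservedAddress {
    # $Exclusion: objects with StartRange / EndRange, as the DHCP cmdlets return them.
    param([System.Net.IPAddress]$Start, [System.Net.IPAddress]$End,
          [System.Net.IPAddress[]]$Reserved, [object[]]$Exclusion = @())
    $taken = @{}
    foreach ($ip in $Reserved) { $taken[$ip.ToString()] = $true }
    foreach ($x in $Exclusion) {
        $s = ConvertTo-IPv4Number $x.StartRange; $e = ConvertTo-IPv4Number $x.EndRange
        for ([long]$n = $s; $n -le $e; $n++) { $taken[(ConvertTo-IPv4String $n)] = $true }
    }
    $first = ConvertTo-IPv4Number $Start
    $last = ConvertTo-IPv4Number $End
    for ([long]$n = $first; $n -le $last; $n++) {
        $ip = ConvertTo-IPv4String $n
        if (-not $taken.ContainsKey($ip)) { $ip }   # still leasable
    }
}

if ($ScopeId) {
    # Live query against the DHCP server.
    $scope = Get-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $ScopeId
    $res   = @(Get-DhcpServerv4Reservation -ComputerName $ComputerName -ScopeId $ScopeId)
    $excl  = @(Get-DhcpServerv4ExclusionRange -ComputerName $ComputerName -ScopeId $ScopeId)
    Get-UnreservedAddress -Start $scope.StartRange -End $scope.EndRange -Reserved $res.IPAddress -Exclusion $excl
} else {
    # Constructed sample: six-address scope, four reservations, one excluded address.
    $excl = [pscustomobject]@{ StartRange = '192.0.2.15'; EndRange = '192.0.2.15' }
    $reserved = '192.0.2.10', '192.0.2.11', '192.0.2.13', '192.0.2.14'
    Get-UnreservedAddress -Start '192.0.2.10' -End '192.0.2.15' -Reserved $reserved -Exclusion $excl
}
```

An empty result only shows that the scope has no address left to hand out. A client configured with its own address never asks the DHCP server, which is the case the 802.1X suggestion in post #11 addresses.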


          • #6
            Re: deny getting an IP from DHCP

            This is all true for non-domain computers... however for non-domain USERS logging into domain computers it gets a little more difficult.

            What you can do is, rather than not giving them IP addresses, remove their user accounts from the local computers by the use of a computer start-up script. Domain computers log on to the domain during startup - and execute a "startup script" if one exists which is provided by the domain. You can force all domain computers in an OU to execute a startup script in a GPO, and part of that script could be to delete all "local" user accounts apart from the defaults. You can also enforce a specific password for the local "Administrator" account via this script, and rename that account via GPO.

            This will prevent those users from ever logging on locally, and force them to always use domain-based accounts. It will also ensure that whenever they are using their computers, they are doing so in a way which meets company policy.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you
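
Added example, not part of the thread and not the poster's script: one way to write the computer startup script described in post #6, removing (or first only disabling) every local account that is not a built-in one. The parameter names `KeepName` and `DisableOnly` are assumptions of this example; it needs the LocalAccounts module of Windows PowerShell 5.1.

```powershell
# Added example: GPO computer startup script (runs as SYSTEM) that removes
# non-default local accounts. Run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$KeepName = @(),   # assumption: extra local accounts that must survive
    [switch]$DisableOnly         # disable instead of delete until data is migrated
)

# Never run on a domain controller, which has no separate local account database.
# DomainRole 4 and 5 are backup and primary domain controller.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) { return }

# RIDs of built-in accounts: 500 Administrator, 501 Guest, 503 DefaultAccount,
# 504 WDAGUtilityAccount. Matching on the RID still works after a GPO rename.
$builtinRid = 500, 501, 503, 504

function Test-BuiltinAccount {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $rid = [long](($Sid.Value -split '-')[-1])
    return $builtinRid -contains $rid
}

$targets = @(Get-LocalUser | Where-Object {
    -not (Test-BuiltinAccount $_.SID) -and ($KeepName -notcontains $_.Name)
})

foreach ($user in $targets) {
    $action = if ($DisableOnly) { 'Disable' } else { 'Remove' }
    if ($PSCmdlet.ShouldProcess($user.Name, "$action local account")) {
        if ($DisableOnly) { Disable-LocalUser -SID $user.SID }
        else { Remove-LocalUser -SID $user.SID }
    }
    # One record per affected account, for the startup-script log or a collector.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Account  = $user.Name
        Sid      = $user.SID.Value
        Action   = $action
    }
}
```

The password-setting part of post #6 is left out of this example, because a startup script stored in SYSVOL is readable by every authenticated domain account. Removing an account does not delete its profile folder, so the data mentioned in post #12 can still be copied afterwards.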


            • #7
              Re: deny getting an IP from DHCP

              Can you explain what your goal is?
              Your current question nearly can't be done or I've missed something.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"


              • #8
                Re: deny getting an IP from DHCP

                Ossian, this was pretty cool (you are right)
                How are they going to logon (contact a DC) without an IP address in the first place?
                Can you explain what your goal is?
                I want to make sure that all clients are logged in to the domain.
                Some of them are logging on locally and therefore are not getting GPOs regarding restrictions, including: disabled local admin, restricted groups, proxy settings, etc.

                PS. While waiting for a reply I had a case where all network printers listed in AD disappeared and after some 5-6 hrs came back!? I have no idea what happened, since there was no error anywhere, in AD or in the print cluster.


                • #9
                  Re: deny getting an IP from DHCP

                  Originally posted by aa11:
                  While waiting for a reply I had a case where all network printers listed in AD disappeared and after some 5-6 hrs came back!? I have no idea what happened, since there was no error anywhere, in AD or in the print cluster.
                  I know you said no errors, but have you checked the Event Viewer for a Print Spooler stoppage? If it stopped, printers disappear and when started again, printers back.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2


                  • #10
                    Re: deny getting an IP from DHCP

                    Originally posted by aa11:
                    Ossian, this was pretty cool (you are right)


                    I want to make sure that all clients are logged in to the domain.
                    Some of them are logging on locally and therefore are not getting GPOs regarding restrictions, including: disabled local admin, restricted groups, proxy settings, etc.
                    Why not remove the local accounts and disable the caching of the profile?
                    Marcel

                    • #11
                      Re: deny getting an IP from DHCP

                      Sounds like a job for 802.1X or server/domain isolation to me.


                      • #12
                        Re: deny getting an IP from DHCP

                        Originally posted by Dumber:
                        Why not remove the local accounts and disable the caching of the profile?
                        Agreed. Why do they have local accounts in the first place? Because of an old setup? If so, before you delete their local accounts, make sure you copy important docs and settings from their local account to their domain account.
                        ** Remember to give credit where credit is due and leave reputation points where appropriate **


                        • #13
                          Re: deny getting an IP from DHCP

                          Thanks all for the replies!
                          Why do they have local accounts in the first place? Because of an old setup?
                          Yes, they were there for a long time.

                          Why not remove the local accounts and disable the caching of the profile?
                          Yeah, this is what I'm going to do (although there are too many of them).

                          Thanks all.

                          For printers:
                          I know you said no errors, but have you checked the Event Viewer for a Print Spooler stoppage? If it stopped, printers disappear and when started again, printers back.
                          No no, the print spooler was OK, that's what was very strange!

                          cheers,


                          • #14
                            Re: deny getting an IP from DHCP

                            Check my reply in post #6: you can enforce the removal of local accounts using a machine "startup" script - and that means that if they create them again they will be removed again - until they get bored of doing it.


                            Tom

                            • #15
                              Re: deny getting an IP from DHCP

                              And for such a script you can start here:
                              http://www.microsoft.com/technet/scr....mspx?mfr=true
                              http://www.experts-exchange.com/OS/M..._21037829.html
                              Marcel