Force static IP at logon


  • Force static IP at logon

    What is the most efficient way to force a static IP as a user logs into a domain? Our DC is a 2003 R2 machine. I would like to do this at the user level. I know I could create a separate logon script for each user but I'm sure there is a better route. I know very little about scripting (only simple batch files).

    Thanks!

  • #2
    Re: Force static IP at logon

    Why do you want to do this? Since the machine needs to be already on the network for the user to login, it will already have an IP address. If you really must, you can assign static IP addresses to your workstations - I am against this though as it's unnecessary in the majority of environments and just adds needless complexity.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Force static IP at logon

      Originally posted by gforceindustries:
      Why do you want to do this? Since the machine needs to be already on the network for the user to login, it will already have an IP address. If you really must, you can assign static IP addresses to your workstations - I am against this though as it's unnecessary in the majority of environments and just adds needless complexity.
      We have about 10 people with static IP addresses for remote desktop purposes. The rest are all dynamic. I know remote desktop can be done via VPN and that is the way I was doing it but they have no idea how to connect to a VPN from a foreign machine. They like having an RDP icon they can carry with them and use from anywhere. The dynamic machines I rarely have access to and it is hard to make any kind of change that requires me physically being there so I would like to be able to do it from the server.

      If you have a better suggestion for remote desktop then go ahead and shoot. My ears are always open.



      • #4
        Re: Force static IP at logon

        Aha, now we have some more detail.

        I believe you can assign their IP address via the Terminal Services tab of their profile in ADUC.
        Gareth Howells



        • #5
          Re: Force static IP at logon

          Originally posted by gforceindustries:
          Aha, now we have some more detail.

          I believe you can assign their IP address via the Terminal Services tab of their profile in ADUC.
          Thanks for the quick replies. I'm not seeing it in there. The only options I see are to change profile paths. I went through the rest of the user properties tabs and could not find anything. I may just have to do a logon script for each user. That would be quicker than approaching each workstation and physically changing it.



          • #6
            Re: Force static IP at logon

            My bad, sorry, it may be in the VPN configuration panel of RRAS I'm thinking. I'm very tired...

            A logon script would probably fail as it requires administrative rights to change the machine's IP address. Instead of making the users local administrators, consider using something like runas to run the script as an administrator. Better yet, use something like lsrunase (not free, but well worth the money) which takes the administrator password as a parameter in encrypted form, so the users only see the ciphertext rather than the plaintext password. And then to prevent the users from seeing the ciphertext (which they could use with lsrunase to run other processes as an administrator), either compile the script to an exe (if it's a batch file) or encrypt it if it's a VBS.
            Gareth Howells



            • #7
              Re: Force static IP at logon

              I am not really getting this at all.

              From what I understand though, and shoot me if I am wrong, you just want to assign certain PCs static IP addresses without having to go there?

              Why don't you just add a reservation on your DHCP server for each said MAC address?

              You can remote into the registry and add the parameter there also.

              I think you may need to explain your situation a little more clearly. Your position now, and your expected end result.

              Thanks!

              Ste
              Steven Roberts
              IT Mercenary

              MCITP:EA|MCTS|MCSE 2003 (Messaging and Security)|MCSA 2003 (Messaging and Security)|MCP|Prince2 Practitioner

              Don't forget to click on the Yin-Yang icon to leave reputation points if you think my advice has been worthwhile!



              • #8
                Re: Force static IP at logon

                There should be an option under the Dial In tab under the User account properties to assign a static IP.
                Caesar's cipher - 3

                ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                SFX JNRS FC U6 MNGR



                • #9
                  Re: Force static IP at logon

                  Originally posted by gforceindustries:
                  My bad, sorry, it may be in the VPN configuration panel of RRAS I'm thinking. I'm very tired...

                  A logon script would probably fail as it requires administrative rights to change the machine's IP address. Instead of making the users local administrators, consider using something like runas to run the script as an administrator. Better yet, use something like lsrunase (not free, but well worth the money) which takes the administrator password as a parameter in encrypted form, so the users only see the ciphertext rather than the plaintext password. And then to prevent the users from seeing the ciphertext (which they could use with lsrunase to run other processes as an administrator), either compile the script to an exe (if it's a batch file) or encrypt it if it's a VBS.
                  Thanks! That's a lot of good info. The script would work because domain users are all given local admin rights to their machines. The original system engineers set it up this way because the management decided to grant full access so there is nothing holding employees back from getting their jobs done. This seems like a huge security issue to me since potentially anyone can get into anyone's computer if they know what they are doing. I'm looking into a more secure way of doing this.

                  After thinking about it, I'm not sure I want to use a logon script just for the simple fact that if a user logs on to another computer (which is rare) it would result in an IP conflict. Unless I created a logoff script that changed them back to DHCP but that seems a little clunky.

                  Originally posted by Ste:
                  Why don't you just add a reservation on your DHCP server for each said MAC address?

                  You can remote into the registry and add the parameter there also.

                  I think you may need to explain your situation a little more clearly. Your position now, and your expected end result.
                  First off, here is the basic situation. I've got around 30 users each with their own computer. Some with 2 computers. Most of our management uses static IP addresses for remote desktop purposes. More and more people are wanting access to remote desktop so I am just going to switch everyone over to static. So yes you were right. I am looking for an easy way of changing their IP address without touching their machines. Since domain users have local admin rights the remote registry solution should work. For some reason the remote registry service was disabled on about half of the computers so I added a line to the logon.bat to enable this service. Once I get all of the static addresses set up I will probably disable this service for now because with everyone having admin access to each other's machines they could get into each other's registries.

                  Originally posted by L4ndy:
                  There should be an option under the Dial In tab under the User account properties to assign a static IP.
                  Isn't this for VPN connections?



                  • #10
                    Re: Force static IP at logon

                    FYI you can control the members of local groups with GPO ('Restricted Groups' policy).


                    Originally posted by gforceindustries:
                    it requires administrative rights to change the machine's IP address. ...
                    Membership of the local Network Configuration Operators group will give the users the ability to modify the TCP/IP properties without making them local admin.

                    _

                    Personally I would choose to make reservations in DHCP for the computers.
                    Alternatively, use a computer startup script instead of a user logon script: use a VBScript that reads a computer-to-IP-address list, then checks whether or not the computer already has that IP address. If not, then set the IP, default gateway, DNS server(s) and DNS suffix. Release IP, refresh and registerdns.



                    \Rems

                    This posting is provided "AS IS" with no warranties, and confers no rights.

                    __________________

                    ** Remember to give credit where credit's due **
                    and leave Reputation Points for meaningful posts
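
The computer startup script suggested in post #10, written out as an added example (not code posted by anyone in the thread). It assumes a hypothetical list file at `\\example.local\NETLOGON\static-ip.csv` that only administrators can write to, a constructed line format `NAME,IP,MASK,GATEWAY,DNS1;DNS2`, and one active adapter per machine; the DNS suffix and release/refresh steps are left out.

```vbscript
' Added example: assign as a COMPUTER startup script via GPO, so it runs as
' Local System and users need neither admin rights nor a stored password.
Option Explicit
' Hypothetical path. One line per machine: NAME,IP,MASK,GATEWAY,DNS1;DNS2
Const LIST_PATH = "\\example.local\NETLOGON\static-ip.csv"

Dim fso, ts, fields, want, thisPc, re, i, nics, nic, rc, sh
Set sh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
thisPc = UCase(CreateObject("WScript.Network").ComputerName)
If Not fso.FileExists(LIST_PATH) Then WScript.Quit 0   ' list unreachable: change nothing

' Find this computer's row; "want" stays Empty if the machine is not listed.
Set ts = fso.OpenTextFile(LIST_PATH, 1)                ' 1 = ForReading
Do Until ts.AtEndOfStream
    fields = Split(Trim(ts.ReadLine), ",")
    If UBound(fields) = 4 Then
        If UCase(Trim(fields(0))) = thisPc Then want = fields
    End If
Loop
ts.Close
If IsEmpty(want) Then WScript.Quit 0                   ' unlisted machines stay on DHCP

' Refuse malformed rows rather than pushing them into the TCP/IP stack.
Set re = New RegExp
re.Pattern = "^(\d{1,3}\.){3}\d{1,3}$"
For i = 1 To 3
    want(i) = Trim(want(i))
    If Not re.Test(want(i)) Then
        sh.LogEvent 1, "static-ip: bad value in list for " & thisPc
        WScript.Quit 1
    End If
Next

Set nics = GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
    "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE")
If nics.Count <> 1 Then WScript.Quit 1                 ' ambiguous: not exactly one active NIC
For Each nic In nics
    If Not nic.DHCPEnabled Then
        If nic.IPAddress(0) = want(1) Then WScript.Quit 0   ' already configured
    End If
    rc = nic.EnableStatic(Array(want(1)), Array(want(2)))  ' 0 = ok, 1 = ok after reboot
    If rc = 0 Or rc = 1 Then
        nic.SetGateways Array(want(3)), Array(1)
        nic.SetDNSServerSearchOrder Split(Trim(want(4)), ";")
        sh.Run "ipconfig /registerdns", 0, True
    End If
    sh.LogEvent 4, "static-ip: " & thisPc & " -> " & want(1) & " (rc=" & rc & ")"
Next
```

Because the address is keyed to the computer name rather than the user, logging on at a different workstation cannot produce the IP conflict raised in post #9.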
