We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


DHCP scope and disable manually configuration

Medium Priority
Last Modified: 2013-11-13
please i've ISA server and 100 pc behind ISA the users in my network all time change the ip address and this make conflict in the network ip's so i'm configured DHCP and maked scope for pc's by  mac address
i mean assigned stable ip address for the user pc by his mac address
but i've big proplem
the user can make manually configuration for the network card and put the ip's
please i want any solution prevent the users from making manuall configureation for network card ip's and accept only the DHCP.
Watch Question

Top Expert 2004
Take away their admin rights on their local pc and they can't manually change the NIC anymore.

If someone has rights to locally set the IP, nothing you can do about it from a network or DHCP perspective.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
agreed, add their accounts to the "user" group and remove them from the administrators.
Hi,If you are in an Active Directory Domain, You can prevent them accessing the network settings using a group policy.

One problem with removing Admin rights is that it might effect other tasks they have to do on the PC, Although it will definately solve your problem!
Top Expert 2004

My point is as long as they allowed/able to change NIC manually, nothing you can do to prevent the potential of duplicate IP addresses.
I don't know if this is what you want, but you can set rules on your server to drop all the connections whose IP - MAC pairs don't match any of the IP - MAC pairs you defined in your DHCP configuration.

emce, that would be impractical for a network of over 100 clients. at least that's my opinion
David SpigelmanPresident / CEO

I agree. That would mean DHCP reservations for every workstation, which sort of defeats the purpose of using DHCP in the first place.

I think Ian's got the best approach. Prevent them from mucking with the IP settings through Group Policy. The only thing is, I'm not sure where to find that in GP. I just looked.

The Group policy settings that effect network connections can be found under Userc Configuration/Administrative Templates/Network/Network Connections.

There are a whole bunch of things in there you can configure all to do with the network properties and stuff. Take a look and you should be able to work out what suits your environment best,



hi all,
1st thx for replay
may be u don't know wht i mean exactly   the proplem if i maked DHCP server and maked my clients under this DHCP server
for example: if i actived the DHCP and maked reservation scope for client number 2 and assigned ip and detect it by mac address
this user can write the ip address manulally in the network tcp/ip  and may be change the ip to
and take the ip of client number 3 if client number 2 shutdown his pc
how i can prevent the user from make this fault.
Top Expert 2004

>>how i can prevent the user from make this fault.

As I said, the only way to do it is to prevent them from changing their NIC config either by policy or rights.

There is nothing you can do with network equipment or a DHCP server - except invest in a substantial 802.1x port authentication infrastructure.
Better solution -- send interoffice memo, saying you have configured all systems to get an IP by DHCP.  If anyone change it to manual IP address without consulting you first, they will be fired.  That fix problem, immediately.  If not, next day, that person gone anyway.  They will soon learn.  Technology is to HELP people be productive, it was not invented to stop renegades from screwing with corporate network.  You need to enforce STRICT office policy, make all people responsible, and if they cant be, they get the AXE !
The group policy option is the best way, although because some inventive users might be able to get around it, remove their admin rights too. Then when they bitch, tell them the ones changing their IPs manually were ruining it for everyone else.

David SpigelmanPresident / CEO
I actually agree with scrathcyboy, and was thinking about saying something like that. But if tata_soft's company is like many that I've worked with, s/he doesn't have that kind of clout within the company. <sigh>

I think we do understand the problem tata. I think you may not be understanding the answer. Let me put it another way.

Group Policy is a way to centrally manage many of the things that network users can do. You can modify just about everything you can imagine, including things like what background image must be used on the users' desktops, and what text will be displayed when they try to log in.

One of the things you can modify with Group Policy, is control over the users' network settings. You can prevent them from changing those settings completely, as long as they are part of the domain.

This, I believe, would solve your problem.

First, you set up DHCP to handle your IP addressing. You allow it to hand out IP addresses for all but those resources you specifically need to have static addresses for. This means the users will not know what IP address they will each have at any given time, but unless there's a specific reason they need to, who cares? (Yes, you can manually assign the addresses, by reservation, but why do that?)

Now, your concern is that the users will just go around your settings, and change their IP addresses to whatever they want them to be. That's where Group Policy comes in. You prevent them from making any changes to their network settings. They simply won't be able to make the change.

Hope this helps.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.