DHCP scope and disabling manual configuration

Please, I have an ISA server and 100 PCs behind ISA. The users in my network change the IP address all the time and this causes IP conflicts in the network, so I configured DHCP and made a scope for the PCs by MAC address.
I mean I assigned a stable IP address to each user's PC by its MAC address.
But I have a big problem:
the user can manually configure the network card and enter the IPs.
Please, I want any solution that prevents the users from manually configuring the network card's IPs and accepts only DHCP.

Take away their admin rights on their local pc and they can't manually change the NIC anymore.

If someone has rights to locally set the IP, nothing you can do about it from a network or DHCP perspective.

Agreed, add their accounts to the "user" group and remove them from the administrators.

Hi, if you are in an Active Directory domain, you can prevent them from accessing the network settings using a group policy.

One problem with removing admin rights is that it might affect other tasks they have to do on the PC, although it will definitely solve your problem!

My point is that as long as they are allowed/able to change the NIC manually, there is nothing you can do to prevent the potential for duplicate IP addresses.
I don't know if this is what you want, but you can set rules on your server to drop all the connections whose IP - MAC pairs don't match any of the IP - MAC pairs you defined in your DHCP configuration.
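
The IP-MAC pair matching suggested in the post above can also be run as a read-only audit before any traffic is dropped. The following is an added example, not code from the thread: it compares pairs parsed from Windows `arp -a` output against the DHCP reservations, and both the reservation table and the ARP text are constructed sample data.

```python
import re

# Constructed sample data (not from the thread): DHCP reservations, MAC -> reserved IP.
RESERVATIONS = {
    "00-11-22-33-44-02": "192.168.1.102",
    "00-11-22-33-44-03": "192.168.1.103",
    "00-11-22-33-44-04": "192.168.1.104",
}

# Constructed sample of Windows `arp -a` output as seen from the server.
ARP_OUTPUT = """
Interface: 192.168.1.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.103         00-11-22-33-44-02     dynamic
  192.168.1.104         00-11-22-33-44-04     dynamic
  192.168.1.150         00-11-22-33-44-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+\s*$"
)

def parse_arp(text):
    """Return (ip, mac) pairs from `arp -a` text, skipping broadcast/multicast MACs."""
    pairs = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and not int(m.group(2)[:2], 16) & 1:  # group bit clear = unicast
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit(reservations, observed):
    """Flag every observed (ip, mac) pair that does not match a reservation."""
    reserved = {mac.lower(): ip for mac, ip in reservations.items()}
    owner_of = {ip: mac for mac, ip in reserved.items()}
    findings = []
    for ip, mac in observed:
        if reserved.get(mac) == ip:
            continue  # pair matches its reservation
        if ip in owner_of:
            reason = f"uses IP reserved for {owner_of[ip]}"
        elif mac in reserved:
            reason = f"not on its reserved IP {reserved[mac]}"
        else:
            reason = "no reservation for this MAC"
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(RESERVATIONS, parse_arp(ARP_OUTPUT)):
        print(*finding, sep="  ")
```

The ARP cache only lists hosts on the server's own subnet that have talked to it recently, so a clean run does not prove that no workstation has a manual address.
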
emce, that would be impractical for a network of over 100 clients. At least that's my opinion.

David Spigelman, President / CEO, commented:
I agree. That would mean DHCP reservations for every workstation, which sort of defeats the purpose of using DHCP in the first place.

I think Ian's got the best approach. Prevent them from mucking with the IP settings through Group Policy. The only thing is, I'm not sure where to find that in GP. I just looked.

The Group Policy settings that affect network connections can be found under User Configuration/Administrative Templates/Network/Network Connections.

There are a whole bunch of things in there you can configure, all to do with the network properties and stuff. Take a look and you should be able to work out what suits your environment best.

tata_soft (Author) commented:
Hi all,
First, thanks for the replies.
Maybe you don't know exactly what I mean. The problem is if I set up a DHCP server and put my clients under this DHCP server.
For example: if I activated DHCP and made a reservation in the scope for client number 2 and assigned the IP and identified it by MAC address,
this user can write the IP address manually in the network TCP/IP and maybe change the IP to
and take the IP of client number 3 if client number 2 shuts down his PC.
How can I prevent the user from making this fault?
>>how i can prevent the user from make this fault.

As I said, the only way to do it is to prevent them from changing their NIC config either by policy or rights.

There is nothing you can do with network equipment or a DHCP server - except invest in a substantial 802.1x port authentication infrastructure.
Better solution -- send an interoffice memo, saying you have configured all systems to get an IP by DHCP. If anyone changes it to a manual IP address without consulting you first, they will be fired. That fixes the problem, immediately. If not, next day, that person is gone anyway. They will soon learn. Technology is to HELP people be productive, it was not invented to stop renegades from screwing with the corporate network. You need to enforce STRICT office policy, make all people responsible, and if they can't be, they get the AXE!

The group policy option is the best way, although because some inventive users might be able to get around it, remove their admin rights too. Then when they bitch, tell them the ones changing their IPs manually were ruining it for everyone else.

David Spigelman, President / CEO, commented:
I actually agree with scrathcyboy, and was thinking about saying something like that. But if tata_soft's company is like many that I've worked with, s/he doesn't have that kind of clout within the company. <sigh>

I think we do understand the problem tata. I think you may not be understanding the answer. Let me put it another way.

Group Policy is a way to centrally manage many of the things that network users can do. You can modify just about everything you can imagine, including things like what background image must be used on the users' desktops, and what text will be displayed when they try to log in.

One of the things you can modify with Group Policy, is control over the users' network settings. You can prevent them from changing those settings completely, as long as they are part of the domain.

This, I believe, would solve your problem.

First, you set up DHCP to handle your IP addressing. You allow it to hand out IP addresses for all but those resources you specifically need to have static addresses for. This means the users will not know what IP address they will each have at any given time, but unless there's a specific reason they need to, who cares? (Yes, you can manually assign the addresses, by reservation, but why do that?)

Now, your concern is that the users will just go around your settings, and change their IP addresses to whatever they want them to be. That's where Group Policy comes in. You prevent them from making any changes to their network settings. They simply won't be able to make the change.

Hope this helps.