Active Directory restricting DHCP client address distribution

I have a Windows 2003 Server Active Directory network. My domain controller is also my DNS and DHCP server. I would like to prevent users from just plugging in and getting an IP address. Can this be done with Active Directory?
gnosticgnowledge Asked:

Joe (Web Application Developer) Commented:
"I would like to prevent users from just plugging in and getting an IP address" - Do you mean giving themselves a static IP or receiving a DHCP address?

Joe
gnosticgnowledge (Author) Commented:
OK, I wasn't specific enough. Receiving a DHCP address from my DNS/DHCP/Domain Controller. Specifically, I need to know if I can use Active Directory to prevent someone from getting an address.
m1crochip Commented:
To prevent a domain computer from getting an address or a non-domain computer? What are you trying to accomplish?

gnosticgnowledge (Author) Commented:
To prevent a Windows workstation configured as a DHCP client from plugging into the network and getting an address. Come to think of it, I would like to stop someone from being able to give themselves a static address also. To prevent a non-domain computer from getting an address. Domain Users can't add a machine to the domain.

victornegri Commented:
You can set up IP reservations in the DHCP MMC. That is about the extent of DHCP security on Windows 2k3. If you want to go a step further, you can set up an 802.1X switch with a list of your approved computers' MAC addresses (somewhat difficult). This will prevent machines from even hitting the DHCP server if they're unauthorized.
Paawan Commented:
Hi,
The security settings for Win 3k server apply after connecting to the server. But a client has to be issued an IP address prior to connecting to the server and applying the security policies. Hence I don't believe it would work with the DHCP setting on the server. You would need a network device for that and, as stated above (Victornegri), you will have to use MAC addresses for restrictions.

But again you can masquerade the MAC address as well and get the connectivity to the network.

Any particular reason you would like to do this?
Paawan Commented:
You might check with an ISP how they control the IP address issuing, as for them each IP address actually costs. When we do a dial-up, the server asks for username and password, and only after that is an IP address issued.
savi0627 Commented:
Are you trying to prevent access to local resources or to the internet?
nickhills Commented:
Sometimes the simple solutions are the best ones...

Disable unused ports on the network. If your switches are managed, simply configure the unused ports to be offline; then if someone plugs in, they can't access your local resources.

Of course, that doesn't stop someone unplugging a currently connected device and plugging their laptop in instead. To protect against that, you will need an SNMP script that will monitor MAC address usage and disable ports if MAC addresses are seen to change.

If you don't have managed switches, there is always the low-tech answer: pull the spare cables out.

regards,
Nick
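
An added example, not part of the post above: the detection step of the MAC-monitoring idea in Python, comparing two polls of a switch's port-to-MAC table and flagging ports to review. The "port mac" line format, the port names and the MAC values are constructed for illustration; collecting the table from the switch and disabling a port are left out.

```python
import re

# Constructed sample polls, one "port mac" pair per line (assumed format).
BASELINE = """\
Fa0/1 00:11:22:33:44:01
Fa0/2 00:11:22:33:44:02
Fa0/3 00:11:22:33:44:03
"""
LATEST = """\
Fa0/1 00-11-22-33-44-01
Fa0/2 0011.2233.44AA
Fa0/4 00:11:22:33:44:04
"""

def normalize_mac(raw):
    """Reduce colon, dash or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def parse_poll(text):
    """Return {port: set of normalized MACs} from 'port mac' lines."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            port, mac = line.split()
            table.setdefault(port, set()).add(normalize_mac(mac))
    return table

def ports_to_review(baseline, latest):
    """Return {port: (reason, macs)} for ports that differ from baseline."""
    findings = {}
    for port, macs in latest.items():
        known = baseline.get(port)
        if known is None:
            # Port carried no device at baseline time (e.g. a spare outlet).
            findings[port] = ("unused_port_active", sorted(macs))
        elif macs - known:
            # A MAC not previously seen on this port: possible device swap.
            findings[port] = ("new_mac", sorted(macs - known))
    return findings

if __name__ == "__main__":
    result = ports_to_review(parse_poll(BASELINE), parse_poll(LATEST))
    for port, (reason, macs) in sorted(result.items()):
        print(port, reason, ",".join(macs))
```

A device presenting the same MAC as the one it replaced produces no finding here, which is the masquerading limitation raised earlier in the thread.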
Paawan Commented:
Hi,
Have a look at this. I should tell you everything:

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html