Member_2_3766735
Restrict DHCP leases to Domain Users

I know that this has been asked plenty of times, but I haven't come across this twist to the question.

Every answer to the "restrict address leases to only domain users" has to do with implementing a device to do the task.

My question is different in that it asks "How can I manipulate the DHCP server's address lease list via scripts?" Can someone point me in the right direction? I've had a look at netsh, and I'm not sure if it can do what I want.

What I want is a script that goes into the DHCP server's leases and deletes an entry based on MAC address, run every 2 minutes.

Thank you all.
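The periodic "delete leases by MAC" job the question describes, written here as an added PowerShell example (not code from the thread). It assumes the DhcpServer and ActiveDirectory modules (Windows Server 2012 or later) and placeholder values for the DHCP server name and scope; lease hostnames are client-supplied, so a match against Active Directory is a weak check, and a machine in the middle of a domain join would be removed too, as the later replies point out.

```powershell
# Added example: remove active DHCP leases whose hostname has no matching
# computer account in Active Directory. Intended to run from a scheduled task
# every 2 minutes. 'dhcp01' and '192.168.1.0' are assumed placeholders.
param(
    [string]$DhcpServer = 'dhcp01',
    [string]$ScopeId    = '192.168.1.0',
    [switch]$ReportOnly   # list what would be removed without deleting
)

Import-Module DhcpServer
Import-Module ActiveDirectory

# Lookup table of domain computer names (short names, case-insensitive).
$domainHosts = @{}
Get-ADComputer -Filter * | ForEach-Object { $domainHosts[$_.Name.ToLower()] = $true }

foreach ($lease in Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId) {
    # Only plain active leases; reservations and offered/declined entries are left alone.
    if ($lease.AddressState -ne 'Active') { continue }

    # HostName comes from the client's own DHCP request, so it can be anything;
    # strip a DNS suffix before comparing. This is not proof of domain membership.
    $shortName = ($lease.HostName -split '\.')[0].ToLower()
    if ($shortName -and $domainHosts.ContainsKey($shortName)) { continue }

    Write-Output ("Non-domain lease {0} MAC {1} host '{2}'" -f $lease.IPAddress, $lease.ClientId, $lease.HostName)
    if (-not $ReportOnly) {
        # Delete the lease by MAC address (ClientId), the operation the question asks for.
        Remove-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId -ClientId $lease.ClientId
    }
}
```

Run it with -ReportOnly first; the output log of non-domain leases is useful on its own for spotting unexpected devices, even if you never enable deletion.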
ASKER CERTIFIED SOLUTION
Toni Uranjek
SOLUTION
Brian Pierce
Not unless you reserved ALL of them - not a brilliant idea and a nightmare to manage.
Ah, good thought. Clever, but agree not practical.
I just thought of another reason for not zapping an IP lease, apart from the reasons already stated and the overhead implications - what about new machines that are being added to the domain? You don't suddenly want their IP zapped in the middle of the domain-joining process, do you?

On balance I don't think any method of trying to restrict DHCP assignment is practical, nor is it especially useful or indeed desirable.
I suppose you could play with User Class IDs. With User Class IDs you set up a DHCP User Class ID scope with the appropriate DHCP options. Then on the client machine you set the Class ID. In order to obtain DHCP from that scope the Class ID must match. However, it is a bit of a pain because you have to run the ipconfig /setclassid command on any computer before it can get its DHCP configuration from the server. Where it cannot obtain an IP, it cannot connect to the network, and therefore you cannot do it remotely.
http://support.microsoft.com/kb/240247/EN-US/
Good idea - but I can't really see the benefits being worth the cost of administering it.

What is the issue that we are trying to solve here?

There is no direct security issue in non-domain clients getting IP addresses from DHCP. As far as I can see the only benefit to be got out of implementing any DHCP restrictions would be to stop someone with access to the network launching a denial of service attack by soaking up all your DHCP leases, which I don't rate very highly. If they want to bring down a domain there are more effective ways of doing it.
The only cases where I have seen practical use of denying access are places like universities where they try to maintain control of the number of devices on the network. They also charge departments by the number of connections. However, in any institutional situation like that, the switches would be fully manageable and configurable for MAC access control.

Have to agree the risks are pretty low. If someone wants access to your network, it shouldn't take them too long to figure out the subnet and assign a static IP. Even MAC filtering is a nightmare with universities, as students figure out how to clone MACs. Duplicate MACs can play havoc with your switched network.