Solved

Assign DHCP IP Addresses through Group Policy

Posted on 2013-11-29
3,395 Views
Last Modified: 2013-11-30
Is it possible to set up a Group Policy to assign IP addresses through DHCP based on a user's OU in Active Directory?  For example, if a user is in OU "users1" in Active Directory, DHCP would give them an IP address in the 192.168.1.1 - 192.168.1.100 range, and if the user is in OU "users2" in Active Directory, DHCP would give them an IP address in the 192.168.1.101 - 192.168.1.200 range.  Is this possible using Group Policy?  If not, is there any way to do this?

This is on a Domain network using Windows Server 2008 R2 64-bit servers.  Users are on Windows 7 workstations.
Question by:David_XF
12 Comments
LVL 9

Accepted Solution

by:
guswebb earned 500 total points
ID: 39685805
Not really. The IP address is assigned to the machine, not the user. You could hack this by having an IP re-assigned after a user has logged in but it's not very elegant.

You could define your DHCP scope based on the machines used by those users in a given OU, assuming that's a static scenario of course.
LVL 11

Expert Comment

by:X_layer
ID: 39686020
You can create IP reservations based on MAC addresses of computers. Can't really remember other way to do this.
LVL 9

Expert Comment

by:guswebb
ID: 39686025
That's not what the OP is wanting to do but is indeed how you would go about assigning DHCP scope to have certain machines allocated IP addresses from a pre-defined range. This is not however user or OU-based as per the original request.
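For the MAC-based reservation approach X_layer and guswebb describe above, here is an added PowerShell example (not code from this thread) that plans one reservation per machine inside each group's range from the question and applies them with netsh, since Windows Server 2008 R2 has no DhcpServer PowerShell module. The server name DHCP01, the workstation names and the MAC addresses are constructed placeholders.

```powershell
# Added example: map each machine group to a pre-defined DHCP range via MAC reservations.
# Assumptions: scope 192.168.1.0/24 on placeholder server DHCP01, constructed inventory,
# run as a DHCP administrator. Nothing is written unless $Apply is set to $true.

$DhcpServer = '\\DHCP01'        # placeholder DHCP server name
$ScopeId    = '192.168.1.0'

# Constructed inventory: which machines belong to which group.
$Inventory = @(
    @{ Group = 'users1'; Name = 'WS-A01'; Mac = '00-11-22-AA-00-01' },
    @{ Group = 'users1'; Name = 'WS-A02'; Mac = '00-11-22-AA-00-02' },
    @{ Group = 'users2'; Name = 'WS-B01'; Mac = '00-11-22-BB-00-01' }
)

# Host-part ranges from the question, one per group.
$Ranges = @{
    users1 = @{ Start = 1;   End = 100 }
    users2 = @{ Start = 101; End = 200 }
}

function New-ReservationPlan {
    param([array]$Machines, [hashtable]$Ranges)
    $next = @{}
    foreach ($g in $Ranges.Keys) { $next[$g] = $Ranges[$g].Start }
    foreach ($m in $Machines) {
        $g = $m.Group
        if ($next[$g] -gt $Ranges[$g].End) { throw "Range for $g exhausted at $($m.Name)" }
        $ip  = "192.168.1.$($next[$g])"
        # netsh expects the MAC as a bare 12-digit hex string.
        $mac = ($m.Mac -replace '[-:]', '').ToLower()
        if ($mac -notmatch '^[0-9a-f]{12}$') { throw "Bad MAC for $($m.Name): $($m.Mac)" }
        [pscustomobject]@{ Name = $m.Name; Group = $g; IP = $ip; Mac = $mac }
        $next[$g]++
    }
}

$plan = New-ReservationPlan -Machines $Inventory -Ranges $Ranges
$plan | Format-Table -AutoSize

$Apply = $false   # flip to $true to actually create the reservations
foreach ($r in $plan) {
    $netshArgs = @('dhcp', 'server', $DhcpServer, 'scope', $ScopeId, 'add', 'reservedip',
                   $r.IP, $r.Mac, $r.Name, $r.Group, 'DHCP')
    if ($Apply) { & netsh @netshArgs } else { Write-Host "DRY RUN: netsh $($netshArgs -join ' ')" }
}
```

As the thread points out, this ties the address to the hardware, not to the logged-on user, so it only meets the requirement when each machine is used by a single group.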
LVL 11

Expert Comment

by:X_layer
ID: 39686042
Well this is only way to get IP from desired scope. And I agree, you cannot create reservations based on OU membership (AFAIK, correct me if I'm wrong).

Author Comment

by:David_XF
ID: 39686053
Unfortunately, the two groups of users will be sharing computers, so we need a solution that is user-based instead of computer-based.  Which is why I'm stuck looking for a solution.

The users1 group will be connecting to one network while the users2 group will be connecting to a different network.  For security reasons, these two networks need to be kept completely separate.  An idea was to set up ACLs on the switch based on IP addresses so that users1 only have access to one VLAN and users2 only have access to another VLAN.  But if we can't assign the IP addresses by user, then it doesn't look like that solution is going to work.
LVL 9

Expert Comment

by:guswebb
ID: 39686059
What exactly are you wanting to keep separate for the two user groups? Files/folders? Access to certain servers?
Author Comment

by:David_XF
ID: 39686072
Two separate XenApp servers, each on their own separate VLAN.  This is in a hospital environment dealing with patient information, so the security requirements are very strict.  Users from one group cannot have any access to the other group's XenApp server, even the XenApp logon screen.
LVL 9

Expert Comment

by:guswebb
ID: 39686102
I'm not so familiar with XenApp, but how about you control the application shortcut presented to the users within each OU via a logon script which you deploy via Group Policy bound to each OU? That way each time they launch the app they would only see the version of the application relevant to the OU that they are a member of.

Author Comment

by:David_XF
ID: 39686117
I like this idea, but that idea was already rejected.  Users1 cannot be allowed to ping any IP address on the users2 network.  This means the restrictions need to be at the switch before it reaches the workstations.  (Like I said - very strict security requirements).
LVL 9

Expert Comment

by:guswebb
ID: 39686134
I'm not sure how you will achieve that whilst also allowing users to log in from any machine. You need the control to be hardware based but can only administer a solution using software/logon scripts given the nature of mobility and hot desking.

You could always disable the ability to ping anything (Group Policy/hash restriction on cmd.exe and control Start menu content etc.) and couple that with my previous suggestion.
LVL 70

Expert Comment

by:KCTS
ID: 39686215
You can't do this as machines must have an IP before they can identify themselves (or users).  Software and access rights can be assigned and restricted via policies - you can use firewall rule between the VLANs to prevent ICMP (ping) packets.

Author Comment

by:David_XF
ID: 39687701
Looks like the answer to my original question is "can't be done".  I'm going to close this and look for another solution.  Thanks.