Assign DHCP IP Addresses through Group Policy

Posted on 2013-11-29
Last Modified: 2013-11-30
Is it possible to set up a Group Policy to assign IP addresses through DHCP based on a user's OU in Active Directory?  For example, if a user is in OU "users1" in Active Directory, DHCP would give them an IP address in the 192.168.1.1 - 192.168.1.100 range and if the user is in OU "users2" in Active Directory, DHCP would give them an IP address in the 192.168.1.101 - 192.168.1.200 range.  Is this possible using Group Policy?  If not, is there any way to do this?

This is on a Domain network using Windows Server 2008 R2 64-bit servers.  Users are on Windows 7 workstations.
Question by: David_XF
Accepted Solution

by: guswebb (earned 500 total points)
Not really. The IP address is assigned to the machine, not the user. You could hack this by having an IP re-assigned after a user has logged in but it's not very elegant.

You could define your DHCP scope based on the machines used by those users in a given OU, assuming that's a static scenario of course.

Expert Comment

by: X_layer
You can create IP reservations based on MAC addresses of computers. Can't really remember other way to do this.
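Added example (not part of the thread): the MAC-based reservation approach described above, scripted for Windows Server 2008 R2. That release has no DhcpServer PowerShell module, so the script wraps the "netsh dhcp server" context, which requires the DHCP Server tools (RSAT) on the machine running it. The server name DHCP01, the scope 192.168.1.0, and the hostnames and MAC addresses in the inventory are assumptions; the two address ranges are the ones from the question. As the thread points out, this pins machines, not users, to a range.

```powershell
# Added example, not from the thread: bulk DHCP reservations on Server 2008 R2 via netsh.
# Assumed values: DHCP server DHCP01, scope 192.168.1.0. Run with -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DhcpServer = 'DHCP01',
    [string]$ScopeId    = '192.168.1.0'
)

# Address ranges from the question: users1 machines .1-.100, users2 machines .101-.200.
$pools = @{
    users1 = @{ First = 1;   Last = 100 }
    users2 = @{ First = 101; Last = 200 }
}

# Constructed inventory (hypothetical hostnames and MACs). In practice export this from
# AD or the switch; the pool is decided per *machine*, which is the limitation noted above.
$inventory = @(
    @{ Name = 'WS-A01'; Mac = '00-11-22-33-44-01'; Pool = 'users1'; Ip = '192.168.1.10'  },
    @{ Name = 'WS-A02'; Mac = '00:11:22:33:44:02'; Pool = 'users1'; Ip = '192.168.1.11'  },
    @{ Name = 'WS-B01'; Mac = '001122334403';      Pool = 'users2'; Ip = '192.168.1.150' },
    @{ Name = 'WS-B02'; Mac = '00-11-22-33-44-04'; Pool = 'users2'; Ip = '192.168.1.20'  }  # wrong pool, will be skipped
)

function ConvertTo-DhcpMac {
    # netsh expects exactly 12 hex digits with no separators.
    param([string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 12) { throw "Bad MAC address: $Mac" }
    return $clean
}

function Test-IpInPool {
    # Every pool here lives inside 192.168.1.0/24, so only the last octet is range-checked.
    param([string]$Ip, [hashtable]$Pool)
    if ($Ip -notmatch '^192\.168\.1\.(\d{1,3})$') { return $false }
    $last = [int]$Matches[1]
    return ($last -ge $Pool.First -and $last -le $Pool.Last)
}

foreach ($entry in $inventory) {
    $name = $entry.Name
    $ip   = $entry.Ip
    $pool = $pools[$entry.Pool]
    if (-not (Test-IpInPool -Ip $ip -Pool $pool)) {
        Write-Warning "$name`: $ip is outside the $($entry.Pool) range, skipped"
        continue
    }
    $mac    = ConvertTo-DhcpMac -Mac $entry.Mac
    $target = "$name -> $ip ($mac)"
    if ($PSCmdlet.ShouldProcess($target, 'netsh dhcp add reservedip')) {
        # Syntax: add reservedip <IP> <MAC> [ClientName] [Comment] [DHCP|BOOTP|BOTH]
        $output = & netsh dhcp server "\\$DhcpServer" scope $ScopeId add reservedip $ip $mac $name "$($entry.Pool) pool" BOTH
        if ($LASTEXITCODE -ne 0) {
            Write-Error "netsh failed for $($target): $output"
        } else {
            Write-Verbose "Reserved $target"
        }
    }
}
```

Run it once with -WhatIf -Verbose to see which reservations would be created and which entries fail the range check before touching the scope.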

Expert Comment

by: guswebb
That's not what the OP is wanting to do but is indeed how you would go about assigning DHCP scope to have certain machines allocated IP addresses from a pre-defined range. This is not however user or OU-based as per the original request.

Expert Comment

by: X_layer
Well, this is the only way to get an IP from the desired scope. And I agree, you cannot create reservations based on OU membership (AFAIK, correct me if I'm wrong).

Author Comment

by: David_XF
Unfortunately, the two groups of users will be sharing computers, so we need a solution that is user-based instead of computer-based, which is why I'm stuck looking for a solution.

The users1 group will be connecting to one network while the users2 group will be connecting to a different network.  For security reasons, these two networks need to be kept completely separate.  An idea was to set up ACLs on the switch based on IP addresses so that users1 only have access to one VLAN and users2 only have access to another VLAN.  But if we can't assign the IP addresses by user, then it doesn't look like that solution is going to work.

Expert Comment

by: guswebb
What exactly are you wanting to keep separate for the two user groups? Files/folders? Access to certain servers?

Author Comment

by: David_XF
Two separate XenApp servers, each on their own separate VLAN.  This is in a hospital environment dealing with patient information, so the security requirements are very strict.  Users from one group cannot have any access to the other group's XenApp server, even the XenApp logon screen.

Expert Comment

by: guswebb
I'm not so familiar with XenApp but how about you control the application shortcut presented to the users within each OU via a logon script which you deploy via Group Policy bound to each OU? That way each time they launch the app they would only see the version of the application relevant to the OU that they are a member of.
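Added example (not part of the thread): the per-OU logon script suggested above, written in PowerShell for deployment under User Configuration > Policies > Windows Settings > Scripts (Logon) > PowerShell Scripts, which Windows 7 clients support. The GPO would be linked to each of the two user OUs; the script also re-reads the logged-on user's distinguished name and only creates the shortcut that matches the OU the user object actually sits in, so a mis-linked GPO cannot hand a users1 account the users2 shortcut. The XenApp Web Interface URLs and shortcut file names are assumptions. This only controls what the user is shown; it does nothing to network reachability, which is the limitation raised later in the thread.

```powershell
# Added example, not from the thread: OU-aware XenApp shortcut for a Group Policy logon script.
# URLs and file names below are assumptions, not values from the question.
$targets = @{
    users1 = @{ File = 'XenApp - Users1.url'; Url = 'https://xenapp-users1.corp.example/Citrix/XenApp' }
    users2 = @{ File = 'XenApp - Users2.url'; Url = 'https://xenapp-users2.corp.example/Citrix/XenApp' }
}

function Get-UserDistinguishedName {
    # ADSystemInfo returns the DN of the interactively logged-on user without an LDAP query.
    $adsi = New-Object -ComObject ADSystemInfo
    return $adsi.GetType().InvokeMember('UserName', 'GetProperty', $null, $adsi, $null)
}

function Get-ImmediateOu {
    # Returns the first OU= component, i.e. the container the user object sits in.
    # Splits on unescaped commas only, so "CN=Doe\, Jane,OU=users1,DC=..." parses correctly.
    param([string]$Dn)
    foreach ($part in [regex]::Split($Dn, '(?<!\\),')) {
        if ($part -match '^OU=(.+)$') { return $Matches[1] }
    }
    return $null
}

function Set-XenAppShortcut {
    # Creates the shortcut for $Ou and removes any shortcut belonging to the other group,
    # so a shared workstation never shows a stale shortcut left by the previous user.
    param([string]$Ou, [string]$Desktop)
    if (-not $Ou -or -not $targets.ContainsKey($Ou)) {
        Write-Warning "User OU '$Ou' has no XenApp mapping; no shortcut created."
        return
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($key in $targets.Keys) {
        $path = Join-Path $Desktop $targets[$key].File
        if ($key -eq $Ou) {
            $lnk = $shell.CreateShortcut($path)   # .url extension => Internet shortcut
            $lnk.TargetPath = $targets[$key].Url
            $lnk.Save()
        } elseif (Test-Path $path) {
            Remove-Item $path -Force
        }
    }
}

$dn = Get-UserDistinguishedName
$ou = Get-ImmediateOu -Dn $dn
Set-XenAppShortcut -Ou $ou -Desktop ([Environment]::GetFolderPath('Desktop'))
```

The script runs in the user's own context, so it can only write to that user's desktop and profile; the "Turn on Script Execution" policy must allow signed or local scripts for the logon script to run at all.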

Author Comment

by: David_XF
I like this idea, but that idea was already rejected.  Users1 cannot be allowed to ping any IP address on the users2 network.  This means the restrictions need to be at the switch before it reaches the workstations.  (Like I said - very strict security requirements).

Expert Comment

by: guswebb
I'm not sure how you will achieve that whilst also allowing users to login from any machine. You need the control to be hardware based but can only administer a solution using software/logon scripts given the nature of mobility and hot desking.

You could always disable the ability to ping anything (Group Policy/hash restriction on cmd.exe and control Start menu content etc.) and couple that with my previous suggestion.

Expert Comment

by: KCTS
You can't do this as machines must have an IP before they can identify themselves (or users).  Software and access rights can be assigned and restricted via policies - you can use firewall rule between the VLANs to prevent ICMP (ping) packets.

Author Comment

by: David_XF
Looks like the answer to my original question is "can't be done".  I'm going to close this and look for another solution.  Thanks.