Assign DHCP IP Addresses through Group Policy

Posted on 2013-11-29
3,981 Views
Last Modified: 2013-11-30
Is it possible to set up a Group Policy to assign IP addresses through DHCP based on a user's OU in Active Directory? For example, if a user is in OU "users1" in Active Directory, DHCP would give them an IP address in the 192.168.1.1 - 192.168.1.100 range, and if the user is in OU "users2" in Active Directory, DHCP would give them an IP address in the 192.168.1.101 - 192.168.1.200 range. Is this possible using Group Policy? If not, is there any way to do this?

This is on a Domain network using Windows Server 2008 R2 64-bit servers.  Users are on Windows 7 workstations.
Question by:David XF
12 Comments
 
LVL 9

Accepted Solution

by:
guswebb earned 2000 total points
ID: 39685805
Not really. The IP address is assigned to the machine, not the user. You could hack this by having an IP re-assigned after a user has logged in but it's not very elegant.

You could define your DHCP scope based on the machines used by those users in a given OU, assuming that's a static scenario of course.
 
LVL 11

Expert Comment

by:X_layer
ID: 39686020
You can create IP reservations based on the MAC addresses of computers. I can't really remember another way to do this.
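The MAC-based reservations described above, as an added example that is not part of the original thread or the poster's own work. It drives the built-in `netsh dhcp server` context available on Windows Server 2008 R2; the server name `DHCP01`, the scope `192.168.1.0`, and the machine inventory are constructed placeholders. The two address ranges mirror the question, but note that they are tied to machines, not to users.

```powershell
# Added example (not from the thread): create DHCP reservations keyed on client MAC
# address on a Windows Server 2008 R2 DHCP server using netsh.
# Server name, scope and the host list below are constructed placeholders.

$DhcpServer = 'DHCP01'          # assumed: NetBIOS name of the DHCP server
$ScopeId    = '192.168.1.0'     # assumed: scope that contains both address ranges

# Constructed inventory: which machines get addresses from which range
# (1-100 for the users1 machines, 101-200 for the users2 machines, as in the question).
$Reservations = @(
    @{ Name = 'WS-USERS1-01'; Mac = '00-11-22-33-44-01'; Ip = '192.168.1.10'  },
    @{ Name = 'WS-USERS1-02'; Mac = '00:11:22:33:44:02'; Ip = '192.168.1.11'  },
    @{ Name = 'WS-USERS2-01'; Mac = '001122334403';      Ip = '192.168.1.110' }
)

foreach ($r in $Reservations) {
    # netsh expects the MAC as 12 hex digits with no separators; normalise and validate it.
    $mac = ($r.Mac -replace '[-:.]', '').ToUpper()
    if ($mac -notmatch '^[0-9A-F]{12}$') {
        Write-Warning "Skipping $($r.Name): '$($r.Mac)' is not a valid MAC address"
        continue
    }

    # Refuse addresses outside 192.168.1.1-200 so a typo cannot land in another subnet.
    if ($r.Ip -notmatch '^192\.168\.1\.(\d{1,3})$' -or [int]$Matches[1] -lt 1 -or [int]$Matches[1] -gt 200) {
        Write-Warning "Skipping $($r.Name): $($r.Ip) is outside 192.168.1.1-200"
        continue
    }

    # Syntax: netsh dhcp server \\Server scope <ScopeId> add reservedip <IP> <MAC> <Name> <Comment> <BOTH|DHCP|BOOTP>
    $output = & netsh dhcp server "\\$DhcpServer" scope $ScopeId add reservedip $r.Ip $mac $r.Name "Reserved by script" BOTH
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Reservation for $($r.Name) failed: $output"
    } else {
        Write-Output "Reserved $($r.Ip) for $($r.Name) ($mac)"
    }
}

# Review what the server now holds for the scope.
& netsh dhcp server "\\$DhcpServer" scope $ScopeId show reservedip
```

Run it from an account with DHCP Administrators rights. On Windows Server 2012 and later the same reservation can be made with the `Add-DhcpServerv4Reservation` cmdlet instead of netsh. A reservation only pins an address to a network card, so a MAC can still be spoofed by the client; it is an inventory convenience rather than an access control, which is the thread's point about the request being machine-based, not user-based.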
 
LVL 9

Expert Comment

by:guswebb
ID: 39686025
That's not what the OP is wanting to do but is indeed how you would go about assigning DHCP scope to have certain machines allocated IP addresses from a pre-defined range. This is not however user or OU-based as per the original request.
 
LVL 11

Expert Comment

by:X_layer
ID: 39686042
Well, this is the only way to get an IP from the desired scope. And I agree, you cannot create reservations based on OU membership (AFAIK, correct me if I'm wrong).
 

Author Comment

by:David XF
ID: 39686053
Unfortunately, the two groups of users will be sharing computers, so we need a solution that is user-based instead of computer-based. Which is why I'm stuck looking for a solution.

The users1 group will be connecting to one network while the users2 group will be connecting to a different network. For security reasons, these two networks need to be kept completely separate. An idea was to set up ACLs on the switch based on IP addresses so that users1 only have access to one VLAN and users2 only have access to another VLAN. But if we can't assign the IP addresses by user, then it doesn't look like that solution is going to work.
 
LVL 9

Expert Comment

by:guswebb
ID: 39686059
What exactly are you wanting to keep separate for the two user groups? Files/folders? Access to certain servers?
 

Author Comment

by:David XF
ID: 39686072
Two separate XenApp servers, each on their own separate VLAN. This is in a hospital environment dealing with patient information, so the security requirements are very strict. Users from one group cannot have any access to the other group's XenApp server, even the XenApp logon screen.
 
LVL 9

Expert Comment

by:guswebb
ID: 39686102
I'm not so familiar with XenApp, but how about you control the application shortcut presented to the users within each OU via a logon script which you deploy via Group Policy bound to each OU? That way each time they launch the app they would only see the version of the application relevant to the OU that they are a member of.
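One way to implement the OU-bound logon script suggested above, written as an added example rather than code from the thread. The OU names `users1` and `users2` come from the question; the XenApp Web Interface URLs and the shortcut names are constructed placeholders. The script resolves the logged-on user's OU through ADSI (no RSAT modules are needed on a Windows 7 workstation) and publishes only the shortcut that maps to that OU.

```powershell
# Added example (not from the thread): Group Policy logon script that creates only the
# XenApp shortcut belonging to the user's own OU. URLs below are constructed placeholders;
# link the GPO running this script to the users1 and users2 OUs (or to a common parent).

# Map each OU to the Web Interface URL its users are allowed to see (assumed values).
$XenAppByOu = @{
    'users1' = 'https://xenapp-users1.example.local/Citrix/XenApp'
    'users2' = 'https://xenapp-users2.example.local/Citrix/XenApp'
}

# Resolve the logged-on user's distinguishedName from Active Directory via ADSI.
$searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
$result   = $searcher.FindOne()
if (-not $result) {
    Write-Warning "User $env:USERNAME not found in AD; no shortcut created"
    exit 1
}
$dn = [string]$result.Properties['distinguishedname'][0]

# Take the first OU component of the DN, i.e. the OU the user object sits in directly.
$ou = ($dn -split ',' | Where-Object { $_ -like 'OU=*' } | Select-Object -First 1) -replace '^OU=', ''

$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell

# Remove any XenApp shortcut left by an earlier run (for example after the user moved OU),
# so the desktop never shows more than the one shortcut this OU is entitled to.
foreach ($name in $XenAppByOu.Keys) {
    $stale = Join-Path $desktop "XenApp ($name).lnk"
    if (Test-Path $stale) { Remove-Item $stale -Force }
}

if ($XenAppByOu.ContainsKey($ou)) {
    $lnk = $shell.CreateShortcut((Join-Path $desktop "XenApp ($ou).lnk"))
    $lnk.TargetPath  = $XenAppByOu[$ou]
    $lnk.Description = "Citrix XenApp for $ou"
    $lnk.Save()
} else {
    Write-Warning "OU '$ou' has no XenApp mapping; no shortcut created"
}
```

Deploy it under User Configuration > Windows Settings > Scripts (Logon) in the GPO linked to each OU. Because the script only shapes what the user is shown, it is a usability and least-surprise measure; a user who knows the other URL can still reach it unless the network path itself is blocked, which is exactly the limitation the follow-up comments in this thread raise.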
 

Author Comment

by:David XF
ID: 39686117
I like this idea, but that idea was already rejected.  Users1 cannot be allowed to ping any IP address on the users2 network.  This means the restrictions need to be at the switch before it reaches the workstations.  (Like I said - very strict security requirements).
 
LVL 9

Expert Comment

by:guswebb
ID: 39686134
I'm not sure how you will achieve that whilst also allowing users to log in from any machine. You need the control to be hardware based but can only administer a solution using software/logon scripts given the nature of mobility and hot desking.

You could always disable the ability to ping anything (Group Policy/hash restriction on cmd.exe and control Start menu content etc.) and couple that with my previous suggestion.
 
LVL 70

Expert Comment

by:KCTS
ID: 39686215
You can't do this as machines must have an IP before they can identify themselves (or users). Software and access rights can be assigned and restricted via policies - you can use a firewall rule between the VLANs to prevent ICMP (ping) packets.
 

Author Comment

by:David XF
ID: 39687701
Looks like the answer to my original question is "can't be done".  I'm going to close this and look for another solution.  Thanks.
