Solved

Assign DHCP IP Addresses through Group Policy

Posted on 2013-11-29
3,674 Views
Last Modified: 2013-11-30
Is it possible to set up a Group Policy to assign IP addresses through DHCP based on a user's OU in Active Directory?  For example, if a user is in OU "users1" in Active Directory, DHCP would give them an IP address in the 192.168.1.1 - 192.168.1.100 range, and if the user is in OU "users2" in Active Directory, DHCP would give them an IP address in the 192.168.1.101 - 192.168.1.200 range.  Is this possible using Group Policy?  If not, is there any way to do this?

This is on a Domain network using Windows Server 2008 R2 64-bit servers.  Users are on Windows 7 workstations.
Question by:David_XF
12 Comments
 
LVL 9

Accepted Solution

by:
guswebb earned 500 total points
ID: 39685805
Not really. The IP address is assigned to the machine, not the user. You could hack this by having an IP re-assigned after a user has logged in but it's not very elegant.

You could define your DHCP scope based on the machines used by those users in a given OU, assuming that's a static scenario of course.
0
 
LVL 11

Expert Comment

by:X_layer
ID: 39686020
You can create IP reservations based on MAC addresses of computers. Can't really remember other way to do this.
0
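The MAC-based reservation approach above is machine-based, not user-based, but it is the one knob DHCP actually offers, so here is what doing it in bulk looks like. This is an added example, not code from the thread or from any poster: it drives the `netsh dhcp server` context that ships with the DHCP role and RSAT on Windows Server 2008 R2 (the DhcpServer PowerShell module only arrived with Server 2012). The server name, scope, host names, MAC addresses and IP assignments are all constructed for the example.

```powershell
# Added example (not from the thread): bulk-create DHCP reservations on a
# Windows Server 2008 R2 DHCP server via netsh, so that machines used by the
# users1 group land in 192.168.1.1-100 and users2 machines in .101-.200.
# The reservation is keyed on the NIC's MAC, so it follows the machine, not
# the user who logs on to it.

$DhcpServer = 'dhcp01.corp.example'      # assumed DHCP server name
$ScopeId    = '192.168.1.0'              # assumed scope, 192.168.1.0/24

# Constructed inventory of workstations -> fixed addresses. MACs are accepted in
# any common notation; they are normalised below.
$Reservations = @(
    @{ Name = 'WS-USERS1-01'; Mac = '00-50-56-AA-00-01'; IP = '192.168.1.10'  },
    @{ Name = 'WS-USERS1-02'; Mac = '00:50:56:AA:00:02'; IP = '192.168.1.11'  },
    @{ Name = 'WS-USERS2-01'; Mac = '005056AA0003';      IP = '192.168.1.110' }
)

function ConvertTo-DhcpMac {
    # netsh wants the MAC as 12 hex digits with no separators.
    param([Parameter(Mandatory)][string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -ne 12) {
        throw "MAC '$Mac' is not a 48-bit address"
    }
    return $clean
}

function Test-InScope {
    # Crude /24 check: the first three octets must match the scope address.
    param([string]$IP, [string]$Scope)
    return (($IP -replace '\.\d+$', '') -eq ($Scope -replace '\.\d+$', ''))
}

foreach ($r in $Reservations) {
    if (-not (Test-InScope -IP $r.IP -Scope $ScopeId)) {
        Write-Warning "$($r.Name): $($r.IP) is outside scope $ScopeId, skipping"
        continue
    }
    $mac = ConvertTo-DhcpMac -Mac $r.Mac

    # Syntax: netsh dhcp server \\<server> scope <scope> add reservedip
    #         <ip> <mac> [<client name>] [<comment>] [BOTH|DHCP|BOOTP]
    $out = & netsh dhcp server "\\$DhcpServer" scope $ScopeId add reservedip `
               $r.IP $mac $r.Name 'Reserved by OU-based inventory' DHCP 2>&1
    if ($out -notmatch 'completed successfully') {
        Write-Warning "$($r.Name): netsh failed: $out"
    } else {
        Write-Host "$($r.Name): reserved $($r.IP) for $mac"
    }
}

# Verify what the server now holds for the scope.
netsh dhcp server "\\$DhcpServer" scope $ScopeId show reservedip
```

Run it from an account that is a DHCP Administrator on the target server. Because a reservation is tied to a MAC, a user who sits down at a different workstation simply inherits that workstation's address, which is exactly the limitation the rest of the thread turns on.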
 
LVL 9

Expert Comment

by:guswebb
ID: 39686025
That's not what the OP is wanting to do but is indeed how you would go about assigning DHCP scope to have certain machines allocated IP addresses from a pre-defined range. This is not however user or OU-based as per the original request.
0
 
LVL 11

Expert Comment

by:X_layer
ID: 39686042
Well, this is the only way to get an IP from the desired scope. And I agree, you cannot create reservations based on OU membership (AFAIK, correct me if I'm wrong).
0
 

Author Comment

by:David_XF
ID: 39686053
Unfortunately, the two groups of users will be sharing computers, so we need a solution that is user-based instead of computer-based, which is why I'm stuck looking for a solution.

The users1 group will be connecting to one network while the users2 group will be connecting to a different network.  For security reasons, these two networks need to be kept completely separate.  An idea was to setup ACLs on the switch based on IP addresses so that users1 only have access to one VLAN and users2 only have access to another VLAN.  But if we can't assign the IP addresses by user, then it doesn't look like that solution is going to work.
0
 
LVL 9

Expert Comment

by:guswebb
ID: 39686059
What exactly are you wanting to keep separate for the two user groups? Files/folders? Access to certain servers?
0
 

Author Comment

by:David_XF
ID: 39686072
Two separate XenApp servers, each on their own separate VLAN.  This is in a hospital environment dealing with patient information, so the security requirements are very strict.  Users from one group cannot have any access to the other group's XenApp server, not even the XenApp logon screen.
0
 
LVL 9

Expert Comment

by:guswebb
ID: 39686102
I'm not so familiar with XenApp, but how about you control the application shortcut presented to the users within each OU via a logon script which you deploy via Group Policy bound to each OU? That way, each time they launch the app they would only see the version of the application relevant to the OU that they are a member of.
0
 

Author Comment

by:David_XF
ID: 39686117
I like this idea, but that idea was already rejected.  Users1 cannot be allowed to ping any IP address on the users2 network.  This means the restrictions need to be at the switch before it reaches the workstations.  (Like I said - very strict security requirements).
0
 
LVL 9

Expert Comment

by:guswebb
ID: 39686134
I'm not sure how you will achieve that whilst also allowing users to log in from any machine. You need the control to be hardware-based but can only administer a solution using software/logon scripts, given the nature of mobility and hot desking.

You could always disable the ability to ping anything (Group Policy/hash restriction on cmd.exe and control Start menu content etc.) and couple that with my previous suggestion.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39686215
You can't do this as machines must have an IP before they can identify themselves (or users).  Software and access rights can be assigned and restricted via policies - you can use firewall rule between the VLANs to prevent ICMP (ping) packets.
0
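The "firewall rule between the VLANs" KCTS mentions is, on most campus switches, an extended ACL on the layer-3 interface that routes between the two VLANs. Below is an added illustration, not configuration from the thread or from the hospital network it describes, written in Cisco IOS syntax with made-up addressing: VLAN 10 (192.168.10.0/24) holds the users1 workstations and their XenApp server, VLAN 20 (192.168.20.0/24) holds users2 and theirs. A `deny ip` line covers ICMP along with everything else, so a separate ICMP rule is not needed; the `log` keyword makes attempted crossings visible in the switch log.

```cisco
! Added example, not from the thread. Assumed addressing:
!   VLAN 10 = 192.168.10.0/24  users1 workstations + XenApp server 1
!   VLAN 20 = 192.168.20.0/24  users2 workstations + XenApp server 2
! Applied inbound on each SVI of the switch that routes between the VLANs.
ip access-list extended VLAN10-IN
 remark Block all traffic (ICMP included) from users1 toward the users2 VLAN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended VLAN20-IN
 remark Block all traffic (ICMP included) from users2 toward the users1 VLAN
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip access-group VLAN20-IN in
```

`show access-lists VLAN10-IN` shows hit counters on the deny line, which is the quickest way to confirm the block is active. The caveat is the one the whole thread circles: the ACL keys on the workstation's address, so it only separates users once each shared workstation is placed in one VLAN or the other; it cannot tell which AD user is sitting at it.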
 

Author Comment

by:David_XF
ID: 39687701
Looks like the answer to my original question is "can't be done".  I'm going to close this and look for another solution.  Thanks.
0
