Assign DHCP IP Addresses through Group Policy

Is it possible to set up a Group Policy to assign IP addresses through DHCP based on a user's OU in Active Directory? For example, if a user is in OU "users1" in Active Directory, DHCP would give them an IP address in the 192.168.1.1 - 192.168.1.100 range, and if the user is in OU "users2" in Active Directory, DHCP would give them an IP address in the 192.168.1.101 - 192.168.1.200 range. Is this possible using Group Policy? If not, is there any way to do this?

This is on a Domain network using Windows Server 2008 R2 64-bit servers.  Users are on Windows 7 workstations.
David XF (Systems Administrator) asked:
 
guswebb commented:
Not really. The IP address is assigned to the machine, not the user. You could hack this by having an IP re-assigned after a user has logged in but it's not very elegant.

You could define your DHCP scope based on the machines used by those users in a given OU, assuming that's a static scenario of course.
0
 
X_layer commented:
You can create IP reservations based on MAC addresses of computers. Can't really remember other way to do this.
0
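As an added example that is not part of this thread, the PowerShell script below creates the MAC-based reservations X_layer describes using netsh (which Windows Server 2008 R2 ships with; the DhcpServer cmdlets only arrive in 2012), and refuses any address that falls outside the range the question assigns to that group. The server name, scope and inventory rows are assumed or constructed.

```powershell
# Added example, not from the thread: bulk-create MAC-based DHCP reservations
# on a Windows Server 2008 R2 DHCP server with netsh, checking that each
# requested address lies inside the range intended for that group.
# Assumptions: a single scope 192.168.1.0/24; server name is a placeholder;
# the inventory below is constructed sample data.

$DhcpServer = 'DHCP01'            # placeholder: DHCP server name
$ScopeId    = '192.168.1.0'

# Address ranges from the question, keyed by group name (last octet only).
$Ranges = @{
    'users1' = @{ First = 1;   Last = 100 }
    'users2' = @{ First = 101; Last = 200 }
}

# Constructed sample inventory (in practice, Import-Csv a file maintained per OU).
$Inventory = @'
ComputerName,Group,MacAddress,IPAddress
WS-CLINIC-01,users1,00-11-22-33-44-55,192.168.1.20
WS-CLINIC-02,users2,00:11:22:33:44:66,192.168.1.150
WS-CLINIC-03,users2,001122334477,192.168.1.50
'@ | ConvertFrom-Csv

foreach ($row in $Inventory) {
    $range = $Ranges[$row.Group]
    if (-not $range) {
        Write-Warning "$($row.ComputerName): unknown group '$($row.Group)', skipped"
        continue
    }
    # The last octet decides which group range the requested address belongs to.
    $lastOctet = [int]($row.IPAddress.Split('.')[3])
    if ($lastOctet -lt $range.First -or $lastOctet -gt $range.Last) {
        Write-Warning "$($row.ComputerName): $($row.IPAddress) is outside the $($row.Group) range, skipped"
        continue
    }
    # netsh expects the MAC as 12 hex digits with no separators.
    $mac = ($row.MacAddress -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($mac.Length -ne 12) {
        Write-Warning "$($row.ComputerName): malformed MAC '$($row.MacAddress)', skipped"
        continue
    }
    $netshArgs = @('dhcp', 'server', "\\$DhcpServer", 'scope', $ScopeId,
                   'add', 'reservedip', $row.IPAddress, $mac,
                   $row.ComputerName, $row.Group, 'DHCP')
    Write-Host "netsh $($netshArgs -join ' ')"
    # Uncomment the next line to apply the reservation on the server.
    # & netsh @netshArgs
}
```

The third sample row is deliberately placed in the wrong range so the check is exercised; with the final line uncommented, the script must run with DHCP administrator rights.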
 
guswebb commented:
That's not what the OP is wanting to do but is indeed how you would go about assigning DHCP scope to have certain machines allocated IP addresses from a pre-defined range. This is not however user or OU-based as per the original request.
0
 
X_layer commented:
Well this is only way to get IP from desired scope. And I agree, you cannot create reservations based on OU membership (AFAIK, correct me if I'm wrong).
0
 
David XF (Systems Administrator, author) commented:
Unfortunately, the two groups of users will be sharing computers, so we need a solution that is user-based instead of computer-based. Which is why I'm stuck looking for a solution.

The users1 group will be connecting to one network while the users2 group will be connecting to a different network. For security reasons, these two networks need to be kept completely separate. An idea was to set up ACLs on the switch based on IP addresses so that users1 only have access to one VLAN and users2 only have access to another VLAN. But if we can't assign the IP addresses by user, then it doesn't look like that solution is going to work.
0
 
guswebb commented:
What exactly are you wanting to keep separate for the two user groups? Files/folders? Access to certain servers?
0
 
David XF (Systems Administrator, author) commented:
Two separate XenApp servers, each on their own separate VLAN. This is in a hospital environment dealing with patient information, so the security requirements are very strict. Users from one group cannot have any access to the other group's XenApp server, even the XenApp logon screen.
0
 
guswebb commented:
I'm not so familiar with XenApp, but how about you control the application shortcut presented to the users within each OU via a logon script which you deploy via Group Policy bound to each OU? That way each time they launch the app they would only see the version of the application relevant to the OU that they are a member of.
0
 
David XF (Systems Administrator, author) commented:
I like this idea, but that idea was already rejected.  Users1 cannot be allowed to ping any IP address on the users2 network.  This means the restrictions need to be at the switch before it reaches the workstations.  (Like I said - very strict security requirements).
0
 
guswebb commented:
I'm not sure how you will achieve that whilst also allowing users to login from any machine. You need the control to be hardware based but can only administer a solution using software/logon scripts given the nature of mobility and hot desking.

You could always disable the ability to ping anything (Group Policy/hash restriction on cmd.exe and control Start menu content etc.) and couple that with my previous suggestion.
0
 
KCTS commented:
You can't do this, as machines must have an IP before they can identify themselves (or users). Software and access rights can be assigned and restricted via policies; you can use a firewall rule between the VLANs to prevent ICMP (ping) packets.
0
 
David XF (Systems Administrator, author) commented:
Looks like the answer to my original question is "can't be done".  I'm going to close this and look for another solution.  Thanks.
0