Solved

DHCP server open to all

Posted on 2014-02-20
Last Modified: 2014-02-28
I have 17 DHCP servers in my environment. We have some sites that need to be self-sufficient, which is why we have such a large number.

I have 4 servers which anyone can administer. Both my DHCP groups are empty and there are no obvious permission settings that say anyone can administer the server(s). My co-workers and I are at a loss here. 3 of these servers are R/O and one is a GC.

I need some other ideas thrown at me to look at this issue.
Question by: insyncguy

Expert Comment by: arnold
It is not clear what you are asking for here. DHCP servers are set up once and really do not need further administration.
RO presumably refers to a DC (RODC)
Properly subdividing the IP segment, using super scopes, etc.
I.e. Setting up a segment with an excluded block that allows for static IP use usually for servers.

You need to post a question or provide some detail on what you are needing assistance with.

Expert Comment by: Kwoof
Holy Cow! I can't picture the network configuration you have done to need 17 DHCP servers!

I ran a school with 20 classrooms that were all on their own subnet, but still had 1 main DHCP.

Anyway, I cannot grasp what you are asking for either.

Expert Comment by: arnold
I believe it is not a single locale. I can see the possibility but not the question.

Is there a designated group/user to administer?

Expert Comment by: Kwoof
Now I am catching up! We have too many meanings for our English words! My mind had interpreted sites as websites, since I am in the middle of a company project where they have about 30 different intranet websites at a single physical location! I was not thinking of multiple physical locations where each would need its own DHCP.

Expert Comment by: tliotta
I believe the question is "How can I control who can administer my DHCP servers?" But that's close to a random guess.

Tom

Expert Comment by: arnold
The difficulty on that is that the "I have 4 servers which anyone can administer" ....

If everyone is a member of the domain admin, enterprise admin or server operators group they will have access.

Here are the default server roles.
http://technet.microsoft.com/en-us/library/cc756898%28v=WS.10%29.aspx

DHCP is usually a one-time setup, unless you are looking at using DHCP-allocated static IPs (reserved IPs).

Author Comment by: insyncguy
I know, guys, that is why this is so weird. We are in charge of many locations in Alaska. These many locations need to be independent, hence the large number of DHCP servers, and our transportation sites are included too.
Of all the DHCP servers we have, these 4 are able to be administered by anyone. The user can create a reservation, change IP ranges and of course delete a scope (gasp!). Why, since it's a one-time setup? And why just these 4?
Not everyone is a member of the Domain Admins, Enterprise Admins or Server Admins group. I do know what I need to know on how to control who administers. The two DHCP AD groups are empty of members. All DHCP servers are on DCs... but none of those DCs allow Everyone or Authenticated Users to admin the server. If that was the case then all the servers could be administered and not just these 4. Like you say, it's a one-time setup for a DHCP server...
DHCP servers are set up once and really do not need further administration. I agree, Arnold. That is why I need to see how these 4 are different...
Let me know what further assistance you need... thanks

Expert Comment by: Kwoof
I think I am beginning to see the question...

Why are these 4 servers able to be administered by anyone, even though the users are not in any of the admin groups?

Are all the servers on a single domain over a WAN, or are they all independent?
Are the users allowed to log on to the server?
Are the users logging in with domain accounts, or their own local machine accounts?

Expert Comment by: arnold
There might be a DACL delegation of authority via GPO security.

Usually, only administrative users can log in to the DC, as you know. If anyone can log in, that suggests that the Default Domain Controllers GPO has been modified, removing the restriction.

User Rights Assignment.

Use GPMC on one of the four and see what settings are applied and from which GPO these settings are set.

You could also have a loopback policy that reasserts the user's settings on logon to these servers and thus grants them this access.

There are several possibilities, and unfortunately, other than looking at the user/system settings.

Author Comment by: insyncguy
KWOOF,
Are all the servers on a single domain over a WAN, or are they all independent? Single domain over an MPLS connection.
Are the users allowed to log on to the server? My regular account is able to log in to one of the servers. (I have two accounts, one Domain Admin, one not.)
Are the users logging in with domain accounts, or their own local machine accounts? Domain accounts. We have very few local accounts and those would be service accounts.
ARNOLD,
I will look at the GPO and see what might be up. I have already looked at the local security settings but didn't see anything obvious.

Expert Comment by: arnold
In a single domain structure, you presumably have the different locations defined as their own OUs (computers/users); see whether the computer OUs have a delegation of control to "domain users" etc.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx

Author Comment by: insyncguy
ARNOLD
I downloaded LIZA and did a search for "domain users" or any other broad group, but alas found only domain admins and enterprise admins. I did see one group with full permissions to a computer with plain users in it, but that group is in an OU where the DHCP server cannot be administered by anyone... so that's not it.

thanks

Now, I did find a couple of groups that included both my regular and DA account. Hurray!! I will keep this open until we decide how to proceed. Thanks Arnold.

Author Comment by: insyncguy
Nope. Took out the permission and still our regular non-domain accounts have access to 4 of our 17 DHCP servers.

Expert Comment by: arnold
Access to servers meaning they can log in to the server console/remotely?

Or they can make changes to the DHCP servers' configuration?

Check the local groups to see whether domain groups have been added in.

Author Comment by: insyncguy
ARNOLD, thanks.
Our regular users cannot access the server. We here in IT have two logons, one Domain Admin, one not. Our regular, non-Domain-Admin ID can in fact log onto these 4 servers and make DHCP server config changes.
All local groups are empty... the DHCP ones...

Expert Comment by: arnold
Non-domain means a local user? What rights does the local user have on the local system?
There must be a GPO/rights assignment that grants this non-admin user rights.

Author Comment by: insyncguy
Non-domain means a domain user. We don't have local users on the servers. And man, I have been looking through GPO/rights assignments and have yet to find anything. (gurr)

Accepted Solution by: arnold (earned 400 total points)
Try the following.
Using GPMC on one of the DCs, run a Group Policy Results wizard against one of these servers and the local user. The right is either granted via a GPO or it is granted locally on the server.

Log in locally and run gpresult /v /user this_username | more


One way to stop the "treasure hunt": create a new local user for non-admin admin use.
Check to make sure it has the requisite rights that you need. Then deactivate the old non-admin admin user.

Author Comment by: insyncguy
Thanks ARNOLD,
We found the issue. In the AD properties of the DC there is the Managed By tab; these servers contained a group which contained both our regular accounts and our Domain Admin accounts. I removed the AD group from this property and the access was removed.

thanks for your assistance.
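An added audit script, not part of this thread, that checks across a domain for the condition insyncguy found: for every authorized DHCP server it reads the computer object's Managed By (managedBy) attribute, expands it if it is a group, and lists members that are not in Domain Admins, Enterprise Admins or DHCP Administrators. It assumes the RSAT ActiveDirectory and DhcpServer PowerShell modules, read access to AD, and the default group names.

```powershell
# Added example (not from the thread): find DHCP servers whose AD computer object
# has a managedBy principal that pulls in accounts outside the expected admin groups.
# Assumes RSAT ActiveDirectory + DhcpServer modules and a domain account with AD read access.
Import-Module ActiveDirectory
Import-Module DhcpServer

# Accounts whose DHCP admin rights are expected; anything else reached via managedBy is a finding.
$expectedAdmins = @('Domain Admins', 'Enterprise Admins', 'DHCP Administrators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty SamAccountName -Unique

function Get-DhcpManagedByFindings {
    foreach ($dhcp in Get-DhcpServerInDC) {
        # DnsName is the FQDN of an authorized DHCP server; the computer object uses the host part.
        $hostName = ($dhcp.DnsName -split '\.')[0]
        $computer = Get-ADComputer -Identity $hostName -Properties managedBy -ErrorAction SilentlyContinue
        if (-not $computer -or -not $computer.managedBy) { continue }

        # managedBy holds a DN; it may point at a user or a group.
        $manager = Get-ADObject -Identity $computer.managedBy -Properties objectClass, sAMAccountName
        $principals = if ($manager.objectClass -eq 'group') {
            Get-ADGroupMember -Identity $manager.DistinguishedName -Recursive
        } else { @($manager) }

        foreach ($p in $principals) {
            [pscustomobject]@{
                DhcpServer    = $dhcp.DnsName
                ManagedBy     = $manager.Name
                Member        = $p.SamAccountName
                ExpectedAdmin = ($expectedAdmins -contains $p.SamAccountName)
            }
        }
    }
}

# Rows with ExpectedAdmin = False are accounts that reach DHCP administration
# through the Managed By tab rather than through an admin group.
Get-DhcpManagedByFindings | Where-Object { -not $_.ExpectedAdmin } | Format-Table -AutoSize
```

Run it from a DC or management host after the fix to confirm no DHCP server still carries an unexpected managedBy principal.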

Author Comment by: insyncguy
I've requested that this question be closed as follows:

Accepted answer: 0 points for insyncguy's comment #a39896394

for the following reason:

ARNOLD stayed with me through this issue.

Expert Comment by: arnold
I'm sure you were thinking of selecting some of my comments as helping you resolve this issue.