Solved

DHCP server open to all

Posted on 2014-02-20
Last Modified: 2014-02-28
I have 17 DHCP servers in my environment. We have some sites that need to be self-sufficient; that's why we have such a large number.

I have 4 servers which anyone can administer. Both my DHCP groups are empty and there are no obvious permission settings that say anyone can administer the server(s). I and my co-workers are at a loss here. 3 of these servers are R/O and one is a GC.

I need some other ideas thrown at me to look at this issue.
Question by:insyncguy
21 Comments
 
LVL 80

Expert Comment

by:arnold
ID: 39875662
It is not clear what you are asking for here. DHCP servers are set up once and really do not need further administration.
RO presumably refers to a DC (RODC).
Properly subdividing the IP segment, using superscopes, etc.
I.e. setting up a segment with an excluded block that allows for static IP use, usually for servers.

You need to post a question or provide some detail on what you are needing assistance with.
 
LVL 5

Expert Comment

by:Kwoof
ID: 39875698
Holy Cow! I can't picture the network configuration you have done to need 17 DHCP servers!

I ran a school with 20 classrooms that were all on their own subnet, but still had 1 main DHCP.

Anyway, I cannot grasp what you are asking for either.
 
LVL 80

Expert Comment

by:arnold
ID: 39875868
I believe it is not a single locale. I can see the possibility but not the question.

Is there a designated group/user to administer?
 
LVL 5

Expert Comment

by:Kwoof
ID: 39875946
Now I am catching up! We have too many meanings for our English words! My mind had interpreted sites as websites, since I am in the middle of a company project where they have about 30 different intranet websites at a single physical location! I was not thinking of multiple physical locations where each would need its own DHCP.
 
LVL 27

Expert Comment

by:tliotta
ID: 39876690
I believe the question is "How can I control who can administer my DHCP servers?" But that's close to a random guess.

Tom
 
LVL 80

Expert Comment

by:arnold
ID: 39877115
The difficulty with that is the "I have 4 servers which anyone can administer" ....

If everyone is a member of the Domain Admins, Enterprise Admins or Server Operators group, they will have access.

Here are the default server roles:
http://technet.microsoft.com/en-us/library/cc756898%28v=WS.10%29.aspx

DHCP is usually a one-time setup, unless you are looking at using DHCP-allocated static IPs (reserved IPs).
 

Author Comment

by:insyncguy
ID: 39877171
I know, guys, that is why this is so weird. We are in charge of many locations in Alaska. These many locations need to be independent, hence the large number of DHCP servers, and our transportation sites are included too.
Of all the DHCP servers we have, these 4 are able to be administered by anyone. The user can create a reservation, change IP ranges and of course delete a scope (gasp!). Why, since it's a one-time setup? And why just these 4?
Not everyone is a member of the Domain Admins, Enterprise Admins or Server Admins group. I do know what I need to know on how to control who administrates. The two DHCP AD groups are empty of members. All DHCP servers are on DCs... but none of those DCs allow Everyone or Authenticated Users to admin the server. If that was the case then all the servers could be administered and not just these 4. Like you say, it's a one-time setup for a DHCP server...
"DHCP servers are set up once and really do not need further administration." I agree, Arnold. That is why I need to see how these 4 are different...
Let me know what further assistance you need... thanks
 
LVL 5

Expert Comment

by:Kwoof
ID: 39877200
I think I am beginning to see the question...

Why are these 4 servers able to be administered by anyone, even though the users are not in any of the admin groups?

Are all the servers on a single domain over a WAN, or are they all independent?
Are the users allowed to log on to the server?
Are the users logging in with domain accounts, or their own local machine accounts?
 
LVL 80

Expert Comment

by:arnold
ID: 39877205
There might be a DACL delegation of authority via GPO security.

Usually, only administrative users can log in to the DC, as you know. If anyone can log in, that suggests that the Default Domain Controller GPO has been modified, removing the restriction.

User Rights Assignment.

Use GPMC on one of the four and see what settings are applied and from which GPO these settings are set.

You could also have a loopback policy that reasserts the user settings on logon to these servers and thus grants them this access.

There are several possibilities, and unfortunately, other than looking at the user/system settings.
 

Author Comment

by:insyncguy
ID: 39877238
KWOOF,
Are all the servers on a single domain over a WAN, or are they all independent? Single domain over an MPLS connection.
Are the users allowed to log on to the server? My regular account is able to log in to one of the servers. (I have two accounts, one Domain Admin, one not.)
Are the users logging in with domain accounts, or their own local machine accounts? Domain accounts. We have very few local accounts and those would be service accounts.
ARNOLD,
I will look at the GPO and see what might be up. I have already looked at the local security settings but didn't see anything obvious.
 
LVL 80

Expert Comment

by:arnold
ID: 39877312
In a single domain structure, you presumably have the different locations defined as their own OUs (computers/users). See whether the computer OUs have a delegation of control to "Domain Users" etc.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
 

Author Comment

by:insyncguy
ID: 39878216
ARNOLD
I downloaded LIZA and did a search for "Domain Users" and other broad groups, but alas found only Domain Admins and Enterprise Admins. I did see one group with full permissions to computers with plain users in it, but that group is in an OU where the DHCP server cannot be administered by anyone... so that's not it.

Thanks.

Now, I did find a couple of groups that included both my regular and DA account. Hurray!! I will keep this open until we decide how to proceed. Thanks Arnold.
 

Author Comment

by:insyncguy
ID: 39892530
Nope. Took out the permission and still our regular non-domain-admin accounts have access to 4 of our 17 DHCP servers.
 
LVL 80

Expert Comment

by:arnold
ID: 39895335
Access to servers meaning they can log on to the server console/remotely?

Or they can make changes to the DHCP servers' configuration?

Check the local groups to see whether domain groups have been added.
 

Author Comment

by:insyncguy
ID: 39895375
ARNOLD, thanks.
Our regular users cannot access the server. We here in IT have two logons, one Domain Admin, one not. Our regular, non-Domain-Admin ID can in fact log on to these 4 servers and make DHCP server config changes.
All local groups are empty... the DHCP ones...
 
LVL 80

Expert Comment

by:arnold
ID: 39895449
Non-domain means local user? What rights does the local user have on the local system?
There must be a GPO/rights assignment that grants this non-admin user rights.
 

Author Comment

by:insyncguy
ID: 39895492
Non-domain means domain user. We don't have local users on the servers. And man, I have been looking through GPO/rights assignments and have yet to find anything. (grrr)
 
LVL 80

Accepted Solution

by:arnold (earned 1200 total points)
ID: 39895515
Try the following.
Using GPMC on one of the DCs, run a Group Policy Results wizard against one of these servers and the affected user. The right is either granted via a GPO or it is granted locally on the server.

Log in locally and run: gpresult /v /user this_username | more

One way to stop the "treasure hunt": create a new user for non-admin admin use.
Check to make sure it has the requisite rights that you need. Then deactivate the old non-admin admin user.
 

Author Comment

by:insyncguy
ID: 39896394
Thanks ARNOLD,
We found the issue. In the AD properties of the DC there is the Managed By tab; these servers contained a group which contained both our regular accounts and our Domain Admin accounts. I removed the AD group from this property and the access was removed.

Thanks for your assistance.
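The resolution above (a group in the computer object's Managed By tab granting DHCP administration to every member) is easy to miss because it shows up in none of the DHCP groups or user rights assignments. The following audit script is an added example, not code from the thread or from Microsoft: it reads the managedBy attribute of each listed DHCP server, expands any group it points at, and flags members who hold DHCP admin rights through managedBy alone. It assumes the RSAT ActiveDirectory module; the server names and the "expected" admin group list are placeholders to adjust.

```powershell
# Added audit script (not from the thread). Assumes the RSAT ActiveDirectory module
# and read access to the domain. Server names below are placeholders: replace them.
Import-Module ActiveDirectory

$DhcpServers = @('DC-SITE01', 'DC-SITE02', 'DC-SITE03')   # placeholder DHCP server names

# Accounts expected to hold DHCP admin rights anyway. Nested membership is expanded
# once so each managedBy member can be compared against it below.
$ExpectedGroups = @('Domain Admins', 'Enterprise Admins', 'DHCP Administrators')
$ExpectedAdmins = foreach ($g in $ExpectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}

foreach ($server in $DhcpServers) {
    $computer = Get-ADComputer -Identity $server -Properties managedBy
    if (-not $computer.managedBy) {
        Write-Output "$server : managedBy is empty (nothing to flag)"
        continue
    }

    # managedBy holds a distinguished name; it may point at a single user or a group.
    $manager = Get-ADObject -Identity $computer.managedBy -Properties objectClass, sAMAccountName
    Write-Output "$server : managedBy = $($manager.Name) [$($manager.ObjectClass)]"

    if ($manager.ObjectClass -eq 'group') {
        # Expand nested membership: every user reached here gets the effect seen in the thread.
        $members = Get-ADGroupMember -Identity $manager.DistinguishedName -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
    } else {
        $members = @($manager)
    }

    foreach ($m in $members) {
        if ($ExpectedAdmins -contains $m.SamAccountName) {
            Write-Output "    ok       $($m.SamAccountName) (already in an expected admin group)"
        } else {
            Write-Output "    FLAGGED  $($m.SamAccountName) gains DHCP admin rights via managedBy only"
        }
    }
}
```

Run it read-only first; a FLAGGED line is the condition the thread describes, and clearing or re-pointing managedBy on that computer object is the fix the author applied.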
 

Author Comment

by:insyncguy
ID: 39896419
I've requested that this question be closed as follows:

Accepted answer: 0 points for insyncguy's comment #a39896394

for the following reason:

ARNOLD stayed with me through this issue.
 
LVL 80

Expert Comment

by:arnold
ID: 39896414
I'm sure you were thinking of selecting some of my comments as helping you resolve this issue.
