Solved

DHCP server open to all

Posted on 2014-02-20
175 Views
Last Modified: 2014-02-28
I have 17 DHCP servers in my environment.  We have some sites that need to be self sufficient, that's why we have such a large number.

I have 4 servers which anyone can administer.  Both my DHCP groups are empty and there are no obvious permission settings that says anyone can administer the server(s).  I and my co workers are at a loss here.  3 of these servers are R/O and one is a GC.

I need some other ideas thrown at me to look at this issue.
Question by:insyncguy
21 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39875662
It is not clear what you are asking here for.  DHCP servers are setup once and really do not need further administration.
RO presumably refers to a DC (RODC)
Properly subdividing the IP segment, using super scopes, etc.
I.e. Setting up a segment with an excluded block that allows for static IP use usually for servers.

You need to post a question or provide some detail on what you are needing assistance with.
0
 
LVL 5

Expert Comment

by:Kwoof
ID: 39875698
Holy Cow! I can't picture the network configuration you have done to need 17 DHCP servers!

I ran a school with 20 classrooms that were all on their own subnet, but still had 1 main DHCP.

Anyway, I cannot grasp what you are asking for either?
0
 
LVL 77

Expert Comment

by:arnold
ID: 39875868
I believe it is not a single locale. I can see the possibility but not the question.

Is there a designated group/user to administer.
0
 
LVL 5

Expert Comment

by:Kwoof
ID: 39875946
Now I am catching up!  We have too many meanings for our English words!  My mind had interpreted sites as websites, since I am in the middle of company project where they have about 30 different intranet websites at a single physical location!  I was not thinking multiple physical locations where each would need their own DHCP.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 39876690
I believe the question is "How can I control who can administer my DHCP servers?" But that's close to a random guess.

Tom
0
 
LVL 77

Expert Comment

by:arnold
ID: 39877115
The difficulty on that is that the "I have 4 servers which anyone can administer" ....

If everyone is a member of the domain admin, enterprise admin or server operators group they will have access.

Here are the default server roles.
http://technet.microsoft.com/en-us/library/cc756898%28v=WS.10%29.aspx

DHCP is usually a one time setup, unless you are looking at using DHCP allocated static IPs (reserved IPs).
0
 

Author Comment

by:insyncguy
ID: 39877171
I know guys that is why this is so weird.  We are in charge of many locations in Alaska.  These many locations need to be independent, hence the large number of DHCP servers and our transportations sites are included too.
Of all the DHCP servers we have, these 4 are able to be administered by anyone.  the user can create a reservation, change IP ranges and of course, delete a scope, (gasp!)  Why, since it's a one time setup?  And why just these 4?
Not Everyone is a member of the Domain Admins, Enterprise Admins or Server admins group.  I do know what I need to know on how to control who administrates.  The two DHCP AD groups are empty of members.  All DHCP servers are on DC's... but none of those DC's allow Everyone or Authenticated users to admin the server.  If that was the case then all the servers could be administered and not just these 4.  Like you say it's a one time setup for DHCP server...
DHCP servers are setup once and really do not need further administration.  I agree Arnold.  That is why I need to see how these 4 are different...
let me know what further assistance you need...thanks
0
 
LVL 5

Expert Comment

by:Kwoof
ID: 39877200
I think I am beginning to see the question...

why are these 4 servers able to be administered by anyone, even though the users are not in any of the admin groups.

Are all the servers on a single domain over a WAN, or are they all independent?
Are the users allowed to logon to the server?
Are the users logging in with domain accounts, or their own local machine accounts?
0
 
LVL 77

Expert Comment

by:arnold
ID: 39877205
There might be a DACL delegation of authority via GPO security.

usually, only administrative users can login into the DC as you know.  If anyone can login, that suggests that the Default Domain controller GPO has been modified removing the restriction.

User rights assignment.

Using GPMC on one of the four and see what settings and from which GPO these settings are set.

You could also have a loopback policy that reasserts the users settings on logon to these server and thus grants them this access.

There are several possibilities, and unfortunately, other than looking at the users/system settings.
0
 

Author Comment

by:insyncguy
ID: 39877238
KWOOF,
Are all the servers on a single domain over a WAN, or are they all independent? Single domain over MPLS connection
Are the users allowed to logon to the server?  My regular account is able to log in to one of the servers.  (I have two accounts, one Domain Admin, one not)
Are the users logging in with domain accounts, or their own local machine accounts?  domain accounts.  We have very few local accounts and those would be service accounts.
ARNOLD,
I will look at the GPO and see what might be up.  I have already looked at the local security settings but didn't see anything obvious.
0

 
LVL 77

Expert Comment

by:arnold
ID: 39877312
In a single domain structure, you presumably have the different locations defined as their own OUs (computers/users) see whether the computers OUs have a delegation of control to "domain users" etc.

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0
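One way to do the delegation check arnold describes without a third-party tool. This is an added example, not code from the thread or from any of its participants; it assumes the ActiveDirectory and DhcpServer RSAT modules are installed on the machine it runs from, and the list of "broad" principals is an assumption you should extend with any all-staff group your domain uses.

```powershell
# Added example (not from the thread): audit AD delegation on the computer
# object of every authorized DHCP server and on its parent OU, flagging any
# write-capable ACE granted to a broad principal. Assumes the ActiveDirectory
# and DhcpServer RSAT modules are available.
Import-Module ActiveDirectory
Import-Module DhcpServer

# Principals that should never hold write rights on a DC/DHCP computer object
# (assumed list; add site-specific "everyone" style groups here).
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

# Anything beyond read: changing the object, its children or its security.
$WriteRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild|DeleteChild|Delete'

function Get-BroadAce {
    param([string]$DistinguishedName)
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        # IdentityReference looks like "DOMAIN\Domain Users" or "NT AUTHORITY\Everyone".
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($BroadPrincipals -contains $name -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.ActiveDirectoryRights.ToString() -match $WriteRights) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited   # True means it came from a parent OU
            }
        }
    }
}

# Authorized DHCP servers are registered in AD; DnsName is the host FQDN.
$findings = foreach ($dhcp in Get-DhcpServerInDC) {
    $hostName = $dhcp.DnsName.Split('.')[0]
    $computer = Get-ADComputer -Identity $hostName
    # Parent OU = everything after the first RDN (fine for ordinary computer names).
    $parentOu = ($computer.DistinguishedName -split ',', 2)[1]
    Get-BroadAce -DistinguishedName $computer.DistinguishedName
    Get-BroadAce -DistinguishedName $parentOu
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No broad write ACEs found on DHCP server computer objects or their parent OUs.'
}
```

Because the script walks every server returned by Get-DhcpServerInDC, comparing the output for the four misbehaving servers against the other thirteen is a quick way to spot a delegation that only exists in one OU.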
 

Author Comment

by:insyncguy
ID: 39878216
ARNOLD
I downloaded LIZA and did a search for "domain users" and any other broad group, but alas, only domain admins and enterprise admins.  I did see one group with full permissions to computers with plain users in it, but that group is in an OU where the DHCP server cannot be administered by anyone...so that's not it.

thanks

Now did find a couple of groups that included both my regular and DA account.  Hurray!! I will keep this open until we decide how to proceed.  Thanks Arnold.
0
 

Author Comment

by:insyncguy
ID: 39892530
Nope. Took out the permission and still our regular non domain admin accounts have access to 4 of our 17 DHCP servers.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39895335
Access to servers meaning they can login onto the server console/remotely?

Or they can make changes to the DHCP servers' configuration?

Check the local groups to see whether domain groups have been added in.
0
 

Author Comment

by:insyncguy
ID: 39895375
ARNOLD, thanks.
Our regular users cannot access the server.  We here in IT have two logons, one Domain Admin, one not.  Our regular, non domain admin, ID can in fact log onto these 4 servers and make DHCP server config changes.
All local groups are empty...the DHCP ones...
0
 
LVL 77

Expert Comment

by:arnold
ID: 39895449
Non domain means, local user? what rights does the local user have on the local system?
There must be a GPO/rights assignment that grants this non-admin user rights.
0
 

Author Comment

by:insyncguy
ID: 39895492
Non domain means domain user.  We don't have local users on the servers.  And man, I have been looking through GPO/rights assignments and have yet to find anything.  (gurr)
0
 
LVL 77

Accepted Solution

by:
arnold earned 400 total points
ID: 39895515
Try the following.
Using GPMC on one of the DCs, run a Group Policy Results wizard against one of these servers and the user in question. The right is either granted via a GPO or it is granted locally on the server.

Login locally and run gpresult /v /user this_username | more


One way to stop the "treasure hunt" Create a new local user for non-admin admin use.
Check to make sure it has the requisite rights that you need.  Then deactivate the old non-admin admin user.
0
 

Author Comment

by:insyncguy
ID: 39896394
Thanks ARNOLD,
We found the issue. In the AD properties of the DC there is the Managed By tab; these servers contained a group which contained both our regular accounts and our Domain Admin accounts.  I removed the AD group from this property and the access was removed.

thanks for your assistance.
0
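The same check insyncguy did by hand in the Managed By tab, scripted across every authorized DHCP server so the one-off finding becomes a repeatable audit. This is an added example, not code from the thread or its participants; it assumes the ActiveDirectory and DhcpServer RSAT modules, and treats membership of Domain Admins or Enterprise Admins as the only "expected" way for an account to administer a DHCP server on a DC.

```powershell
# Added example (not from the thread): report the Managed By (managedBy)
# attribute on the computer object of every authorized DHCP server, expand it
# when it is a group, and flag members outside Domain Admins / Enterprise Admins.
# Assumes the ActiveDirectory and DhcpServer RSAT modules are available.
Import-Module ActiveDirectory
Import-Module DhcpServer

# Accounts that are expected to have admin rights anyway (recursive membership).
$privileged = @('Domain Admins', 'Enterprise Admins') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique

$report = foreach ($dhcp in Get-DhcpServerInDC) {
    $hostName = $dhcp.DnsName.Split('.')[0]
    $computer = Get-ADComputer -Identity $hostName -Properties managedBy

    if (-not $computer.managedBy) {
        # Nothing set on the Managed By tab: nothing to expand for this server.
        [pscustomobject]@{ Server = $hostName; ManagedBy = '(none)'; Member = ''; Privileged = $true }
        continue
    }

    # managedBy holds a DN; it may point at a user or at a group.
    $manager = Get-ADObject -Identity $computer.managedBy -Properties sAMAccountName
    $members = if ($manager.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $manager.DistinguishedName -Recursive
    } else {
        $manager
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Server     = $hostName
            ManagedBy  = $manager.Name
            Member     = $m.SamAccountName
            Privileged = ($privileged -contains $m.SamAccountName)
        }
    }
}

# Rows with Privileged = False are the regular accounts that gained access
# purely through Managed By, which is what the thread ended up finding.
$report | Sort-Object Server, Member | Format-Table -AutoSize

# Remediation, run with -WhatIf so nothing changes until you remove it:
# clear Managed By on every server where a non-privileged account appeared.
$report | Where-Object { -not $_.Privileged } |
    Select-Object -ExpandProperty Server -Unique |
    ForEach-Object { Set-ADComputer -Identity $_ -Clear managedBy -WhatIf }
```

Running this once a quarter (or from a scheduled task that e-mails any rows with Privileged = False) catches the case where someone repopulates the Managed By tab later, which is the kind of quiet change that took this thread more than a week to track down.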
 

Author Comment

by:insyncguy
ID: 39896419
I've requested that this question be closed as follows:

Accepted answer: 0 points for insyncguy's comment #a39896394

for the following reason:

ARNOLD stayed with me through this issue.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39896414
I'm sure you  were thinking of selecting some of my comments as helping you resolve this issue.
0
