DHCP - Active Directory

By dbkdorf ·
Does anyone know if it is possible to block DHCP requests from being processed for machines that are not listed in Active Directory?
My issue involves rogue machines coming into my network without permission. They see an empty outlet and just plug into it. We have a lot of visitors in our building.
Maybe I am attacking this problem the wrong way, but I would think you can block DHCP requests if the machine is not a member of the current Active Directory Computers.
If anyone knows how to do this or of another way of rogue machines plugging in, it would be greatly appreciated.

Doug Kasdorf
Network Administrator
Oceanworks International Corp


What about a firewall?

by pnmnelson In reply to DHCP - Active Directory

I am in school for this right now, so bear that in mind with my answer. Do you have a firewall installed on your network? If I am understanding your question, you would just need to use the firewall to block those "outlets" the rogue machines are using. Hope this helps. If not, e-mail me back and let me know so I can learn. Thanks.


re:DHCP and Active Directory

by dbkdorf In reply to What about a firewall?

Perhaps I wasn't clear enough in my original post.
The outlets the rogue computers are plugging into are scattered throughout our LAN. We have a firewall that separates our LAN from the outside world, but these outlets are all internal and they change on a regular basis. The reason for extra outlets is to allow users with mobile computers to plug in various locations. Hope that is clearer(er).


What do you NOT want them to do?

by R3D In reply to re:DHCP and Active Direct ...

Do you NOT want them to connect to your internal systems OR do you NOT want them to even get to the internet?

I assume your GUEST account is disabled? If you don't want them in your systems, then turning the guest account off is a step in the right direction, but if you want them to NOT get to the internet at all (not recommended), then you will have a load of trouble on your hands.

One company obtained all the MAC addresses of their systems and modified it in Policy so that only systems with said MACs could log on and obtain access. You may try to set up a script to audit computer accounts in AD and, if the MAC doesn't match what you have on the list, disable it in AD. I'm not sure what the script would look like for this, but I'm sure you could find out, depending on what scripting language you chose.

If there is an easier way of doing this, it hasn't occurred to me, or was more trouble than it was worth.

Good luck!
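An added example of the audit R3D describes, written for this thread rather than taken from any poster: it compares active DHCP leases against the computer accounts in AD, reports leases whose hostname no domain computer owns, and can optionally turn the known machines' MACs into a DHCP allow-list filter (the DHCP-level block the original question asks for). It assumes the DhcpServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later), and the server name and scope ID are placeholders.

```powershell
# Added example, not from the thread. Assumes DhcpServer + ActiveDirectory modules.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer = 'dhcp01.example.local'   # placeholder: your DHCP server
$ScopeId    = '10.0.0.0'               # placeholder: the scope to audit
$Enforce    = $false                   # $true adds known MACs to the DHCP Allow filter

# Lookup of names the domain knows: short name and FQDN of every computer account.
$known = @{}
Get-ADComputer -Filter * -Properties DNSHostName | ForEach-Object {
    $known[$_.Name.ToLower()] = $true
    if ($_.DNSHostName) { $known[$_.DNSHostName.ToLower()] = $true }
}

$leases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' }

$unknown = @(); $trusted = @()
foreach ($lease in $leases) {
    # HostName in a lease is supplied by the client, so treat a match as a hint, not proof.
    $name  = if ($lease.HostName) { $lease.HostName.ToLower() } else { '' }
    $short = $name -replace '\..*$', ''
    if ($name -and ($known.ContainsKey($name) -or $known.ContainsKey($short))) {
        $trusted += $lease
    } else {
        $unknown += [pscustomobject]@{
            IP = $lease.IPAddress; MAC = $lease.ClientId; Host = $lease.HostName
        }
    }
}

Write-Host "Leases not matching any AD computer account (review these):"
$unknown | Format-Table -AutoSize

if ($Enforce) {
    # Build the Allow list from machines that did match, then switch the list on.
    foreach ($lease in $trusted) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow `
            -MacAddress $lease.ClientId -Description $lease.HostName
    }
    Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true
}
```

Run it with `$Enforce = $false` first and check the report: a machine that is in AD but was never leased while the script ran (e.g. a laptop off-site) would be left out of the Allow list, and a MAC filter only stops clients that ask for DHCP, not ones that set a static address.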
