This is a hard problem to solve today. You can do things like 802.1x so that devices have to authenticate before getting on the network; however, there are many obstacles here. The future direction is a solution called Network Access Protection (NAP), which is being worked on for the next generation of Windows; more details here: http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx . This will allow scenarios like you mention below, where addresses will be given out but the client's access to the network is restricted until he has met the requirements for using the network, i.e. a Statement of Health (SOH).

Today the client has to have an address to bootstrap the network, so your only course of action would be to use 802.1x, which requires hardware that supports that functionality, or to have reservations for all clients and no additional addresses available (this really is not workable in most environments and you might as well go static).

Thanks,
-Steve
________________________________
From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 9/29/2005 8:53 AM
To: [email protected]
Subject: [ActiveDir] Stopping DHCP from issuing an address

Dear List,

We have a conference room which has a network port which is directly connected to the internet cloud so that visitors who want to hook up notebooks and get out can. That port does not allow network access. Yesterday, a department head asked us if one of his visitors could use that port and we said go ahead. Next thing I know, there's a new PC on my network in a workgroup. An investigation revealed that this guest was taken to an open cubicle which had a PC turned off and he unplugged it and plugged his notebook in and now my DHCP server says, "Oh here's an address for you, live it up."

This disturbs me. I was not aware of this problem in DHCP and thought that unless a PC was joined to the domain, it could not get an address or live on the network. But now that I think about it, I guess I somewhat understand as Workgroups need to be created and they will all need addresses. Nonetheless, is there a way to tell DHCP "Hey, NO ADDRESSES unless a Domain Administrator grants it?"

Thanks in advance for any advice.

RH
______________________________
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
______________________________
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
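
For the situation discussed in this thread (a visitor's notebook receiving a lease), the following added example, which is not part of either message, shows a detective check: it reads a Windows DHCP Server audit log and reports leases issued to MAC addresses that are missing from an inventory. The comma-separated column order is that of the DHCP Server audit log; the host names, addresses, MACs and the inventory are constructed sample data.

```python
import csv
import io
import string

# Audit log event IDs: 10 = new lease assigned, 11 = lease renewed.
LEASE_EVENTS = {"10": "Assign", "11": "Renew"}

# Constructed sample in the DHCP Server audit log column order (not real data).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,09/28/05,00:00:12,Started,,,
10,09/28/05,08:02:41,Assign,10.0.0.21,DESK-014.example.local,000D60A1B2C3
11,09/28/05,12:02:41,Renew,10.0.0.21,DESK-014.example.local,000D60A1B2C3
10,09/28/05,14:17:05,Assign,10.0.0.57,VISITOR-NB,0011257F9E44
"""

# Hypothetical inventory of approved adapters, in whatever notation it was recorded.
KNOWN_MACS = ["00-0d-60-a1-b2-c3"]


def normalize_mac(mac):
    """Keep only the hex digits, uppercased, so differing notations compare equal."""
    return "".join(c for c in mac if c in string.hexdigits).upper()


def unknown_leases(log_text, known_macs):
    """Return lease events whose client MAC is not in the inventory."""
    known = {normalize_mac(m) for m in known_macs}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Banner and header lines do not start with a numeric event ID.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        event = row[0].strip()
        mac = normalize_mac(row[6])
        if event in LEASE_EVENTS and mac and mac not in known:
            findings.append({
                "event": LEASE_EVENTS[event],
                "when": f"{row[1]} {row[2]}",
                "ip": row[4],
                "host": row[5],
                "mac": mac,
            })
    return findings


if __name__ == "__main__":
    for f in unknown_leases(SAMPLE_LOG, KNOWN_MACS):
        print(f"{f['when']} {f['event']} {f['ip']} {f['host']} {f['mac']}")
```

A MAC address is client-supplied and can be changed, so this check reports unexpected devices but does not authenticate them the way 802.1x does.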
