Matt said:
Some of our employees bring their own laptops to work, and join the
network to connect to the internet. Is it possible to detect (and
maybe prevent) when someone connects a computer (not a member of the
domain) to the network?
Thanks,
Matt

Since I mostly distribute DHCP addresses via a Unix server, and the
human memory is failing, I may not be offering something that's possible
in Windows.

In Unix (specifically):

1) Create a new DHCP scope of IP addresses on the extreme end of your
subnet range. I.e., 172.16.0/24 is your normal network. Assign
172.16.0.200 through 172.16.0.254 (can't use 255, it's the broadcast
address) to "unknown" clients -- clients that aren't specifically added
as a host declaration in the config file. A script can often bring
"existing leases" into "host declarations."

2) If the machine trying to access the network is 172.16.0.200 through
254, prevent or limit the outside access from that host.

Optionally, if the machine user is smart, he can "register" his laptop
with the corporate network to get normal internet access via a webpage
the corporation creates. This is something I've thought about doing in
a corporate environment, but haven't yet implemented it.

So, in the Windows GUI interface, you'll have to find somewhere to create
static DHCP entries, or an otherwise "group" of computers. And anybody
outside of that group gets the "visitor" range. #2 is totally
optional, but you will know what group that machine is in simply by the
IP address it obtains.
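
An added example, not part of the original reply: a sketch of the lease-to-host-declaration script mentioned in step 1, which also lists the active machines sitting in the visitor range. It assumes the server is ISC dhcpd (the reply only says "a unix server") and its lease-file and host-declaration syntax; the function names and the sample leases are constructed for illustration.

```python
import ipaddress
import re

# Assumed visitor range, taken from the post: 172.16.0.200 through 172.16.0.254.
VISITOR_FIRST, VISITOR_LAST = map(ipaddress.ip_address, ("172.16.0.200", "172.16.0.254"))
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
NAME_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)  # skips "next binding state"

def parse_leases(text):
    """Map IP -> lease fields; a later entry for the same IP replaces an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac, name, state = MAC_RE.search(body), NAME_RE.search(body), STATE_RE.search(body)
        if mac:
            leases[ip] = {"ip": ip, "mac": mac.group(1).lower(),
                          "name": name.group(1) if name else "",
                          "state": state.group(1) if state else "unknown"}
    return leases

def visitors(leases):
    """Active leases inside the visitor range, i.e. machines with no host declaration."""
    hits = [rec for rec in leases.values() if rec["state"] == "active"
            and VISITOR_FIRST <= ipaddress.ip_address(rec["ip"]) <= VISITOR_LAST]
    return sorted(hits, key=lambda rec: ipaddress.ip_address(rec["ip"]))

def host_declaration(lease):
    """Render a host block; the client-supplied hostname is untrusted, so sanitize it."""
    label = re.sub(r"[^A-Za-z0-9-]+", "-", lease["name"]).strip("-")
    label = label or "host-" + lease["mac"].replace(":", "")
    return "host %s {\n  hardware ethernet %s;\n}\n" % (label, lease["mac"])

# Constructed sample lease file, not real data.
SAMPLE = """\
lease 172.16.0.23 {
  binding state active;
  hardware ethernet 00:16:3e:00:00:01;
}
lease 172.16.0.201 {
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3E:00:00:02;
  client-hostname "bob laptop; }";
}
lease 172.16.0.202 {
  binding state free;
  hardware ethernet 00:16:3e:00:00:03;
}
"""
```

On a live server, feed `parse_leases` the lease file the DHCP daemon writes instead of `SAMPLE`, and review each generated block before adding it to the config, since a host declaration is what turns a visitor into a known client.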