A way to disallow "foreign" PCs from connecting to our network


victore
02-01-2005, 05:49 PM
I have a Win2K based AD network with most of my clients being either XP or 2K Pro. The majority of my users are connected to a single LAN, with the rest of my client machines connecting from remote offices via VPN's. Occasionally, we have visitors - lawyers, auditors, clients who want to plug into our network to get Internet access. Sometimes they're good about asking permission, but more often than not, I find out about it because I see them in "My Network Places".

I'd like to enable a solution where foreign PCs can't get an IP address unless we approve it. Ideally, it would work across the WAN, and would take into account the few machines that aren't AD aware - Windows Mobile devices, 9x, Mac and Linux boxes.

Our Cisco switch kinda has this ability, but that won't take care of the remote offices. I had heard stories of how MS has a system where if a machine does not meet certain patch levels, it is denied network access, and I was hoping to adapt that technology for this project.

Has anyone tried to implement this kind of solution and how successful was it?

David Prahl
02-05-2005, 04:36 AM
I'm not a network expert, but do you have the capability to filter by MAC address? Perhaps by machine name if you follow a strict naming convention? Or you could disable DHCP and use a static-IP scheme.

Mark Kenepp
02-05-2005, 06:18 AM
I'm not a network expert, but do you have the capability to filter by MAC address? Perhaps by machine name if you follow a strict naming convention? Or you could disable DHCP and use a static-IP scheme.

Our office uses static IP addresses, so if anyone wants to connect to the network, they need to get an address from me. It certainly is an option.

It would create a logistic hassle depending on the size of your network. My network was inherited with static IP so I have just run with it.

You would need to know how it would work with your remote offices, however.

(Good to see you back, Mr. Prahl)

Janak Parekh
02-05-2005, 07:43 AM
There are a number of possibilities apart from the ones Mark and David pointed out.

1. Not only could you use static IP; you could also configure DHCP to hand out addresses only to Ethernet interfaces whose MAC addresses match those you expect.

2. You could sandwich a firewall/proxy between your network and your commodity Internet connection. Microsoft's solution in this space is ISA Server (http://www.microsoft.com/isaserver/), which is pretty flexible/slick -- it can be configured to require AD authentication before allowing Internet access. It does assume that a Windows Server box will be the "router/gatekeeper", though.

3. If you already have a firewall, you may be able to configure it to pass only certain IP and/or MAC addresses' traffic.

If you give more details, perhaps we can suggest a solution, but that's a start.

--janak
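The following is an added example, not code from anyone in this thread, showing how Janak's option 1 (DHCP that only serves approved MAC addresses) and David's MAC-filter suggestion can be put into practice. It assumes an ISC dhcpd server, whose `deny unknown-clients` directive refuses leases to any MAC without a `host` block; the Windows 2000 DHCP service the original poster is presumably running has no equivalent setting, so that part of the thread's environment is an assumption here. The second function addresses the gap that a DHCP-only control leaves: a visitor who simply sets a static IP never talks to DHCP, so the script also audits a captured `arp -a` table against the same inventory. Every hostname, MAC address, IP address and the ARP sample are constructed for the example.

```python
"""Added example, not code from the thread: one MAC allowlist applied two ways.

1. dhcpd_config() turns an approved inventory into ISC dhcpd host
   reservations plus a subnet that refuses every other MAC
   (deny unknown-clients).  ISC syntax is an assumption; the thread's
   Windows 2000 DHCP server has no equivalent knob.
2. audit_arp() checks a captured `arp -a` table against the same
   inventory, because a visitor who configures a static IP never asks
   DHCP for anything and would otherwise go unnoticed.

Every hostname, MAC and IP address below is constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Tuple

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
# One ARP row: an IPv4 address followed by a MAC in colon or hyphen form.
ARP_ROW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so 00-1A-2B-... and 00:1a:2b:... compare equal."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


# Approved inventory: hostname -> (MAC, fixed IP).  Constructed.
APPROVED: Dict[str, Tuple[str, str]] = {
    "ws-finance-01": ("00:1a:2b:3c:4d:01", "192.168.10.11"),
    "ws-finance-02": ("00-1A-2B-3C-4D-02", "192.168.10.12"),
    "lt-ceo": ("00:1a:2b:3c:4d:03", "192.168.10.13"),
}
# Gear that answers ARP but never asks DHCP (the gateway).  Constructed.
INFRASTRUCTURE = {"00:1a:2b:3c:4d:fe"}


def dhcpd_config(approved: Dict[str, Tuple[str, str]],
                 subnet: str = "192.168.10.0",
                 netmask: str = "255.255.255.0",
                 router: str = "192.168.10.1") -> str:
    """Render a dhcpd.conf fragment: one host block per approved machine,
    and deny unknown-clients so a MAC without a host block gets no lease."""
    lines = [
        f"subnet {subnet} netmask {netmask} {{",
        f"  option routers {router};",
        "  deny unknown-clients;",
        "}",
    ]
    for host, (mac, ip) in sorted(approved.items()):
        lines += [
            f"host {host} {{",
            f"  hardware ethernet {normalize_mac(mac)};",
            f"  fixed-address {ip};",
            "}",
        ]
    return "\n".join(lines) + "\n"


def audit_arp(arp_table: str,
              approved: Dict[str, Tuple[str, str]],
              infrastructure: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs present on the wire whose MAC is on neither list.
    Header and 'Interface:' lines carry no MAC and never match ARP_ROW_RE."""
    known = {normalize_mac(mac) for mac, _ in approved.values()}
    known |= {normalize_mac(mac) for mac in infrastructure}
    unknown = []
    for line in arp_table.splitlines():
        row = ARP_ROW_RE.search(line)
        if not row:
            continue
        ip, mac = row.group(1), normalize_mac(row.group(2))
        if mac not in known:
            unknown.append((ip, mac))
    return unknown


# Constructed sample in the format `arp -a` prints on Windows (hyphenated MACs).
SAMPLE_ARP = """\
Interface: 192.168.10.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-fe     dynamic
  192.168.10.11         00-1a-2b-3c-4d-01     dynamic
  192.168.10.13         00-1a-2b-3c-4d-03     dynamic
  192.168.10.77         00-0c-29-aa-bb-cc     dynamic
"""

if __name__ == "__main__":
    print(dhcpd_config(APPROVED))
    for ip, mac in audit_arp(SAMPLE_ARP, APPROVED, INFRASTRUCTURE):
        print(f"unapproved host {ip} ({mac}) is on the LAN")
```

Two caveats worth keeping in mind with any of the MAC-based options in this thread: a MAC address is trivially changed in the adapter's driver settings, so this keeps honest visitors honest rather than stopping someone who copies an approved address, and the ARP audit only sees hosts on the segment it is run from, so it would have to be run (or scripted) at each remote office separately.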