update many WIN2K8R2 DHCP MAC Filter remotely from script
Hi,

We have many DHCP servers in our network; all of them are domain controllers running Win2K8R2. My problem is with the MAC address filter: if we need to block a strange MAC address, I should add that MAC address to the filter on all my DHCP servers one by one. It's so hard for me. The principal command in my script is:

psexec \\my-First-Win2K8R2-Server "netsh dhcp server v4 add filter deny mac-address"

If I use this command with domain admin credentials in my script, it works. BUT without domain admin credentials, my script does not work. Regarding SOX rules, I cannot use domain admin credentials; the script should be executed under a special domain user account. My question: what can I do to allow the special account to run the script successfully from a domain workstation? Thanks for help
March 8th, 2011 7:00pm

Have you tried to launch the script using the credentials of a user who is a member of the DHCP Administrators group? Please create a user account to test. Make it a member of the DHCP Administrators group and run this script using its credentials.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
March 8th, 2011 7:24pm

Thank you for your reply. I have already added my special account (test1) to the DHCP Administrators AD group, but no success.
March 8th, 2011 7:31pm

So what is the error that you are getting?
March 8th, 2011 7:38pm

Here is a copy/paste of the result.

------------------------
C:\MACFilter>addfilter.bat

C:\MACFilter>psexec \\win2k8r2 "netsh dhcp server v4 add filter deny C8-0A-A9-BE
-E1-30"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Couldn't access win2k8r2:
Access is denied.

C:\MACFilter>
-----------------------
March 8th, 2011 7:46pm

Just to test now: please right-click on CMD and click on Run as, then specify the test user. Once done, execute the netsh command. Is the error the same?
March 8th, 2011 7:58pm

Yes, it shows the same error. I did some research on the internet and found that psexec uses the ADMIN$ administrative share. I tried to open the network & NTFS permissions page to check the permissions, but both buttons are disabled:

win2k8r2-DC / Administrative Tools / Share and Storage Management / Shares / Right-click on ADMIN$ / Permissions.

Both buttons are disabled??!! How can I enable them? Thanks
March 8th, 2011 9:24pm
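
An added example, not part of the thread: psexec installs a service through ADMIN$ and so needs administrator rights on the target, whereas netsh can address a remote DHCP server itself with `netsh dhcp server \\name`. The PowerShell script below uses that form; it assumes the DHCP management tools are installed on the workstation and that the account running it holds DHCP Administrators rights on each server, and the server names are placeholders.

```powershell
# Added example. Server names below are placeholders, not taken from the thread.
param(
    [Parameter(Mandatory = $true)][string]$MacAddress,
    [string]$Comment = 'Blocked by MAC filter script',
    [string[]]$Servers = @('DHCP-SERVER-01', 'DHCP-SERVER-02')
)

function ConvertTo-DhcpMac([string]$Mac) {
    # Strip common separators, then insist on exactly 12 hex digits so that
    # nothing else can reach the netsh command line.
    $hex = ($Mac -replace '[-:.\s]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a valid 48-bit MAC address: '$Mac'"
    }
    # Filter format used in the thread: six hyphen-separated octets
    (($hex -split '(..)') | Where-Object { $_ }) -join '-'
}

$mac = ConvertTo-DhcpMac $MacAddress
# Keep quotes and line breaks out of the comment argument
$Comment = $Comment -replace '["\r\n]', ''

$results = foreach ($server in $Servers) {
    # "\\$server" makes netsh talk to the remote DHCP service directly,
    # so no remote process is created and ADMIN$ is not used.
    $output = & netsh dhcp server "\\$server" v4 add filter deny $mac $Comment 2>&1
    New-Object PSObject -Property @{
        Server    = $server
        Mac       = $mac
        Succeeded = ($LASTEXITCODE -eq 0)
        Output    = ($output | Out-String).Trim()   # kept for review and audit
    }
}

$results | Format-Table Server, Mac, Succeeded -AutoSize

# Report every server where the filter was not added and signal failure
$failed = @($results | Where-Object { -not $_.Succeeded })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning "$($_.Server): $($_.Output)" }
    exit 1
}
```

Rejecting anything that is not a 12-digit hex MAC matters here because the value is passed to a command that runs with DHCP administration rights on every server.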

Hi everyone, has anyone encountered this same situation: updating the filter DB of many 2k8r2 DHCP servers using the netsh command as shown above? Thanks
March 14th, 2011 5:52pm

Why not use the allow filter instead of the deny? This works proactively. If they want a machine logging into the network, it must pass IT, and you have the time to allow it on all DHCP servers before returning the machine. At our site an unknown/new network device must pass IT before getting on the network so we can check if it is OK (antivirus etc.).
September 28th, 2011 2:27am

I am in agreement with julekekrapuleke's suggestion. However, such decisions depend on company mgmt's sole discretion. BTW, check out "DHCP Server Callout DLL"; this may help you!

http://www.petri.co.il/filter-mac-address-windows-server-2008-dhcp-server-callout-dll.htm

Thanks, Santosh (MCTS W2K8 AD and SCCM) To Infinity and Beyond
September 28th, 2011 2:52am

This topic is archived. No further replies will be accepted.
