How to Monitor Non-AD Joined Devices via Windows DHCP Server Logs and PowerShell

In enterprise environments, tracking unauthorized devices is critical for network security. While 802.1X provides robust authentication, many organizations need interim solutions to identify non-domain joined devices obtaining DHCP leases. The Windows DHCP server logs contain this information, but extracting it programmatically requires careful parsing.

We'll leverage PowerShell to:

  • Monitor DHCP server logs for new leases (Event ID 10)
  • Compare client hostnames against Active Directory
  • Generate alerts for unknown devices

Here's a complete PowerShell solution that runs as a scheduled task:


# DHCP Non-AD Device Monitor
Import-Module ActiveDirectory   # provides Get-ADComputer (RSAT AD PowerShell module)

$SMTPServer = "mail.yourdomain.com"
$EmailFrom = "dhcp-monitor@yourdomain.com"
$EmailTo = "admin@yourdomain.com"
$EventAge = (Get-Date).AddMinutes(-5) # Check last 5 minutes of events

$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DHCP Server Audit/Operational'
    ID = 10
    StartTime = $EventAge
} -ErrorAction SilentlyContinue

$NonADDevices = @()

foreach ($Event in $Events) {
    $Xml = [xml]$Event.ToXml()
    $Hostname = ($Xml.Event.EventData.Data | Where-Object {$_.Name -eq "HostName"}).'#text'

    if (-not [string]::IsNullOrEmpty($Hostname)) {
        try {
            # Get-ADComputer throws when no such computer object exists; that is the "unknown device" signal.
            # Note: the catch also fires when AD itself is unreachable, so check connectivity before trusting a burst of hits.
            $null = Get-ADComputer -Identity $Hostname -ErrorAction Stop
        }
        catch {
            $NonADDevices += $Hostname
        }
    }
}

if ($NonADDevices.Count -gt 0) {
    $Subject = "ALERT: Non-AD devices detected on network"
    $Body = "The following non-domain joined devices received DHCP leases:`n`n"
    $Body += ($NonADDevices -join "`n")

    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $Subject -Body $Body -SmtpServer $SMTPServer

    # Write-EventLog fails unless the source has been registered once (needs elevation the first time)
    if (-not [System.Diagnostics.EventLog]::SourceExists("DHCP Monitor")) {
        New-EventLog -LogName "Application" -Source "DHCP Monitor"
    }
    Write-EventLog -LogName "Application" -Source "DHCP Monitor" -EntryType Warning -EventId 1001 -Message "Non-AD devices detected: $($NonADDevices -join ', ')"
}

For production use, consider these enhancements:

  • Run as a scheduled task every 5-10 minutes
  • Add error handling for DHCP server availability
  • Implement logging of all detection events
  • Consider rate limiting for alert emails

For environments with SIEM solutions:

  • Forward DHCP logs to Splunk/ELK
  • Create correlation searches for Event ID 10
  • Integrate with AD lookups via LDAP queries

This script is optimized for:

  • Minimal AD queries (only for non-cached hostnames)
  • Short event polling windows
  • Batch alerting to reduce email volume
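The script above queries AD once per lease event and does no caching, so the "only for non-cached hostnames" claim is not yet implemented. The following added example (written for this page, not code from the original article) parses the DHCP audit log file that `Set-DhcpServerAuditLog` writes under `C:\Windows\System32\dhcp\` (DhcpSrvLog-*.log, where ID 10 is a new lease and ID 11 a renewal), normalizes the reported hostname to the short AD computer name, and looks each distinct name up once through an injectable resolver backed by a hashtable cache. The sample log lines and the stub resolver are constructed so the block runs without a DHCP server or AD; the `ConvertFrom-DhcpAuditLog`, `Get-ShortHostName` and `Find-NonAdLeases` function names are this example's own.

```powershell
# Added example: parse the DHCP audit log, normalize hostnames, cache AD lookups.
# Assumed CSV layout of DhcpSrvLog-*.log: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...

function ConvertFrom-DhcpAuditLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($Line in $Lines) {
        # Data rows start with a numeric ID; the banner text and header row do not
        if ($Line -notmatch '^\d+,') { continue }
        $Fields = $Line.Split(',')
        if ($Fields.Count -lt 7) { continue }
        [pscustomobject]@{
            Id        = [int]$Fields[0]
            Date      = $Fields[1]
            Time      = $Fields[2]
            IPAddress = $Fields[4]
            HostName  = $Fields[5]
            MAC       = $Fields[6]
        }
    }
}

function Get-ShortHostName {
    param([string]$Name)
    # Clients often report an FQDN, sometimes with a trailing dot; AD's computer Name is the short label
    $Short = ($Name -replace '\.$', '').Split('.')[0]
    return $Short.ToUpperInvariant()
}

function Find-NonAdLeases {
    param(
        [object[]]$Events,
        [scriptblock]$Resolver,     # returns $true when the short name exists in AD
        [hashtable]$Cache = @{}     # short name -> $true/$false, reusable across runs
    )
    $Events | Where-Object { ($_.Id -in 10, 11) -and $_.HostName } | ForEach-Object {
        $Short = Get-ShortHostName $_.HostName
        if (-not $Cache.ContainsKey($Short)) {
            # One AD query per distinct hostname, not one per lease event
            $Cache[$Short] = [bool](& $Resolver $Short)
        }
        if (-not $Cache[$Short]) { $_ }
    }
}

# Production resolver (hypothetical name): escape the single quote, then query AD
$AdResolver = {
    param($Short)
    $Safe = $Short -replace "'", "''"
    $null -ne (Get-ADComputer -Filter "Name -eq '$Safe'" -ErrorAction SilentlyContinue)
}

# Constructed sample lines in the DhcpSrvLog layout (not real lease data)
$SampleLog = @(
    'ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.'
    '10,01/15/24,08:00:01,Assign,10.0.0.20,WS-FINANCE-01.corp.example.,0011223344AA,,0,0,,,,,,,,,'
    '11,01/15/24,08:00:05,Renew,10.0.0.21,WS-FINANCE-01.corp.example.,0011223344AA,,0,0,,,,,,,,,'
    '10,01/15/24,08:01:10,Assign,10.0.0.55,android-7f3a,AABBCCDDEEFF,,0,0,,,,,,,,,'
    '24,01/15/24,08:02:00,Database Cleanup Begin,,,,,0,0,,,,,,,,,'
)

# Offline run with a stub resolver that knows only one managed host
$StubResolver = { param($Short) $Short -eq 'WS-FINANCE-01' }
$Cache = @{}
$Unknown = Find-NonAdLeases -Events (ConvertFrom-DhcpAuditLog $SampleLog) -Resolver $StubResolver -Cache $Cache
$Unknown | Format-Table Id, IPAddress, HostName, MAC
# Expected: a single row for 10.0.0.55 / android-7f3a. $Cache now holds two entries,
# so the renewal (ID 11) for WS-FINANCE-01 cost no second lookup.

# On a DHCP server, swap in the real log and resolver:
# Find-NonAdLeases -Events (ConvertFrom-DhcpAuditLog (Get-Content 'C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log')) -Resolver $AdResolver -Cache $Cache
```

Keeping `$Cache` in a variable the scheduled task reloads (or serializing it to disk between runs) is what makes the AD query count scale with the number of distinct devices rather than with lease churn; the injectable resolver also lets you unit-test the detection logic on a workstation with no domain access.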

In enterprise networks, visibility into non-domain joined devices obtaining DHCP leases is crucial for security monitoring when 802.1X isn't immediately implementable. The Windows DHCP server lacks native functionality to distinguish between domain-joined and non-domain devices during lease assignments.

We'll leverage PowerShell to create a real-time monitoring solution that:

  • Triggers on DHCP lease events (Event ID 10)
  • Validates device hostnames against AD
  • Generates alerts for unmanaged devices

# Required DHCP Server Audit Logging
Set-DhcpServerAuditLog -Enable $true -Path C:\Windows\System32\dhcp\

Create a scheduled task that runs this script continuously:


# DHCP Non-Domain Device Alert Script
Import-Module ActiveDirectory

# Structured event-log query for lease events (Event ID 10) on the DHCP operational channel
$Query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DHCP Server Events/Operational">
    <Select Path="Microsoft-Windows-DHCP Server Events/Operational">
      *[System[EventID=10]]
    </Select>
  </Query>
</QueryList>
"@

# Register the custom event source once; Write-EventLog fails if it is missing
if (-not [System.Diagnostics.EventLog]::SourceExists("DHCP Monitor")) {
    New-EventLog -LogName "Application" -Source "DHCP Monitor"
}

$Action = {
    # Register-ObjectEvent exposes the EventRecordWritten arguments as $EventArgs
    $Record = $EventArgs.EventRecord
    if ($null -eq $Record) { return }   # EventRecord is null when the watcher reports an error
    $EventXML = [xml]$Record.ToXml()
    $Hostname = $EventXML.Event.EventData.Data |
                Where-Object {$_.Name -eq "HostName"} |
                Select-Object -ExpandProperty "#text"

    # Double any single quote so the hostname cannot break the LDAP filter string
    $Safe = $Hostname -replace "'", "''"
    if ($Hostname -and -not (Get-ADComputer -Filter "Name -eq '$Safe'" -ErrorAction SilentlyContinue)) {
        $LeaseIP = $EventXML.Event.EventData.Data |
                   Where-Object {$_.Name -eq "IPAddress"} |
                   Select-Object -ExpandProperty "#text"

        # Send email alert (splatted so the call is one statement)
        $Mail = @{
            To         = "security@domain.com"
            From       = "dhcp_monitor@domain.com"
            Subject    = "Non-domain device detected: $Hostname"
            Body       = "Device $Hostname ($LeaseIP) obtained DHCP lease without AD registration"
            SmtpServer = "mail.domain.com"
        }
        Send-MailMessage @Mail

        # Optional: log to the Application event log
        Write-EventLog -LogName "Application" -Source "DHCP Monitor" `
                       -EntryType Warning -EventId 1001 `
                       -Message "Non-domain device $Hostname obtained IP $LeaseIP"
    }
}

# Subscribe to matching events as they are written. Register-WmiEvent takes a WQL query, not an
# event-log XPath/QueryList, so the subscription goes through EventLogWatcher instead.
$Channel  = "Microsoft-Windows-DHCP Server Events/Operational"
$PathType = [System.Diagnostics.Eventing.Reader.PathType]::LogName
$LogQuery = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery($Channel, $PathType, $Query)
$Watcher  = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($LogQuery)
Register-ObjectEvent -InputObject $Watcher -EventName EventRecordWritten -SourceIdentifier "DHCPLeaseMonitor" -Action $Action | Out-Null
$Watcher.Enabled = $true

# Keep the process alive so the action keeps firing; the scheduled task runs this indefinitely
while ($true) { Wait-Event -Timeout 60 | Out-Null }

For environments with frequent lease events, consider periodic exports:


# Daily lease export and analysis
Import-Module ActiveDirectory, DhcpServer
$DHCPServer = "dhcp01.yourdomain.com"   # placeholder: DHCP server to query
$ScopeID    = "10.0.0.0"                # placeholder: scope to export
$ReportDir  = "C:\DHCPReports"
if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

$Leases = Get-DhcpServerv4Lease -ComputerName $DHCPServer -ScopeId $ScopeID
$NonDomainDevices = $Leases | ForEach-Object {
    # Leases may carry an FQDN with a trailing dot; AD holds the short name. Double any quote for the filter.
    $Short = (($_.HostName -replace '\.$', '').Split('.')[0]) -replace "'", "''"
    if ($Short -and -not (Get-ADComputer -Filter "Name -eq '$Short'" -ErrorAction SilentlyContinue)) {
        $_
    }
}

$NonDomainDevices | Select-Object IPAddress, HostName, ClientId, AddressState, LeaseExpiryTime |
    Export-Csv -Path "$ReportDir\NonDomainDevices_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Performance notes for the export approach:

  • Add throttling logic if processing many events
  • Consider implementing a cache for recently checked devices
  • For large AD environments, use the -Properties parameter with Get-ADComputer to minimize LDAP queries
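Both halves of this page mention rate limiting alert emails and caching recently checked devices, but neither script carries state between runs, so a device that renews its lease every few minutes would generate an alert on every pass. The following added example (written for this page, not the article's own code) keeps a hostname-to-last-alert-time map in a JSON file, suppresses repeat alerts inside a 24-hour window, deduplicates the current batch, and sends one message per run through an injectable sink. The state file path, the window length, and the function names (`Get-AlertState`, `Save-AlertState`, `Select-NewAlerts`, `Send-BatchedAlert`) are this example's assumptions; the demonstration data is constructed.

```powershell
# Added example: persistent alert suppression and batched notification for DHCP lease detections.

function Get-AlertState {
    param([string]$Path)
    $State = @{}
    if (Test-Path $Path) {
        # ConvertFrom-Json yields a PSCustomObject; copy its properties into a hashtable of datetimes
        (Get-Content $Path -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object {
            $State[$_.Name] = [datetime]$_.Value
        }
    }
    return $State
}

function Save-AlertState {
    param([hashtable]$State, [string]$Path)
    # Store round-trip ('o') timestamps so the file parses identically on Windows PowerShell and PowerShell 7
    $Out = @{}
    foreach ($K in $State.Keys) { $Out[$K] = ([datetime]$State[$K]).ToString('o') }
    $Out | ConvertTo-Json | Set-Content -Path $Path
}

function Select-NewAlerts {
    param(
        [string[]]$Hosts,              # short hostnames detected this run (may contain repeats)
        [hashtable]$State,             # hostname -> last alert time; updated in place
        [datetime]$Now = (Get-Date),
        [int]$WindowHours = 24
    )
    $Fresh = foreach ($H in ($Hosts | Sort-Object -Unique)) {
        $Last = $State[$H]
        if ($null -eq $Last -or ($Now - $Last).TotalHours -ge $WindowHours) {
            $State[$H] = $Now
            $H
        }
    }
    return @($Fresh)
}

function Send-BatchedAlert {
    param([string[]]$Hosts, [scriptblock]$Sink)
    if ($Hosts.Count -eq 0) { return }
    # One message per run rather than one per device (the batch alerting point above)
    $Body = "The following non-domain joined devices received DHCP leases:`n`n" + ($Hosts -join "`n")
    & $Sink "ALERT: $($Hosts.Count) non-AD device(s) detected" $Body
}

# --- Offline demonstration with constructed data ---
$Now      = Get-Date '2024-01-15 09:00'
$State    = @{ 'ANDROID-7F3A' = $Now.AddHours(-2); 'PRINTER-OLD' = $Now.AddHours(-30) }
$Detected = 'ANDROID-7F3A', 'PRINTER-OLD', 'IPHONE-XYZ', 'IPHONE-XYZ'
$ToAlert  = Select-NewAlerts -Hosts $Detected -State $State -Now $Now
# Expected $ToAlert: IPHONE-XYZ (never alerted, listed once) and PRINTER-OLD (last alert 30 h ago);
# ANDROID-7F3A was alerted 2 h ago and is suppressed.
Send-BatchedAlert -Hosts $ToAlert -Sink { param($Subject, $Body) Write-Host "$Subject`n$Body" }

# Production wiring around either script on this page (hypothetical path):
# $State   = Get-AlertState 'C:\DHCPReports\alert-state.json'
# $ToAlert = Select-NewAlerts -Hosts $NonADDevices -State $State
# Send-BatchedAlert -Hosts $ToAlert -Sink { param($S, $B) Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $S -Body $B -SmtpServer $SMTPServer }
# Save-AlertState -State $State -Path 'C:\DHCPReports\alert-state.json'
```

Because the suppression window is keyed on the normalized hostname rather than the IP address, a rogue device that hops between scopes still produces only one alert per window, while the event-log entry written by the main scripts still records every individual lease for later forensics.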

The script can be extended to:

  • Create tickets via ITSM API
  • Trigger network quarantine actions
  • Update CMDB systems
  • Integrate with SIEM solutions