How to Monitor Non-AD Joined Devices via Windows DHCP Server Logs and PowerShell


In enterprise environments, tracking unauthorized devices is critical for network security. While 802.1X provides robust authentication, many organizations need interim solutions to identify non-domain joined devices obtaining DHCP leases. The Windows DHCP server logs contain this information, but extracting it programmatically requires careful parsing.

We'll leverage PowerShell to:

  • Monitor DHCP server logs for new leases (Event ID 10)
  • Compare client hostnames against Active Directory
  • Generate alerts for unknown devices

Here's a complete PowerShell solution that runs as a scheduled task:


# DHCP Non-AD Device Monitor
# The channel name below is as given in this post; confirm it exists on the DHCP server
# with Get-WinEvent -ListLog *Dhcp* before scheduling the task.
Import-Module ActiveDirectory

$SMTPServer = "mail.yourdomain.com"
$EmailFrom = "dhcp-monitor@yourdomain.com"
$EmailTo = "admin@yourdomain.com"
$EventAge = (Get-Date).AddMinutes(-5) # Check last 5 minutes of events

$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DHCP Server Audit/Operational'
    ID = 10
    StartTime = $EventAge
} -ErrorAction SilentlyContinue

$NonADDevices = @()

foreach ($Event in $Events) {
    $Xml = [xml]$Event.ToXml()
    $Hostname = ($Xml.Event.EventData.Data | Where-Object {$_.Name -eq "HostName"}).'#text'

    if (-not [string]::IsNullOrEmpty($Hostname)) {
        # Clients often report their FQDN; AD computer objects are named by the short host name
        $ShortName = ($Hostname -split '\.')[0]
        try {
            $null = Get-ADComputer -Identity $ShortName -ErrorAction Stop
        }
        catch {
            $NonADDevices += $Hostname
        }
    }
}

# One entry per host even when a client obtained several leases in the window
$NonADDevices = @($NonADDevices | Sort-Object -Unique)

if ($NonADDevices.Count -gt 0) {
    $Subject = "ALERT: Non-AD devices detected on network"
    $Body = "The following non-domain joined devices received DHCP leases:`n`n"
    $Body += ($NonADDevices -join "`n")

    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $Subject -Body $Body -SmtpServer $SMTPServer
    # Write-EventLog fails unless the source has been registered once (needs an elevated session)
    if (-not [System.Diagnostics.EventLog]::SourceExists("DHCP Monitor")) {
        New-EventLog -LogName "Application" -Source "DHCP Monitor"
    }
    Write-EventLog -LogName "Application" -Source "DHCP Monitor" -EntryType Warning -EventId 1001 -Message "Non-AD devices detected: $($NonADDevices -join ', ')"
}

For production use, consider these enhancements:

  • Run as a scheduled task every 5-10 minutes
  • Add error handling for DHCP server availability
  • Implement logging of all detection events
  • Consider rate limiting for alert emails

For environments with SIEM solutions:

  • Forward DHCP logs to Splunk/ELK
  • Create correlation searches for Event ID 10
  • Integrate with AD lookups via LDAP queries

This script is optimized for:

  • Minimal AD queries (one lookup per hostname seen in the polling window; add a cache to avoid repeating lookups across runs)
  • Short event polling windows
  • Batch alerting to reduce email volume

In enterprise networks, visibility into non-domain joined devices obtaining DHCP leases is crucial for security monitoring when 802.1X is not yet in place. The Windows DHCP server has no native way to distinguish domain-joined from non-domain devices when it assigns a lease.

A second, event-driven approach uses PowerShell to build a real-time monitor that:

  • Triggers on DHCP lease events (Event ID 10)
  • Validates device hostnames against AD
  • Generates alerts for unmanaged devices

# Required DHCP Server Audit Logging
Set-DhcpServerAuditLog -Enable $true -Path C:\Windows\System32\dhcp\
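Set-DhcpServerAuditLog turns on the text audit log (DhcpSrvLog-&lt;Day&gt;.log under that path), and the ID 10 lease records that the scripts on this page look for are written there as comma-separated lines, one per lease. As an added example, not code from the original post, the following parser reads those records, validates each host name before it is used in any lookup, and flags leases whose short host name is missing, malformed, or unknown. The sample log text, the host names and addresses in it, and the in-memory list that stands in for Get-ADComputer are all constructed for the demo.

```powershell
# Added example (not from the original post): parse the DHCP server audit log that
# Set-DhcpServerAuditLog writes (DhcpSrvLog-<Day>.log) and flag ID 10 (new lease)
# records whose host name is missing or not a known computer account.

# Constructed sample of an audit log: the real file starts with a text header,
# then one comma-separated record per event. Names and addresses are made up.
$SampleLog = @'
                Microsoft DHCP Service Activity Log

Event ID  Meaning
10        A new IP address was leased to a client.
11        A lease was renewed by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
24,05/13/24,00:00:02,Database Cleanup Begin,,,,,0,6,,,,,,,,,
10,05/13/24,08:15:22,Assign,10.0.1.57,PC-ACCT-01.corp.example.com,A1B2C3D4E5F6,,1234567,0,,,,,,,,,
10,05/13/24,08:16:40,Assign,10.0.1.58,iphone-guest,0011AABBCCDD,,1234568,0,,,,,,,,,
11,05/13/24,08:17:05,Renew,10.0.1.57,PC-ACCT-01.corp.example.com,A1B2C3D4E5F6,,1234569,0,,,,,,,,,
10,05/13/24,08:20:11,Assign,10.0.1.59,,DEADBEEF0001,,1234570,0,,,,,,,,,
10,05/13/24,08:21:30,Assign,10.0.1.58,iphone-guest,0011AABBCCDD,,1234571,0,,,,,,,,,
10,05/13/24,08:25:02,Assign,10.0.1.60,odd'name,00AA00BB00CC,,1234572,0,,,,,,,,,
'@

function Get-DhcpAuditLeaseEvent {
    # Returns one object per ID 10 record in the given log lines.
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        # Records start with the numeric event ID; header and blank lines do not
        if ($l -notmatch '^\d+,') { continue }
        $f = $l -split ','
        if ($f[0] -ne '10') { continue }
        [pscustomobject]@{
            Date       = $f[1]
            Time       = $f[2]
            IPAddress  = $f[4]
            HostName   = $f[5]
            MacAddress = $f[6].ToUpper()
        }
    }
}

function Find-NonDomainLease {
    # Flags one lease per MAC address whose short host name is absent, malformed,
    # or not known to the lookup. $IsKnown receives the short name and returns a bool;
    # the regex guard runs first so only plain host names ever reach an AD filter.
    param(
        [Parameter(Mandatory)][object[]]$Lease,
        [Parameter(Mandatory)][scriptblock]$IsKnown
    )
    $Seen = @{}
    foreach ($e in $Lease) {
        if ($Seen.ContainsKey($e.MacAddress)) { continue }   # one finding per device
        $Seen[$e.MacAddress] = $true
        $Short = ($e.HostName -split '\.')[0]
        if ([string]::IsNullOrWhiteSpace($Short)) {
            $Reason = 'no host name in lease'
        } elseif ($Short -notmatch '^[A-Za-z0-9-]{1,63}$') {
            $Reason = 'host name contains unexpected characters'
        } elseif (-not (& $IsKnown $Short)) {
            $Reason = 'host name not found in AD'
        } else {
            continue
        }
        [pscustomobject]@{
            HostName   = $e.HostName
            IPAddress  = $e.IPAddress
            MacAddress = $e.MacAddress
            Reason     = $Reason
        }
    }
}

# Offline demo: an in-memory list stands in for the AD lookup
$KnownComputers = @('PC-ACCT-01', 'PC-HR-02')
$Events   = Get-DhcpAuditLeaseEvent -Line ($SampleLog -split "`r?`n")
$Findings = Find-NonDomainLease -Lease $Events -IsKnown { $KnownComputers -contains $args[0] }
$Findings | Format-Table -AutoSize
```

To run it against the live log, replace the sample with `Get-Content "C:\Windows\System32\dhcp\DhcpSrvLog-$((Get-Date).ToString('ddd', [cultureinfo]::InvariantCulture)).log"` (the server names the files by English day abbreviation, Mon through Sun) and pass `-IsKnown { [bool](Get-ADComputer -Filter "Name -eq '$($args[0])'" -ErrorAction SilentlyContinue) }`. The regex guard in Find-NonDomainLease is what makes that interpolated filter safe to use: a host name that a client chose to fill with quotes or filter syntax is reported as a finding instead of being sent to AD.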

Create a scheduled task that runs this script continuously:


# DHCP Non-Domain Device Alert Script
# Register-WmiEvent takes a WQL query, not an event-log XPath, so the subscription is
# made with an EventLogWatcher instead. The channel name is as given in this post;
# confirm it with Get-WinEvent -ListLog *Dhcp*.
Import-Module ActiveDirectory

$LogName = 'Microsoft-Windows-DHCP Server Events/Operational'
$Query = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
    $LogName,
    [System.Diagnostics.Eventing.Reader.PathType]::LogName,
    '*[System[EventID=10]]')
$Watcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new($Query)

$Action = {
    # EventRecord is $null when the watcher reports an error instead of a record
    $Record = $EventArgs.EventRecord
    if (-not $Record) { return }
    $EventXML = [xml]$Record.ToXml()
    $Hostname = $EventXML.Event.EventData.Data |
                Where-Object {$_.Name -eq "HostName"} |
                Select-Object -ExpandProperty "#text"
    if (-not $Hostname) { return }

    # Compare the short name; clients frequently report an FQDN. A name that is not a
    # plain host name is never sent to AD and is treated as unknown.
    $ShortName = ($Hostname -split '\.')[0]
    $InAD = ($ShortName -match '^[A-Za-z0-9-]{1,63}$') -and
            [bool](Get-ADComputer -Filter {Name -eq $ShortName} -ErrorAction SilentlyContinue)

    if (-not $InAD) {
        $LeaseIP = $EventXML.Event.EventData.Data |
                   Where-Object {$_.Name -eq "IPAddress"} |
                   Select-Object -ExpandProperty "#text"

        # Send email alert
        $Mail = @{
            To         = "security@domain.com"
            From       = "dhcp_monitor@domain.com"
            Subject    = "Non-domain device detected: $Hostname"
            Body       = "Device $Hostname ($LeaseIP) obtained DHCP lease without AD registration"
            SmtpServer = "mail.domain.com"
        }
        Send-MailMessage @Mail

        # Optional: Log to custom event log
        if (-not [System.Diagnostics.EventLog]::SourceExists("DHCP Monitor")) {
            New-EventLog -LogName "Application" -Source "DHCP Monitor"
        }
        Write-EventLog -LogName "Application" -Source "DHCP Monitor" `
                       -EntryType Warning -EventId 1001 `
                       -Message "Non-domain device $Hostname obtained IP $LeaseIP"
    }
}

Register-ObjectEvent -InputObject $Watcher -EventName EventRecordWritten -SourceIdentifier "DHCPLeaseMonitor" -Action $Action
# Start delivering events; the session must stay open (the scheduled task keeps powershell.exe running)
$Watcher.Enabled = $true

For environments with frequent lease events, consider periodic exports:


# Daily lease export and analysis
Import-Module ActiveDirectory
$DHCPServer = "dhcp01.yourdomain.com"   # placeholder: the DHCP server to query
$ScopeID    = "10.0.1.0"                # placeholder: the scope to audit

$Leases = Get-DhcpServerv4Lease -ComputerName $DHCPServer -ScopeId $ScopeID
$NonDomainDevices = $Leases | ForEach-Object {
    # Leases without a host name cannot be matched against AD and are reported as well
    $ShortName = ($_.HostName -split '\.')[0]
    if ([string]::IsNullOrWhiteSpace($ShortName) -or
        -not (Get-ADComputer -Filter {Name -eq $ShortName} -ErrorAction SilentlyContinue)) {
        $_
    }
}

New-Item -ItemType Directory -Path "C:\DHCPReports" -Force | Out-Null
$NonDomainDevices | Export-Csv -NoTypeInformation -Path "C:\DHCPReports\NonDomainDevices_$(Get-Date -Format yyyyMMdd).csv"

Considerations for this approach:

  • Add throttling logic if processing many events
  • Consider implementing a cache for recently checked devices
  • For large AD environments, keep each Get-ADComputer call cheap: request only the attributes you need (avoid -Properties *) and cache results so each hostname costs at most one LDAP query
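Two of the enhancements listed on this page, a cache for recently checked devices and rate limiting of alert mail, shown together as an added example that is not code from the original post. The 30-minute cache TTL, the 4-hour alert window, the lookup scriptblock interface and the counting stand-in for Get-ADComputer are assumptions made for the demo; in production the lookup is the Get-ADComputer call given in the comment.

```powershell
# Added example (not from the original post): a TTL cache around the AD lookup and a
# per-device alert throttle, so repeated lease events for the same host neither
# re-query AD nor re-send mail within the configured window.

$script:LookupCache = @{}   # short name (upper case) -> @{ Known = bool; Expires = datetime }
$script:LastAlerted = @{}   # MAC address -> time of the last alert sent for it

function Test-KnownComputer {
    # Returns whether $Name is a known computer, consulting $Lookup at most once per TTL.
    # Production lookup: { [bool](Get-ADComputer -Filter "Name -eq '$($args[0])'" -ErrorAction SilentlyContinue) }
    # (validate $Name against ^[A-Za-z0-9-]{1,63}$ before it reaches an interpolated filter).
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][scriptblock]$Lookup,
        [timespan]$Ttl = [timespan]::FromMinutes(30),
        [datetime]$Now = (Get-Date)   # injectable so the demo can move the clock
    )
    $key = $Name.ToUpperInvariant()
    $hit = $script:LookupCache[$key]
    if ($hit -and $hit.Expires -gt $Now) { return $hit.Known }
    $known = [bool](& $Lookup $Name)
    # Negative results are cached too: an unknown device renewing every few minutes
    # would otherwise hit AD on every event
    $script:LookupCache[$key] = @{ Known = $known; Expires = $Now.Add($Ttl) }
    return $known
}

function Test-AlertAllowed {
    # Returns $true at most once per $Window for each MAC address.
    param(
        [Parameter(Mandatory)][string]$Mac,
        [timespan]$Window = [timespan]::FromHours(4),
        [datetime]$Now = (Get-Date)
    )
    $last = $script:LastAlerted[$Mac]
    if ($last -and ($Now - $last) -lt $Window) { return $false }
    $script:LastAlerted[$Mac] = $Now
    return $true
}

# Offline demo: a counting stand-in replaces Get-ADComputer
$script:AdQueries = 0
$Lookup = { $script:AdQueries++; @('PC-ACCT-01') -contains $args[0] }
$t0 = [datetime]'2024-05-13T08:00:00'
Test-KnownComputer -Name 'pc-acct-01'   -Lookup $Lookup -Now $t0                  # first sight: one lookup
Test-KnownComputer -Name 'PC-ACCT-01'   -Lookup $Lookup -Now $t0.AddMinutes(5)    # served from cache
Test-KnownComputer -Name 'iphone-guest' -Lookup $Lookup -Now $t0                  # unknown host, cached as such
Test-KnownComputer -Name 'iphone-guest' -Lookup $Lookup -Now $t0.AddMinutes(45)   # TTL expired: looked up again
"Lookups made: $($script:AdQueries)"
Test-AlertAllowed -Mac '0011AABBCCDD' -Now $t0                                    # first alert for this MAC
Test-AlertAllowed -Mac '0011AABBCCDD' -Now $t0.AddMinutes(30)                     # inside the window: suppressed
```

In the event-driven script, replace the direct Get-ADComputer call with Test-KnownComputer and wrap Send-MailMessage in `if (Test-AlertAllowed -Mac $Mac)`, keyed on the device's MAC address where the event supplies one (the audit log record always does) and on the host name otherwise. Because the cache and throttle tables live in script scope, they persist only while the monitoring session runs; a scheduled task that restarts every few minutes starts with empty tables each time.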

The script can be extended to:

  • Create tickets via ITSM API
  • Trigger network quarantine actions
  • Update CMDB systems
  • Integrate with SIEM solutions