Assuming you are using NT's DHCP server, many people seem to forget that
you can define static leases, thereby assigning an IP address to a MAC
address, permanently. This has the advantage of giving you a known IP
address for a specific person (which you can then build ACLs on), while
still giving you the dynamic capabilities of DHCP for all other
information (i.e. scope parameters).
The vast majority of users in a DHCP environment do not actually need to
have dynamic IP addresses, but instead, you do it more to avoid having
to go to machines to configure, or reconfigure, options. Using static
leases still gives you these benefits, as there is nothing you need to
do at the client to configure a static lease.
For those machines that *seem to* need a dynamic address (i.e. laptops
that move from site to site), you can still assign static leases for
them in multiple scopes (i.e. they can have a static lease in each
site's DHCP server).
The machines that move will make your ACLs a bit more complicated as you
will have to have multiple IP addresses for each of these people on each
ACL you create, and for those you might have to maintain a list of all
of their IP addresses in the various subnets.
If you don't have sufficient IP addresses in each subnet to do this,
then considering putting a NAT in place to allow you to use RFC 1918 to
renumber your network. Since your machines are numbered using DHCP,
implementing RFC 1918 is much easier than without DHCP (I'm not
suggesting its easy to make all the modifications to all of your
routers, but its easier than if you didn't have DHCP).
There is no reason, in this environment, to have dynamically assigned IP
addresses, but if you want to have some anyway, just group them together
in each subnet and apply rules to them as if they are one machine (using
the range of addresses rather than a single address). I would suggest
you treat them like guest machines, restricting their access drastically
to the most basic services you might give your least trusted users. This
way you can still go out and do a new installation, receive a dynamic IP
address, and do basic installation checking. Once that's done, you
modify your DHCP database to include the new MAC address as a static
lease, release the dynamic lease, and have the client either reboot or
do a renew on their DHCP lease. You can still set expirations on static
leases, so you can have scope information automatically updated on
clients at regular intervals even though they're using static leases.
As Chris pointed out, Catapult from Microsoft is based on the user ID,
which has both pros and cons associated with it...pro means you don't
have to worry about IP addresses in ACLs on the Catapult server, ...cons
means someone can grant permission to someone else by giving them their
user ID and password (if they are using a piece of software that doesn't
understand NT Challenge/Response).
When LDAP support comes out in MSX 4.1, there may be a way to translate
user ID to IP address for a variety of authentication services.
...eek, quick, someone give me some broken software, I'm suffering beta