DHCP Administrators RRS feed

  • Question

  • We have two groups called "DHCP Administrators":

    1. Domain Group

    2. local Group

    To my understanding, correct me if I'm wrong:

    1. The domain group can automatically gain permissions to all DHCP Servers in the domain.

    2. The local group has permissions on the local server itself.

    3. There is no option to delegate DHCP permissions like with other AD Objects

    I have found that even if a user is not a member of the Domain and local DHCP Administrators group, as long as the user is a local admin on the server, he can do whatever he wants with DHCP. Am I correct? If so, what is the purpose of the local DHCP Administrators group?

    Sunday, July 14, 2019 2:18 PM

All replies

  • It happen few times that the DHCP groups are not created automatically and you may have to create it manually using a netsh command

    Netsh DHCP add securitygroups

    This may cause the issue you have.

    Theorically, the DHCP Administrators group will give the rights to be the "Admin" of the DHCP service.  This gives you all rights on the DHCP Server.  Of course, if you are member of the Administrators group, you already have the right.  But the group is another option to allow Admin rights on the DHCP server without giving administrators rights.

    Keep in mind that several customers still configure their DHCP servers on a Domain Controller.  In that case, the DHCP Administrators group is a better idea than giving the Domain Admins rights.

    Another thing, in a Active Directory domain, only a user that is member of "Enterprise Admins" group can authorize a DHCP Server.  Being part of the DHCP Administrators will not gives you this right.  The Reason is because the DHCP server is Added to the Configuration Partition "CN=NetServices,CN=Services,CN=Configuration,DC=Contoso,DC=com"


    This posting is provided AS IS without warranty of any kind

    Monday, July 15, 2019 12:35 AM