DHCP groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

DHCP groups

When you install the DHCP Server service, two domain local groups are created: DHCP Users and DHCP Administrators.

DHCP Users

Members of the DHCP Users group have read-only DHCP console access to the server, which allows DHCP Users to view, but not to modify, server data, including DHCP server configuration, registry keys, DHCP log files, and the DHCP database. DHCP Users cannot create scopes, modify option values, create reservations or exclusion ranges, or modify the DHCP server configuration in any other way.

DHCP Administrators

Members of the DHCP Administrators group can view and modify any data at the DHCP server. DHCP Administrators can create and delete scopes, add reservations, change option values, create superscopes, or perform any other activity needed to administer the DHCP server, including export or import of the DHCP server configuration and database. DHCP Administrators perform these tasks using the Netsh commands for DHCP or the DHCP console. For more information, see DHCP tools.

Members of the DHCP Administrators group do not have unlimited administrative rights. For example, if a DHCP server is also configured as a DNS server, a member of the DHCP Administrators group can view and modify the DHCP configuration but cannot modify DNS server configuration on the same computer.

Because members of the DHCP Administrators group have rights on the local computer only, DHCP Administrators cannot authorize or unauthorize DHCP servers in Active Directory. Only members of the Domain Admins group can perform this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must have enterprise administrator credentials for the parent domain. For more information about authorizing DHCP servers in Active Directory, see Authorizing DHCP servers and Authorize a DHCP server in Active Directory.


  • To be logged on as an enterprise administrator, you must log on using a member account in the Enterprise Admins group. By default, this is done by logging on as local administrator at the first domain controller created in your enterprise.

Using groups to administer DHCP servers in a domain

When you add a user or group to a DHCP Users or DHCP Administrators group on a DHCP server, the rights of the DHCP group member do not apply to all of the DHCP servers in the domain. The rights apply only to the DHCP service on the local computer. In order to assign rights to a user or group that apply to all of the DHCP servers in the domain, you can add the user or group to the DHCP Administrators group on each DHCP server in the domain. This approach is practical only on a small network with one or two DHCP servers.

An alternative approach is to add the user or group to the global group called Domain Admins. Members of the Domain Admins group can administer all of the DHCP servers in the domain, however the administrative rights of Domain Admins are not limited to the DHCP service on each DHCP server. Domain Admins have complete administrative rights on all of the computers in the domain. For this reason, it is recommended that you do not add users or groups to the Domain Admins group solely because you want to assign administrative rights for the DHCP service on all of the DHCP servers in the domain.

If you have more than two DHCP servers on your network, you can use the following steps to most effectively add members to a DHCP group:

  1. In the Active Directory Users and Computers console, create a group with universal or global scope. For more information, see Create a new group.

  2. Add users or groups to the new group you created. For more information, see Add a member to a group.

  3. At each DHCP server in the domain, add the new group (that you created in the first step) to either the DHCP Users group or the DHCP Administrators group, depending on the rights and permissions that you want group members to have.

For more information about how to add members to groups and other related tasks, see Manage Server Access.

For more information about groups, see Group scope and Default groups.

For more information about delegating administrative credentials, see Delegate ability to authorize DHCP servers to a non-enterprise administrator.