Role-Based DHCP Administration

Applies To: Windows Server 2008

If you are running the DHCP service on Windows 2000, Windows Server 2003, or Windows Server 2008, groups with the role names described below (DHCP Users and DHCP Administrators) are created as local groups on the member server where DHCP is installed and available. Restrict the membership of these groups to the minimum number of users required to administer the server.

DHCP Users

Members of the DHCP Users group have read-only DHCP console access to the server that allows them to view (but not modify) server data, including DHCP server configuration, registry keys, DHCP log files, and the DHCP database. Members of DHCP Users cannot create scopes, modify option values, create reservations or exclusion ranges, or modify the DHCP server configuration.

DHCP Administrators

Members of the DHCP Administrators group have full control over the DHCP configuration only; they do not have full, unlimited administrative access to the server, which would be the case if the local Administrators group were used instead. Members of DHCP Administrators can view and modify any data on the DHCP server. They can create and delete scopes, add reservations, change option values, create superscopes, or perform any other activity required to administer the DHCP server, including export and import of the DHCP server configuration and database. These tasks can be performed using the Netsh commands for DHCP or the DHCP MMC.

If a DHCP server is also configured as a DNS server, members of the DHCP Administrators group can view and modify the DHCP configuration but cannot modify the DNS server configuration on the same computer. Because members of DHCP Administrators have rights on the local computer only, they cannot authorize or unauthorize DHCP servers in AD DS; only members of the Domain Administrators group can perform this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must have enterprise administrator credentials for the parent domain.
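One way to check the membership restriction recommended above is to compare the members of the two local groups against an approved list. The following PowerShell is an added example, not part of the original documentation. The account names in `$Approved` and the function names are constructed placeholders, and the script uses the WinNT ADSI provider so that it also runs on PowerShell 2.0.

```powershell
# Added example: audits the two local DHCP role groups against an approved list.
# Account names in $Approved are constructed placeholders; replace with your own.
$Approved = @{
    'DHCP Administrators' = @('CONTOSO\dhcp-ops')
    'DHCP Users'          = @('CONTOSO\helpdesk-ro')
}

function Get-GroupMemberName {
    param([string]$Computer, [string]$Group)
    # Bind to the local group through the WinNT provider.
    $adsi = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($adsi.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
        else { $parts[0] }   # unresolved SID, e.g. a deleted account
    }
}

function Test-DhcpRoleGroups {
    param([string]$Computer = $env:COMPUTERNAME, [hashtable]$Allow = $Approved)
    foreach ($group in $Allow.Keys) {
        try { $members = @(Get-GroupMemberName -Computer $Computer -Group $group) }
        catch {
            # Group missing (DHCP role not installed) or access denied.
            New-Object PSObject -Property @{
                Group = $group; Member = $null; Status = "ERROR: $($_.Exception.Message)" }
            continue
        }
        foreach ($name in $members) {
            # -contains is case-insensitive, matching Windows account name semantics.
            $status = if ($Allow[$group] -contains $name) { 'Approved' } else { 'UNEXPECTED' }
            New-Object PSObject -Property @{ Group = $group; Member = $name; Status = $status }
        }
    }
}

Test-DhcpRoleGroups | Sort-Object Group, Member |
    Format-Table Group, Member, Status -AutoSize
```

Any row with a status other than `Approved` is an account that should be reviewed and, if it is not required to administer the server, removed from the group.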