DHCP: Security Groups (DHCP Administrators and DHCP Users) required for DHCP administration should be created

  • Article

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Dynamic Host Configuration Protocol Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2, Windows Server 2012

Product/Feature

Dynamic Host Configuration Protocol (DHCP)

Severity

Warning

Category

Configuration

Issue

Security Groups (DHCP Administrators and DHCP Users) do not exist for this DHCP server.

Impact

It will not be possible to assign DHCP administration and monitoring privileges to other user accounts on the server.

Resolution

Use the add securitygroups command in Netsh to create the DHCP security groups.

Members of the DHCP Administrators group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able to perform other administrative actions on the server.

Members of the DHCP Users group have read-only access to the DHCP Server service. This allows members to view information and properties stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports.

Both the DHCP Administrators group and DHCP Users group are created automatically when the DHCP server role is installed using Server Manager. If the groups are deleted, you can recreate both groups automatically with the following procedure.

To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To add the DHCP default local security groups

  1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Click Yes if prompted by User Account Control, type netsh dhcp add securitygroups and then press ENTER.

Additional references

For updated detailed IT pro information about DHCP, see the Windows Server 2008 R2 documentation on the Microsoft TechNet Web site.