Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Sunday, July 14, 2019 2:18 PM
We have two groups called "DHCP Administrators":
1. Domain Group
2. local Group
To my understanding, correct me if I'm wrong:
1. The domain group can automatically gain permissions to all DHCP Servers in the domain.
2. The local group has permissions on the local server itself.
3. There is no option to delegate DHCP permissions like with other AD Objects
I have found that even if a user is not a member of the Domain and local DHCP Administrators group, as long as the user is a local admin on the server, he can do whatever he wants with DHCP. Am I correct? If so, what is the purpose of the local DHCP Administrators group?
All replies (1)
Monday, July 15, 2019 12:35 AM
It happen few times that the DHCP groups are not created automatically and you may have to create it manually using a netsh command
Netsh DHCP add securitygroups
This may cause the issue you have.
Theorically, the DHCP Administrators group will give the rights to be the "Admin" of the DHCP service. This gives you all rights on the DHCP Server. Of course, if you are member of the Administrators group, you already have the right. But the group is another option to allow Admin rights on the DHCP server without giving administrators rights.
Keep in mind that several customers still configure their DHCP servers on a Domain Controller. In that case, the DHCP Administrators group is a better idea than giving the Domain Admins rights.
Another thing, in a Active Directory domain, only a user that is member of "Enterprise Admins" group can authorize a DHCP Server. Being part of the DHCP Administrators will not gives you this right. The Reason is because the DHCP server is Added to the Configuration Partition "CN=NetServices,CN=Services,CN=Configuration,DC=Contoso,DC=com"
hth
This posting is provided AS IS without warranty of any kind