Managing DHCP Server Access

Applies To: Windows Server 2008

DHCP groups

When you install the DHCP Server service, two domain local groups are created: DHCP Users and DHCP Administrators.

DHCP Users group

Members of the DHCP Users group have read-only DHCP console access to the server, which allows them to view, but not to modify, server data, including DHCP server configuration, registry keys, DHCP log files, and the DHCP database. DHCP Users cannot create scopes, modify option values, create reservations or exclusion ranges, or modify the DHCP server configuration in any other way.

DHCP Administrators group

Members of the DHCP Administrators group can view and modify any data at the DHCP server. DHCP Administrators can create and delete scopes, add reservations, change option values, create superscopes, or perform any other activity required to administer the DHCP server, including export or import of the DHCP server configuration and database. DHCP Administrators perform these tasks using the DHCP console or the Netsh commands for DHCP. For more information, see Managing DHCP from the Command Prompt.

Members of the DHCP Administrators group do not have unlimited administrative rights. For example, if a DHCP server is also configured as a DNS server, a member of the DHCP Administrators group can view and modify the DHCP configuration but cannot modify DNS server configuration on the same computer. For more information about giving groups and users administrative rights, see Using Groups to Administer DHCP Servers in a Domain.

Because members of the DHCP Administrators group have rights on the local computer only, DHCP Administrators cannot authorize or unauthorize DHCP servers in Active Directory Domain Services (AD DS). Only members of the Domain Admins group can perform this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must have enterprise administrator credentials for the parent domain. For more information, see Controlling DHCP Active Directory Authorization.

Note

To log on as an enterprise administrator, you must use a member account in the Enterprise Admins group. You can do this by logging on as local administrator at the first domain controller created in your enterprise.
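Because DHCP Administrators membership grants full control of the DHCP server and DHCP Users membership exposes its configuration, logs and database for reading, both groups are worth reviewing on a schedule. The following script is an added example, not part of the original documentation, that lists members of either group who are not on an approved list. It assumes PowerShell 2.0 or later run on the DHCP server itself; the `EXAMPLE\...` account names and the function names are hypothetical placeholders.

```powershell
# Added example (not from the original page). Requires PowerShell 2.0 or later.
# Constructed allow-list: the account names are placeholders, replace with your own.
$Approved = @{
    'DHCP Administrators' = @('EXAMPLE\dhcp-ops')
    'DHCP Users'          = @('EXAMPLE\helpdesk', 'EXAMPLE\net-monitoring')
}

function Get-GroupMemberName {
    param([string]$Computer, [string]$GroupName)
    # The WinNT ADSI provider enumerates the group as seen on that computer.
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://DOMAIN/name, WinNT://DOMAIN/COMPUTER/name, or WinNT://<SID>
        $parts = ($path -replace '^WinNT://', '').Split('/')
        if ($parts.Length -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
    }
}

function Test-DhcpGroupMembership {
    param([string]$Computer = $env:COMPUTERNAME, [hashtable]$Allowed = $Approved)
    foreach ($groupName in $Allowed.Keys) {
        try {
            $members = @(Get-GroupMemberName -Computer $Computer -GroupName $groupName)
        } catch {
            Write-Warning "Could not read '$groupName' on ${Computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($name in $members) {
            # -contains is case-insensitive, like Windows account name comparison
            New-Object PSObject -Property @{
                Computer = $Computer
                Group    = $groupName
                Member   = $name
                Approved = ($Allowed[$groupName] -contains $name)
            }
        }
    }
}

# List only the members that are not on the allow-list.
Test-DhcpGroupMembership | Where-Object { -not $_.Approved } |
    Format-Table Computer, Group, Member -AutoSize
```

A member that appears as a bare SID is an account that no longer resolves and is reported as unapproved, which is usually the desired result for a stale entry.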