

DHCP: How to Detect Who Deleted a Reservation

Why It Is Important

The deletion of a DHCP reservation can cause IT services to be unavailable. For instance, users can experience problems accessing e-mail, file servers, SharePoint, etc. And because users won’t be able to access files on corporate shared resources or use their mailboxes, the IT helpdesk will see a significant increase in ticket volume. To minimize the risk of system unavailability and the resulting failed access attempts, IT administrators need to keep an eye on DHCP reservations and spot any deletions as soon as possible.

Native Auditing

1. DHCP MMC

Open the DHCP Microsoft Management Console (MMC) snap-in → In the console tree, click the DHCP server you want to configure → Choose IPv4 or IPv6 → Right-click the DHCP instance and go to Properties → On the General tab, select Enable DHCP audit logging → Click OK.

2. Event viewer

Run eventvwr.msc and navigate to Application and Services Logs → Microsoft → Windows → DHCP-Server → Microsoft-Windows-DHCP Server Events/Operational → Look for Event ID 107 to find out who deleted a DHCP reservation.

https://img.netwrix.com/landings/howtofriday/20/How-to-Detect-Who-Deleted-a-DHCP-Reservation.png
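
The same two checks can be scripted. The following PowerShell is an added example, not part of the original article: it confirms that audit logging is on and lists Event ID 107 records with the account that made the change. It assumes that the channel shown in Event Viewer is exposed to Get-WinEvent as Microsoft-Windows-Dhcp-Server/Operational, that the record's UserId field carries the SID of the acting account, and a 7-day look-back window.

```powershell
# Added example: report who deleted DHCP reservations (Event ID 107).
# Run in an elevated session on the DHCP server (DhcpServer module required).
param(
    [int]$Days = 7   # look-back window; assumed default, adjust as needed
)

# Step 1 equivalent: confirm that DHCP audit logging is enabled.
if (-not (Get-DhcpServerAuditLog).Enable) {
    Write-Warning 'DHCP audit logging is disabled (see step 1).'
}

# Step 2 equivalent: locate the Operational channel.
# The channel name is an assumption; -ErrorAction Stop fails loudly if it is absent.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Dhcp-Server/Operational' -ErrorAction Stop
if (-not $log.IsEnabled) {
    Write-Warning "Channel '$($log.LogName)' is disabled; no deletions are being recorded."
}

$filter = @{
    LogName   = $log.LogName
    Id        = 107
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches, so treat that as "no results".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Event ID 107 records in the last $Days day(s)."
    return
}

$events | ForEach-Object {
    # Resolve the SID on the record to DOMAIN\user; keep the raw SID if the
    # account can no longer be resolved (for example, it was deleted).
    $who = if ($_.UserId) {
        try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.UserId.Value }
    } else { 'unknown' }

    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Server      = $_.MachineName
        User        = $who
        Message     = $_.Message
    }
} | Sort-Object TimeCreated -Descending | Format-List
```

Scheduling this script and forwarding its output to a mailbox or SIEM shortens the time between a deletion and its discovery.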


Credits

Originally Posted - https://www.netwrix.com/how_to_detect_who_deleted_dhcp_reservation.html