Restricting DHCP Administrators

Posted: March 27, 2010 in Active Directory, Server, System Information
Tags: ,


You want to restrict who can administer your DHCP servers in your domain.


Using a graphical user interface
  1. Open the Active Directory Users and Computers MMC snap-in.

  2. In the console tree, click Active Directory Users and Computers Domain-Name Users.

  3. In the details pane, click DHCP Administrators.

  4. Click Action Properties Members.

  5. Remove all users and groups you do not want to have administering your DHCP server by clicking their names and then clicking Remove.

  6. To add new DHCP administrators, click Add, provide the user or group name, and then click OK.

  7. Click OK.

Using a command-line interface

Add a member to a group with DSMod by passing the -addmbr option:

	> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with AdMod, use the following syntax:

	> admod -b "<GroupDN>" member:+:"<MemberDN>"

Remove a member from a group with DSMod by passing the -rmmbr option:

	> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with AdMod, use the following syntax:

	> admod -b "<GroupDN>" member:-:"<MemberDN>"

Replace the complete membership list with DSMod by passing the -chmbr option:

	> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN … >"

To replace the membership of a group with AdMod, use the following two commands:

	> admod b "<GroupDN>" :-
	> admod -b "<GroupDN>" member++::"<Member1DN>;<Member2DN>;<Member3DN>"

Using VBScript
	' This code adds a member to the  
Administrators group.
	strGroupDN = "<GroupDN>" ' e.g. "cn= 
DHCP Administrators,cn=Users,<DomainDN>
	strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com
	' ------ END CONFIGURATION --------

	set objGroup = GetObject("LDAP://" & strGroupDN)
	' Add a member
	objGroup.Add("LDAP://" & strMemberDN)

	' This code removes a member from the  
DHCP Administrators group.

	set objGroup = GetObject("LDAP://" & strGroupDN)
	objGroup.Remove("LDAP://" & strMemberDN)


Windows Server 2003 is better than its predecessors about supporting role separation. Most roles can be assigned independently of one another rather than just making a user a Domain Admin or an Enterprise Admin. This is great for security administrators who want to ensure that users have only enough rights to perform their assigned tasks. For example, a user Fred might need to modify an enterprise-wide object. You could just add Fred to the Enterprise Admin groups to solve the problem. However, Fred now has access to virtually any object in the entire forest and could cause irreparable harm to your network, not to mention compromise all security in place. Instead, you can grant Fred access to just that object.

This can be done in separate ways. One method is the “Delegation of Control” wizard. Another way is that Windows has several built-in groups that are created and populated when specific services are installed. One such group is DHCP Administrators, which is created when the first DHCP server is brought up in a domain. You can control administrative access to the DHCP function of these servers through this group membership.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s