When you install the DHCP Server service, two domain local groups are created: DHCP Users and DHCP Administrators.

In versions of Windows prior to Windows Server 2008 R2, the Dynamic Host Configuration Protocol (DHCP) service ran in the Local System account and had privileges to create the groups in the Security Accounts Manager (SAM) database. The DHCP Server service in Windows Server 2008 R2 has been moved to the Network Service account, which has reduced privileges and cannot create the security accounts. To facilitate adding security groups and setting access control lists (ACLs), DHCP uses an application programming interface (API) called DhcpAddSecurityGroups. This API is implemented in Dhcpsapi.dll and the Role Management Tool starts this API after the DHCP Server server role installation is done.

DHCP Users group

Members of the DHCP Users group have read-only access to the server by using the DHCP Microsoft Management Console (MMC) snap-in, which allows them to view, but not to modify, server data, including DHCP server configuration, registry keys, DHCP log files, and the DHCP database. DHCP Users cannot create scopes, modify option values, create reservations or exclusion ranges, or modify the DHCP server configuration in any other way.

DHCP Administrators group

Members of the DHCP Administrators group can view and modify any settings on the DHCP server. DHCP Administrators can create and delete scopes, add reservations, change option values, create superscopes, or perform any other task required to administer the DHCP server, including export or import of the DHCP server configuration and database.

Members of the DHCP Administrators group do not have unlimited administrative rights. For example, if a DHCP server is also configured as a Domain Name System (DNS) server, a member of the DHCP Administrators group can view and modify the DHCP configuration but cannot modify DNS server configuration on the same computer.

Because members of the DHCP Administrators group have rights on the local computer only, DHCP Administrators cannot authorize or unauthorize DHCP servers in Active Directory Domain Services (AD DS). Only members of the Domain Admins group can perform this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must have enterprise administrator credentials for the parent domain.


To log on as an enterprise administrator, you must use a member account in the Enterprise Admins group. You can join this group by logging on as local administrator at the first domain controller created in your enterprise.

Additional Resources

For a list of Help topics providing related information, see Recommended tasks for the DHCP server role.

For updated detailed IT pro information about DHCP, see the Windows Server 2008 documentation on the Microsoft TechNet Web site.