Windows Server: Authorize DHCP Server without Enterprise Admin Privileges
In an Active Directory environment, authorizing a Windows 2000/2003-based DHCP server requires Enterprise Admin rights. In larger networks this is a problem, because a single forest may contain several domains: the domain administrator would have to ask an Enterprise Admin to authorize every newly installed DHCP server. To work around this, the permissions on the Configuration partition have to be adjusted.
Unfortunately, Microsoft is rather generous with permissions here and grants the user group in question "Full Control" on the container:
- CN=NetServices,CN=Services,CN=Configuration,DC=contoso,DC=com
That is far more than necessary; the right can be delegated much more granularly. First, create a security group (e.g. "DHCP Authorizers") to which the right will be delegated. Then connect to the Configuration partition of Active Directory with the "adsiedit.msc" tool.
This group requires the following rights on "CN=NetServices,CN=Services,CN=Configuration,DC=contoso,DC=com":
- Apply to: "This object only"
  - Allow "Create dHCPClass objects"
  - Allow "Delete dHCPClass objects"
- Apply to: "dHCPClass objects"
  - Allow "List contents"
  - Allow "Read all properties"
  - Allow "Write all properties"
  - Allow "Delete"
After these permission entries have been created, members of the group can authorize a DHCP server without being members of the Enterprise Admins group.
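The same two permission entries can be applied from a script instead of clicking through adsiedit.msc. The following PowerShell is an added example, not part of the original article: it assumes a management host with the RSAT ActiveDirectory module (which provides the AD: drive), that it is run once by an account allowed to modify the Configuration partition ACL (an Enterprise Admin), and it uses the article's example group name "DHCP Authorizers" as a placeholder. The schemaIDGUID of dHCPClass is read from the schema rather than hard-coded.

```powershell
# Added example (not the article's own procedure): delegate DHCP server
# authorization by placing the two ACEs described above on CN=NetServices.
# Assumptions: RSAT ActiveDirectory module present; run by an account that may
# modify the Configuration partition ACL; group name is a placeholder.
Import-Module ActiveDirectory

$groupName = 'DHCP Authorizers'

$rootDse       = Get-ADRootDSE
$netServicesDN = "CN=NetServices,CN=Services,$($rootDse.configurationNamingContext)"

# 1. Create the group if it does not exist yet. Universal scope so that
#    administrators from any domain in the forest can be added.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# 2. Resolve the schemaIDGUID of the dHCPClass object class from the schema.
$dhcpClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=dHCPClass)' -Properties schemaIDGUID
$dhcpClassGuid = [Guid]$dhcpClass.schemaIDGUID

# 3. ACE on the container itself ("This object only"):
#    Allow "Create dHCPClass objects" and "Delete dHCPClass objects".
$containerRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
                   [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$containerAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $containerRights, 'Allow', $dhcpClassGuid, 'None')

# 4. ACE inherited by dHCPClass objects only ("dHCPClass objects"):
#    Allow List contents, Read all properties, Write all properties, Delete.
$childRights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::Delete
$childAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $childRights, 'Allow', 'Descendents', $dhcpClassGuid)

# 5. Add both entries and write the ACL back through the AD: drive.
$acl = Get-Acl -Path "AD:\$netServicesDN"
$acl.AddAccessRule($containerAce)
$acl.AddAccessRule($childAce)
Set-Acl -Path "AD:\$netServicesDN" -AclObject $acl

# 6. Verify: list only the entries granted to the group. Expect two rows:
#    CreateChild, DeleteChild with InheritanceType None, and
#    ListChildren, ReadProperty, WriteProperty, Delete inherited to dHCPClass.
(Get-Acl -Path "AD:\$netServicesDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritanceType, InheritedObjectType -AutoSize
```

Because the Configuration partition is shared by every domain in the forest, membership in this group is effectively the ability to authorize (or de-authorize) any DHCP server in the forest. Keep the group's membership small and audited, and consider monitoring for the creation of dHCPClass objects under CN=NetServices so that an unexpected authorization is noticed.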