Denying DHCP Admin rights on a Windows 2000/2003 member server

W C Hull

We have always had our DHCP services running on Domain Controllers for
Security purposes. Now we have an office that is really too small for a
separate DC so we are going to be running Microsoft DHCP and Microsoft DNS
on the same member server.

By default, Local Administrators and "DHCP Administrators" can manage DHCP;
however, if possible, we want to set DHCP up so that it can only be managed
by DHCP Administrators and only Domain Admins can add people to the group.
Has anyone ever done this before? If so, what did you end up protecting and
how did you set it up?

Any assistance will be appreciated.
 
Kurt

DHCP has its own ACL. You can remove or add users, built-in groups or
groups of your own creation as required. Since you mentioned that it won't be
a "separate DC", that would imply that it is a member server. You don't
really need anyone to know the local admin account. You can put the computer
into an OU and delegate administrative rights as you see fit. Then your
permissions for DHCP won't be changeable by anyone on-site.

....kurt
 
Guest

Although DHCP has its own default group (i.e. DHCP Administrators), by
default, when DHCP is installed on a member server, the "Local
Administrators" group is also a default administrative group for DHCP;
therefore, any local ID or any domain ID nested in the local administrators
group suddenly becomes a DHCP admin. What WCHull is trying to do is deny
the local administrators group from being a DHCP admin.
 
Paul Williams [MVP]

You cannot effectively deny a member of the administrators group. You can
only hamper a member's ability to undo what you've put in place. You need
to fully trust the members of administrators (domain admins). If you don't,
they shouldn't be in there. I know that's not the answer you want to hear,
but that is the only real way of achieving what you want. Anything else is
simply a hurdle.
 
Guest

Paul,

Thanks for the reply.

I sort of thought denying rights to the Administrators group was not going
to be possible and we are just going to have to live with some degree of
exposure when we put DHCP on a member server.

Do you have any suggestions on how we can hamper the local administrators
group to minimize our exposure?
 
Kurt

Pretty much what I was trying to say. Since administrators can do anything,
don't allow people who would mess up DHCP to be administrators. Rather,
delegate responsibilities according to their level of competence and/or your
level of trust.

....kurt
 
Paul Williams [MVP]

I'm not in front of a server now, so can't look and check what options are
available in DHCP. But I will say don't bother. You're not preventing
anything and are wasting your time. I can appreciate that a block might
stop someone from doing something if they think "oh, I'm not supposed to do
that". Which in most cases works, but doesn't help if that someone wants to
make a change. In some cases it just challenges them...
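
Added example, not part of the original thread: since membership of either the local Administrators group or "DHCP Administrators" gives control of DHCP on the member server, this Python sketch parses saved `net localgroup` output for both groups and lists every account that is not on an approved list. The sample output, the CORP domain and all account names are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples of `net localgroup <group>` output from a hypothetical member server.
SAMPLE_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\BranchHelpdesk
The command completed successfully.
"""

SAMPLE_DHCP = """\
Alias name     DHCP Administrators
Comment        Members who have administrative access to DHCP service

Members

-------------------------------------------------------------------------------
CORP\\DhcpOps
The command completed successfully.
"""

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line)
    return members

def unapproved_dhcp_managers(admins_out, dhcp_out, approved):
    """Map each account not on the approved list to the group(s) giving it DHCP control."""
    approved = {name.lower() for name in approved}
    findings = {}
    for group, out in (("Administrators", admins_out), ("DHCP Administrators", dhcp_out)):
        for member in parse_members(out):
            if member.lower() not in approved:
                findings.setdefault(member, []).append(group)
    return findings
```

Domain groups appear here as single entries, so the members of any nested domain group still have to be expanded against the domain before the result is complete.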
 
