Question : How do DHCP Permissions work internally on Windows 2003?

This may sound like a strange question, but does anybody know how permissions to the DHCP Server work in Windows Server 2003?

I do understand that there are the groups "DHCP Users" and "DHCP Administrators" and how to use them, but where on the system are those groups actually used? I can't seem to find anything on this.

I checked the registry, file system, DCOM, WMI - nothing (doesn't mean it's not there, but I couldn't find it), meaning I didn't find a single ACL that contained those groups. One exception is the SDDL for the DHCP Server service in the Service Control Manager, but that's not what I am looking for. Are those groups maybe used within the JET DHCP database?

Background on why I stumbled upon this question: I want to set a DENY permission to do DHCP configuration on certain machines.

Answer : How do DHCP Permissions work internally on Windows 2003?

Hi there.

Wonko, you have the wrong approach here.
You don't restrict an administrator from doing something. Because you JUST CAN'T. As long as the user is in the local administrator group, he can set his own rights as he wishes. Even if you deny him some rights, he'll just set them back.

Therefore, you always need to go the other way around. Just remove that user from local administrators on that computer and give him permissions gradually to what he needs to do.
Be careful, because if you make him a domain admin, he'll add himself as local administrator and that's it :)
So, remove him from domain admins too and add him as local admin only on the servers that he needs to manage.

About your question:
DHCP groups apply to the local computer only (the computer that has the DHCP role). They apply to both the API and the netsh command.
Here is the description of the groups from Microsoft for Windows 2003:
http://technet.microsoft.com/en-us/library/cc737716(WS.10).aspx
