How to Detect Who Deleted a DHCP Reservation

Native Auditing vs. Netwrix Auditor for Windows Server

Native Auditing Netwrix Auditor for Windows Server
  1. Open DHCP Microsoft Management Console (MMC) snap-in → In the console tree click the DHCP server you want to configure → choose IPv4 or IPv6 → call menu by right clicking DHCP instance and go to Properties → On the General tab, select Enable DHCP audit logging → OK.
  2. Run evenvwr.msc, navigate to Application and Services Logs → Microsoft → Windows → DHCP-Server → Microsoft-Windows-DHCP Server Events/Operational → Look for Event ID 107 in order to find out who deleted a DHCP Reservation.


  1. To create an instant alert that is triggered upon any DHCP Reservation Deletion, navigate to Managed Objects → Windows server → Event Log → Audit Archiving Filters → Check "All Windows Logs" → Right click "Real-time alerts" folder → New Real-time alert → Set alert’s name and click "Next" → Add Event Filter → Set filter’s name → Set "Microsoft-Windows-DHCP-Server/Operational" Event log → Go to Event Fields tab → Set Event ID = 107 → click "OK", "Next" and "Finish".
  2. Now you will be able to receive an email upon each occurrence of DHCP Reservation Deletion on your server with information who deleted it.

Monitor Deletions of DHCP Reservations to Avoid System Unavailability

The deletion of a DHCP reservation can cause IT services to be unavailable. For instance, users can experience problems accessing e-mail, file servers, SharePoint, etc. And because users won’t be able to access files on corporate shared resources or use their mailboxes, the IT helpdesk will see a significant increase in ticket volume. To minimize the risk of system unavailability and the resulting failed access attempts, IT administrators need to keep an eye on DHCP reservations and spot any deletions as soon as possible.

Netwrix Auditor for Windows Server provides visibility into Windows Server activity and delivers actionable information about all Windows Server access events and changes, including the deletion of DHCP reservations. Then, by using the Interactive Search feature, IT staff can generate an easy-to-read report showing all the details about a deleted DHCP reservation, including who deleted it, when and where the deletion occurred, and other details. The solution also notifies IT administrators about deleted reserved IP addresses by sending them email alerts in order to further help prevent system unavailability.

Got Feedback? Share!