Re: User Access Denied With DHCP Admin. Group?



The following is cut and pasted from this article:
-- http://www.msresource.net/content/view/43/47/


Delegating the appropriate permissions
There are two main ways of delegating control in Active Directory - using
the delegation of control wizard or by setting the necessary atomic
permissions on the object or parent object.

In order to authorise a DHCP server in Active Directory, the user in
question must have, as a minimum, the following permissions on the
CN=NetServices,CN=Services,CN=Configuration,DC=domain-name,DC=com container
object:

Create dHCPClass objects


In order to be able to unauthorise, the following permission is also
required:

Delete dHCPClass objects


This poses a minor problem however, as the dHCPClass object isn't visible
through the Delegation of Control Wizard or the Sites and Services advanced
permissions editor. The only way to see this object through the GUI is to
use ADSIEdit.


Delegate the ability to authorise DHCP servers to a non-enterprise
administrator using the delegation of control wizard

a. Load Active Directory Sites and Services (DSSITE.MSC)
b. Select View Services from the View drop-down menu (this is a
context-sensitive menu, therefore you must have selected the Active
Directory Sites and Services [root] object)
c. Expand the System container, and then select the NetServices
container.
d. Right-click on NetServices and choose Delegate Control... from the
Action menu
e. In the delegation of control wizard select Next, and then select Add
on the Users and groups page
f. In the resultant window (the object picker) type the name or names
of the groups that you wish to delegate this ability to into the Enter the
object names to select box and then choose OK. To select multiple names at
once, separate objects with a semi-colon.
g. Select Next, and then Create a custom task to delegate on the Tasks
to Delegate page.
h. Click This folder, existing objects in this folder and creation of
new objects in this folder underneath Delegate control of in the Active
Directory Object Type window and then click Next.
i. Select the Full Control checkbox underneath Permissions on the
Permissions page. This enables the selected object in question to be able
to add, modify or delete new objects of the DHCP class type in the
NetServices folder.
Note. This is quite an open way of doing this, as the minimum
permissions required are Create and Delete dHCPClass objects. However, as
explained earlier, the only [graphical] interface that can see these
permissions is ADSIEdit; therefore the delegation wizard has to give more
open permissions.


Delegate the ability to authorise DHCP servers to a non-enterprise
administrator by manually setting the atomic permissions for the dHCPClass
object class.

Instead of using the Delegation of Control wizard, you can manually
configure the appropriate permissions by selecting the individual atomic
permissions necessary to achieve the task. You do this through the advanced
permissions editor.

As mentioned earlier in this section, you must use ADSIEdit to be able to
grant the minimum required permissions. If you wish to use the Sites and
Services snap-in instead, then you will have to be more relaxed in the
permissions you grant, as in the example of using the Delegation of Control
wizard.

a. Load ADSIEdit by typing ADSIEDIT.MSC at the Run command
b. Expand the following: Configuration;
CN=Configuration,DC=domain-name,DC=com; CN=Services; CN=NetServices
c. Right-click on CN=NetServices and choose Properties, and then the
Security tab. Click Advanced, and then Add...
d. Add the desired group to the Object Picker and choose OK
e. In the resultant window scroll down and check the Allow tick-box
against the permissions Create dHCPClass Objects and Delete dHCPClass
Objects
f. In the Apply onto drop-down list, select This object only
g. Click OK, then OK and then OK again.

You should use the last part - only allow the creation of dHCPClass objects.

So, pull up the Security tab on:

CN=NetServices,CN=Services,CN=Configuration,DC=domain-name,DC=com


And then click Advanced and change the permissions from Full Control to
Create dHCPClass objects only. You'll also need Delete if you want to
un-authorise.

You will need to do this as EA, or another user with the necessary
permissions.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
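As an added example (not part of Paul Williams's post or the msresource.net article), the PowerShell below applies the ADSIEdit steps above non-interactively: it looks up the schemaIDGUID of the dHCPClass class, then adds two "This object only" ACEs on CN=NetServices granting Create child and Delete child restricted to that class, which is exactly what "Create dHCPClass objects" and "Delete dHCPClass objects" mean in the permissions editor. The group name "DHCP Admins" is an assumption; the script needs the RSAT ActiveDirectory module and must be run as an Enterprise Admin or another account that can already edit the ACL of CN=NetServices.

```powershell
# Added example, not code from the original post or article.
# Grants a group the minimum permissions on CN=NetServices needed to
# authorise (Create dHCPClass objects) and un-authorise (Delete dHCPClass
# objects) DHCP servers, scoped to "This object only".
param(
    [string]$GroupName = 'DHCP Admins'   # assumed group name; change as needed
)

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$netSvcDN = "CN=NetServices,CN=Services,$configNC"

# Resolve the schemaIDGUID of the dHCPClass class from the schema rather
# than hard-coding it. This GUID, placed in the ACE's ObjectType field, is
# what narrows a generic "Create/Delete child" right down to dHCPClass only.
$dhcpClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=dHCPClass))' `
    -Properties schemaIDGUID
if (-not $dhcpClass) { throw "dHCPClass not found in the schema" }
$dhcpGuid = [Guid]$dhcpClass.schemaIDGUID

$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read the current DACL of the NetServices container via the AD: drive.
$acl = Get-Acl -Path "AD:\$netSvcDN"

# One ACE per right. Inheritance "None" corresponds to "This object only";
# the DHCP server records created on authorisation live directly under
# NetServices, so nothing deeper is needed.
foreach ($right in @([System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
                     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $dhcpGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$netSvcDN" -AclObject $acl

# Verify: show every ACE on NetServices that is scoped to the dHCPClass type.
# Expect two Allow entries for the group, CreateChild and DeleteChild, with
# InheritanceType None. Anything broader (e.g. GenericAll) means the wizard
# route was used and the ACL is more open than required.
Get-Acl -Path "AD:\$netSvcDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $dhcpGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

If only authorisation should be delegated, drop DeleteChild from the loop. Leaving the wizard's Full Control ACE in place alongside these entries defeats the purpose, so check the verification output and remove any broader ACE for the same group before relying on this delegation.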




