On Wed, Mar 19, 2008 at 7:07 PM, Michael B. Smith <[EMAIL PROTECTED]> wrote:

> Don't do it.
>
> Step away from the keyboard.
>
> A DHCP Administrator on a DC is a domain admin.

Which is why I'm contemplating transferring the DHCP service to the Exchange box.

> An Exchange Administrator on a DC is a domain admin.

It's two separate boxes - an Exchange box and a DC. He desires the ability (not *too* unreasonably) to create/delete/modify Exchange accounts/DLs/contacts. How to grant that without giving away the game in this situation?

> You can delegate sub-domains in DNS, but that is easily over-ridden.
>
> A domain is -a- administrative boundary. So is a forest. Except for
> name-resolution, and some minor security separation, you should consider
> them the same.
>
> If creation of a separate forest is not an option, your best bet is to make
> them a child domain. Virtualize if necessary (standard warnings about
> virtualizing a DC apply), but don't mix functions and privileges...

So, basically, if I transfer the DHCP service to the Exchange box, I can make him a member of the DHCP Administrators group on that machine, but DNS and WINS delegation are right out, unless I create a child domain in the forest?

That's approximately what I thought, if that's the case, and I'm not much interested in creating child domains, as I'm not well-educated in all this, and have no wish to learn this kind of thing in a live environment.

My default stance is to give him the DHCP administration, and let him know that the rest is out of reach, at least for a good while.

Kurt
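The one delegation Kurt settles on above, adding the user to the DHCP Administrators group on a member server rather than on the DC, is shown below as an added PowerShell example; it is not part of the thread or either poster's code. The server name EXCH01 and the delegate account CONTOSO\jdoe are hypothetical. The script refuses to run against a domain controller (where DHCP Administrators is a domain-local group and the DHCP service runs on the DC itself, which is Michael's objection), adds the account to the *local* group on the member server, and then confirms that the account has not also ended up in Domain Admins.

```powershell
# Added example, not from the thread. Assumes DHCP has been moved to a
# member server (NOT a DC) and a delegate account; both names are hypothetical.
$Server   = 'EXCH01'
$Delegate = 'CONTOSO\jdoe'

# Guard: never delegate DHCP on a domain controller. On a DC the DHCP
# Administrators group is a domain-local group in AD and the service runs
# on the DC, so the delegation is effectively domain admin.
$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Server
# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 member server,
# 4 backup domain controller, 5 primary domain controller
if ($cs.DomainRole -ge 4) {
    throw "$Server is a domain controller; do not delegate DHCP here."
}

# Add the delegate to the LOCAL "DHCP Administrators" group on the member server.
# WinNT ADSI paths use DOMAIN/user rather than DOMAIN\user.
$group = [ADSI]"WinNT://$Server/DHCP Administrators,group"
$group.Add("WinNT://$($Delegate -replace '\\','/'),user")

# Check 1: list who now holds local DHCP Administrators on the server.
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
"DHCP Administrators on ${Server}: $($members -join ', ')"

# Check 2: make sure the delegate is not (directly) a Domain Admin, since
# that would make the whole delegation exercise pointless.
$sam = $Delegate.Split('\')[1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$sam))"
$user = $searcher.FindOne()
if (-not $user) { throw "Account $Delegate not found in the current domain." }
$inDA = @($user.Properties['memberof'] | Where-Object { $_ -like 'CN=Domain Admins,*' })
if ($inDA.Count -gt 0) {
    Write-Warning "$Delegate is a direct member of Domain Admins; delegation is moot."
} else {
    "$Delegate is not a direct member of Domain Admins."
}
```

Run it from an account that is a local administrator on the member server and can read the domain. The Domain Admins check looks only at direct membership (the memberOf backlink); nested membership through another group would need a recursive lookup or a token-groups query, so treat a clean result here as necessary rather than sufficient.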
