Answers? Hello?

On Wed, Mar 19, 2008 at 7:18 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 19, 2008 at 7:07 PM, Michael B. Smith
> <[EMAIL PROTECTED]> wrote:
> > Don't do it.
> >
> > Step away from the keyboard.
> >
> > A DHCP Administrator on a DC is a domain admin.
>
> Which is why I'm contemplating transferring the DHCP service to the
> Exchange box.
>
> > An Exchange Administrator on a DC is a domain admin.
>
> It's two separate boxes - an Exchange box and a DC. He desires the
> ability (not *too* unreasonably) to create/delete/modify Exchange
> accounts/DL/Contacts. How to grant that without giving away the game
> in this situation?
>
> > You can delegate sub-domains in DNS, but that is easily over-ridden.
> >
> > A domain is -a- administrative boundary. So is a forest. Except for
> > name-resolution, and some minor security separation, you should consider
> > them the same.
> >
> > If creation of a separate forest is not an option, your best bet is to make
> > them a child domain. Virtualize if necessary (standard warnings about
> > virtualizing a DC apply), but don't mix functions and privileges...
>
> So, basically if I transfer the DHCP service to the Exchange box, I
> can make him a member of the DHCP Administrators group on that
> machine, but DNS and WINS delegation are right out, unless I create a
> child domain in the forest?
>
> That's approximately what I thought, if that's the case, and I'm not
> much interested in creating child domains, as I'm not well-educated in
> all this, and have no wish to learn this kind of thing in a live
> environment. My default stance is to give him the DHCP administration,
> and let him know that the rest is out of reach, at least for a good
> while.
>
> Kurt
