Sorry, it's been a busy couple of weeks. If you give him (or preferentially, a group that you create and make him a member of) FC on the OU where you want him to be able to do these things, he can make the modifications that he wants, and only affect that OU. There is a white paper, named something like "Exchange 2003 Active Directory Permissioning Model" that can tell you the PRECISE rights that must be granted, if that is of concern.
Putting the DHCP server service on the Exchange server should be fine, as long as he is the admin of both; and that server isn't a DC. He'll need to be a local admin on that box, a member of "Exchange Administrators", and a member of "DHCP Administrators".

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Friday, March 21, 2008 1:50 PM
To: NT System Admin Issues
Subject: Re: Granting rights to services on a DC, etc.

Answers? Hello?

On Wed, Mar 19, 2008 at 7:18 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 19, 2008 at 7:07 PM, Michael B. Smith
> <[EMAIL PROTECTED]> wrote:
> > Don't do it.
> >
> > Step away from the keyboard.
> >
> > A DHCP Administrator on a DC is a domain admin.
>
> Which is why I'm contemplating transferring the DHCP service to the
> Exchange box.
>
> > An Exchange Administrator on a DC is a domain admin.
>
> It's two separate boxes - an Exchange box and a DC. He desires the
> ability (not *too* unreasonably) to create/delete/modify Exchange
> accounts/DL/Contacts. How to grant that without giving away the game
> in this situation?
>
> > You can delegate sub-domains in DNS, but that is easily over-ridden.
> >
> > A domain is -a- administrative boundary. So is a forest. Except for
> > name-resolution, and some minor security separation, you should consider
> > them the same.
> >
> > If creation of a separate forest is not an option, your best bet is to make
> > them a child domain. Virtualize if necessary (standard warnings about
> > virtualizing a DC apply), but don't mix functions and privileges...
>
> So, basically if I transfer the DHCP service to the Exchange box, I
> can make him a member of the DHCP Administrators group on that
> machine, but DNS and WINS delegation are right out, unless I create a
> child domain in the forest?
>
> That's approximately what I thought, if that's the case, and I'm not
> much interested in creating child domains, as I'm not well-educated in
> all this, and have no wish to learn this kind of thing in a live
> environment. My default stance is to give him the DHCP administration,
> and let him know that the rest is out of reach, at least for a good
> while.
>
> Kurt
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
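As an added example that is not part of the original thread, the delegation Michael describes (Full Control on one OU granted to a group the delegate is a member of, plus local Administrators and DHCP Administrators membership on the non-DC Exchange box that will host DHCP), scripted in PowerShell. It assumes a current Windows Server with the ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules, which did not exist in the 2008 environment the thread describes (the period equivalents were the Delegation of Control wizard and dsacls); the OU, group, account and server names are placeholders. The Exchange administrator role is granted through Exchange's own delegation tooling and is not shown here.

```powershell
# Added example; not code from the original thread. All names below are assumed placeholders.
Import-Module ActiveDirectory

$ou          = 'OU=Branch Users,DC=example,DC=com'       # OU being delegated (assumed)
$groupOU     = 'OU=Delegation Groups,DC=example,DC=com'  # deliberately OUTSIDE the delegated OU (assumed)
$groupName   = 'Branch-OU-FullControl'                   # delegation group (assumed)
$delegateSam = 'jsmith'                                  # the delegate's sAMAccountName (assumed)
$delegate    = "EXAMPLE\$delegateSam"                    # NetBIOS form for local groups (assumed domain)
$server      = 'EXCH01'                                  # member server (NOT a DC) that will run DHCP (assumed)

# 1. Delegation group: create it if missing and add the delegate.
#    Keeping the group outside the delegated OU matters: with Full Control on
#    the OU he could otherwise edit the membership of the group that grants it.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupOU
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path $groupOU -PassThru
}
Add-ADGroupMember -Identity $group -Members $delegateSam

# 2. "FC on the OU": GenericAll on the OU object and everything beneath it
#    (InheritanceType All). Nothing above the OU is touched.
$acl  = Get-Acl -Path "AD:\$ou"
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Check the result: exactly one ACE for the group, scoped to this OU subtree.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType

# 4. On the member server only (never on a DC, where both groups mean domain-admin-equivalent):
#    local Administrators and the DHCP Administrators group the DHCP role creates.
Invoke-Command -ComputerName $server -ScriptBlock {
    param($who)
    Add-LocalGroupMember -Group 'Administrators'      -Member $who
    Add-LocalGroupMember -Group 'DHCP Administrators' -Member $who
    Get-LocalGroupMember -Group 'DHCP Administrators'
} -ArgumentList $delegate
```

Step 2 grants the blanket Full Control the thread talks about; the Exchange permissioning white paper Michael mentions is the place to look if you want to replace GenericAll with the narrower create/delete/write rights on user, group and contact objects instead. Step 3 is worth running after any delegation, and again on the parent containers, to confirm the ACE did not land higher than intended.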
