Authorizing DHCP Server by a non-enterprise administrator

By default, only a administrator which is member of “Enterprise Admins” group can authorize the DHCP which is installed in domain environment. If the other accounts  would like to authorize the DHCP server which is a member server in child domain, you may get “Access is denied“.

To solve this problem, I try to grant the permission for child domain administrator.

1. At the forest root domain controller, log in as Domain Administrator.

2. Launch “Active Directory Sites and Services“.

3. On the menu, click “View > Show Services Mode.

4. Expand “Services > NetServices“.

5. Right-click “NetServices“, select “Delegate Control“.

6. On “Delegation of Control Wizard” screen, click “Next“.

7. On “Users or Groups” screen, add an user or group which you want to grant permission for authorizing DHCP servers to.

8. Click “Next“.

9. On “Tasks to Delegate” screen, select “Create a custom task to delegate“.

10. Click “Next“.

11. On “Active Directory Object Type” screen, select “This folder, existing objects in this folder, and creation of new objects in this folder“.

12. Click “Next“.

13. On “Permissions” screen, check “Full Control“.

14. Click “Next” .

15. Click “Finish“.

Now, the non-enterprise administrator user account can authorize the DHCP Server which is installed in Child Domain.

Ref: http://terrytlslau.tls1.cc/2011/11/authroizing-dhcp-server-by-child-domain.html

https://technet.microsoft.com/en-us/library/cc786474(WS.10).aspx

OVERVIEW: Audit Logon Events

The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn’t logging on to the DC; the DC is simply authenticating the user.) To track all domain account authentication, you should use Audit account logon events.

Bottom Line

• Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers.
• Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead

OVERVIEW: Audit Account Logon Events

Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.

Bottom Line

• Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
• Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead