Authorizing DHCP Server by a non-enterprise administrator


By default, only an administrator who is a member of the “Enterprise Admins” group can authorize a DHCP server installed in a domain environment. If any other account tries to authorize a DHCP server that is a member server in a child domain, it gets “Access is denied”.

To solve this, grant the permission to the child domain administrator as follows.

 

1. On the forest root domain controller, log on as a Domain Administrator.

2. Launch “Active Directory Sites and Services”.

3. On the menu, click “View > Show Services Node”.

4. Expand “Services > NetServices”.

5. Right-click “NetServices” and select “Delegate Control”.

6. On the “Delegation of Control Wizard” screen, click “Next”.

7. On the “Users or Groups” screen, add the user or group to which you want to grant permission to authorize DHCP servers.

8. Click “Next”.

9. On the “Tasks to Delegate” screen, select “Create a custom task to delegate”.

10. Click “Next”.

11. On the “Active Directory Object Type” screen, select “This folder, existing objects in this folder, and creation of new objects in this folder”.

12. Click “Next”.

13. On the “Permissions” screen, check “Full Control”.

14. Click “Next”.

15. Click “Finish”.

Now the non-enterprise administrator account can authorize the DHCP server installed in the child domain.
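To confirm the delegation took effect and to see which DHCP servers are currently authorized, the following PowerShell is an added example (not part of the original post). It assumes the RSAT ActiveDirectory module and, for the last command, the DhcpServer module (Windows Server 2012 or later). Full Control is broader than the authorization task itself (it also allows changing permissions on the container), so it is worth seeing exactly which rights the ACE carries.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module;
# the last command additionally needs the DhcpServer module (Windows Server 2012+).
Import-Module ActiveDirectory

# DHCP authorization data lives in the Configuration partition, under
# CN=NetServices,CN=Services,CN=Configuration,DC=<forest root>.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$netServices = "CN=NetServices,CN=Services,$configNC"

# 1. List the explicit (non-inherited) ACEs on NetServices. After the wizard runs,
#    the delegated user or group should appear here; "GenericAll" is Full Control.
$acl = Get-Acl -Path "AD:\$netServices"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

# 2. Authorized DHCP servers are recorded as dhcpClass objects under NetServices;
#    the dhcpServers attribute holds the registered server entries.
Get-ADObject -SearchBase $netServices -LDAPFilter "(objectClass=dhcpClass)" -Properties dhcpServers |
    Select-Object Name, dhcpServers

# 3. The same list through the DHCP Server module, which reads this AD data.
Get-DhcpServerInDC
```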

Ref: http://terrytlslau.tls1.cc/2011/11/authroizing-dhcp-server-by-child-domain.html

https://technet.microsoft.com/en-us/library/cc786474(WS.10).aspx

How to delegate control to move computer objects from one OU to another


Move Computer accounts between OUs

In ADUC, right-click the first OU and select “Delegate Control”.

  1. Add the user or group you want.
  2. Select the “Create a custom task to delegate” option and click Next.
  3. Select “Only the following objects in the folder”.
  4. Check the box before “Computer objects” in the list.
  5. Check the boxes before “Create selected objects in this folder” and “Delete selected objects in this folder”. Click Next.
  6. Check the box for “Write”.
  7. Click Next and Finish.
  8. Perform the same steps on the other OU.

Difference between Audit Logon Events and Audit Account Logon Events


OVERVIEW: Audit Logon Events

The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn’t logging on to the DC; the DC is simply authenticating the user.) To track all domain account authentication, you should use Audit account logon events.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers.
  • Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead.


OVERVIEW: Audit Account Logon Events

Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers, including workstations.
  • Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead.

Restore deleted objects from Active Directory 2008


# Find deleted user objects whose name matches the pattern, then restore them.
# Restore-ADObject requires the Active Directory Recycle Bin (Windows Server 2008 R2 forest functional level).
Get-ADObject -Filter { Deleted -eq $true -and ObjectClass -eq "user" } -IncludeDeletedObjects |
    Where-Object { $_.Name -like "*any name*" } |
    Restore-ADObject

AD 2008 Delegation tricks


AD 2008

Delegation

1. Open “Active Directory Users and Computers”.
2. Right-click the OU or the domain to delegate and select “Delegate Control”.
3. Add the user or group to be delegated.
4. Select “Create a custom task to delegate”.
5. Choose the scope of the task.
6. Check “General” and “Property-specific”. Make sure to check the “Send As” and “Receive As” check boxes (new in Windows Server 2008), then choose the properties you want.
7. Click Finish.