Restricting DHCP Administrators

Posted: March 27, 2010 in Active Directory, Server, System Information

Problem

You want to restrict who can administer your DHCP servers in your domain.

Solution

Using a graphical user interface
  1. Open the Active Directory Users and Computers MMC snap-in.

  2. In the console tree, expand Active Directory Users and Computers → Domain-Name → Users.

  3. In the details pane, click DHCP Administrators.

  4. Click Action → Properties, and then select the Members tab.

  5. Remove every user and group that should not administer your DHCP servers by clicking its name and then clicking Remove.

  6. To add new DHCP administrators, click Add, provide the user or group name, and then click OK.

  7. Click OK.

Using a command-line interface

Add a member to a group with DSMod by passing the -addmbr option:

	> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with AdMod, use the following syntax:

	> admod -b "<GroupDN>" member:+:"<MemberDN>"

Remove a member from a group with DSMod by passing the -rmmbr option:

	> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with AdMod, use the following syntax:

	> admod -b "<GroupDN>" member:-:"<MemberDN>"

Replace the complete membership list with DSMod by passing the -chmbr option:

	> dsmod group "<GroupDN>" -chmbr "<Member1DN>" "<Member2DN>" …

To replace the membership of a group with AdMod, first clear the member attribute and then add the new members in one multi-valued operation (values separated by semicolons):

	> admod -b "<GroupDN>" member:-
	> admod -b "<GroupDN>" member:++:"<Member1DN>;<Member2DN>;<Member3DN>"
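The steps above are a one-off edit; in practice the membership drifts back as people get added "temporarily". The following PowerShell script is an added example (not part of the original post or the Active Directory Cookbook it quotes) that does the same job with the RSAT ActiveDirectory module: it compares the current membership of DHCP Administrators with an approved list, reports every unapproved or missing principal, and only changes the group when run with -Enforce. The approved group name `DHCP-Admins-Tier2` is a hypothetical placeholder; the script assumes the group exists in the domain (see the Discussion for when it does).

```powershell
#Requires -Modules ActiveDirectory
# Added example: reconcile "DHCP Administrators" against an approved list.
# Assumes the RSAT ActiveDirectory module and a domain-local DHCP Administrators
# group in AD. 'DHCP-Admins-Tier2' is a hypothetical group name.
param(
    [string]   $GroupName = 'DHCP Administrators',
    [string[]] $Approved  = @('DHCP-Admins-Tier2'),  # sAMAccountNames of approved users/groups
    [switch]   $Enforce                                # without it the script only reports drift
)

Import-Module ActiveDirectory

$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# Resolve each approved sAMAccountName to a distinguishedName once, failing
# loudly on typos so a bad list cannot silently empty the group.
$approvedDN = foreach ($name in $Approved) {
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$name'" -ErrorAction Stop
    if (-not $obj) { throw "Approved principal '$name' was not found in the domain" }
    $obj.DistinguishedName
}

# Direct members only; nested membership is deliberately not expanded here so
# the report matches what the Members tab in ADUC shows.
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty distinguishedName)

$toRemove = @($current    | Where-Object { $_ -notin $approvedDN })
$toAdd    = @($approvedDN | Where-Object { $_ -notin $current })

foreach ($dn in $toRemove) { Write-Output "UNAPPROVED: $dn" }
foreach ($dn in $toAdd)    { Write-Output "MISSING:    $dn" }
if (-not $toRemove -and -not $toAdd) { Write-Output "OK: $GroupName matches the approved list" }

if ($Enforce) {
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
}
```

Run it without -Enforce from a scheduled task to get a drift report, and with -Enforce only after the report has been reviewed; the removal is the security-relevant half, so keeping it opt-in avoids locking out an administrator because of a mistyped approved name.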

Using VBScript
	' This code adds a member to the DHCP Administrators group.
	' ------ SCRIPT CONFIGURATION ------
	strGroupDN = "<GroupDN>"   ' e.g. "cn=DHCP Administrators,cn=Users,<DomainDN>"
	strMemberDN = "<MemberDN>" ' e.g. "cn=jsmith,cn=users,dc=rallencorp,dc=com"
	' ------ END CONFIGURATION --------

	' Bind to the group object and add the member by its LDAP path.
	set objGroup = GetObject("LDAP://" & strGroupDN)
	objGroup.Add("LDAP://" & strMemberDN)

	' This code removes a member from the DHCP Administrators group.

	' Bind to the group object and remove the member by its LDAP path.
	set objGroup = GetObject("LDAP://" & strGroupDN)
	objGroup.Remove("LDAP://" & strMemberDN)

Discussion

Windows Server 2003 is better than its predecessors at supporting role separation. Most roles can be assigned independently of one another rather than by making a user a Domain Admin or an Enterprise Admin. This is good news for security administrators who want users to have only the rights needed to perform their assigned tasks. For example, a user Fred might need to modify one enterprise-wide object. You could simply add Fred to the Enterprise Admins group. However, Fred would then have access to virtually every object in the entire forest and could cause irreparable harm to your network, not to mention undermine every other security control in place. Instead, you can grant Fred access to just that object.

This can be done in several ways. One method is the "Delegation of Control" wizard. Another is to use the built-in groups that Windows creates and populates when specific services are installed. One such group is DHCP Administrators, which is created when the DHCP Server service is installed. When that first DHCP server is a domain controller, the group is a domain local group in the domain's Users container, which is why it appears in Active Directory Users and Computers; on a member server it is a local group on that server instead, and you manage it there (for example with Computer Management or net localgroup). You control administrative access to the DHCP function of these servers through this group membership. Keep in mind that members of a DHCP server's local Administrators group can administer DHCP regardless of this group, so restricting DHCP Administrators only helps if local administrator rights on the DHCP servers are also tightly controlled; the related DHCP Users group grants read-only access to the DHCP configuration.
