You are an Enterprise administrator for contoso.com. The company consists of a head office and five branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.
Each branch office contains a domain controller on which the DHCP Server role is also installed. Besides this, each branch office also contains a file server and posses its own branch office administrator.
You need to delegate the administration of DHCP in such a way that the branch office administrators are allowed to manage DHCP scopes for their own office. You also need to ensure that the branch office administrators should not be allowed to manage the DHCP scopes in other offices.
Which of the following options would you choose to accomplish the given task in minimum amount of administrative effort?
A.
Migrate the DHCP Server server role to the file server in each branch office.
B.
On each file server, add the branch office administrator to the DHCP Administrators local group.
C.
Add the branch office administrators to the Network Configuration Operators domain local group in the AD domain.
D.
Add the branch office administrators to the Server Operators domain local group in the AD domain.
E.
Add the branch office administrators to the DHCP Administrators domain local group in the AD domain.
Explanation:
To delegate the administration of DHCP so that the branch office administrators are allowed to manage DHCP scopes for their own office you need to migrate the DHCP Server server role to the file server in each branch office.
To ensure that branch office administrators are not allowed to manage the DHCP scopes in other offices you need to add the branch office administrator to the DHCP Administrators local group.
While members of the Domain Admins group obviously have full power to configure DHCP on the server, you can also delegate limited power to users whose job is to manage DHCP servers on your network. To do this, open Active Directory Users and Computers and add the name of the user to the DHCP Administrators domain local group.
This gives the user the ability to manage DHCP servers on your network without giving him any unnecessary authority to perform other administrative tasks, which is an example of the well-known security best practice of least privilege.