Revision #3


Authorize DHCP server without Enterprise Admin privileges

In an Active Directory environment, authorizing a Windows 2000/2003-based DHCP server requires Enterprise Admin rights. In larger networks this is problematic, because a single forest can contain multiple domains. The individual domain administrators would have to ask an Enterprise Admin to authorize each newly installed DHCP server. To work around this problem, you must adjust permissions in the configuration partition.

Unfortunately, Microsoft is very generous with permissions here and grants the relevant user groups "Full Control" on the container:

CN=NetServices,CN=Services,CN=Configuration,DC=contoso,DC=com

If that is too much of a good thing, you can delegate this right far more granularly. First, create a group (e.g. DHCP Authorizers) to which the right will be delegated. Then connect to the configuration partition of Active Directory with the "adsiedit.msc" tool. The group requires the following rights on "CN=NetServices,CN=Services,CN=Configuration,DC=contoso,DC=com":

Apply to: "This object only"
Allow "Create dHCPClass"
Allow "Delete dHCPClass"

Apply to: "dHCPClass objects"
Allow "List contents"
Allow "Read all properties"
Allow "Write all properties"
Allow "Delete"

After you create these permission entries, users who are not members of the Enterprise Admins group can authorize a DHCP server.
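The same two permission entries can be applied and checked from PowerShell instead of adsiedit.msc. This is an added example, not part of the original page: it assumes the ActiveDirectory module (RSAT) is available, that it is run by an account allowed to modify the container's ACL, and that the group is named "DHCP Authorizers" as in the example above.

```powershell
# Added example. Assumptions: ActiveDirectory module present, group "DHCP Authorizers" exists.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$container = "CN=NetServices,CN=Services,$($rootDse.configurationNamingContext)"
$groupSid  = (Get-ADGroup -Identity 'DHCP Authorizers').SID

# Resolve the schema GUID of the dHCPClass object class from the forest schema.
$schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=dHCPClass)' -Properties schemaIDGUID
$dhcpClass = [Guid]$schemaObj.schemaIDGUID

$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$inheritNone  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$inheritDesc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$objectRights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, Delete'

# ACE 1, "This object only": create and delete child objects of class dHCPClass.
$aceContainer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $groupSid, $createDelete, $allow, $dhcpClass, $inheritNone

# ACE 2, "dHCPClass objects": list, read, write and delete, inherited only by
# descendant objects whose class is dHCPClass.
$aceObjects = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $groupSid, $objectRights, $allow, $inheritDesc, $dhcpClass

$path = "AD:\$container"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($aceContainer)
$acl.AddAccessRule($aceObjects)
Set-Acl -Path $path -AclObject $acl

# Check: show only the explicit (non-inherited) entries the group now holds.
# Anything broader than the two ACEs above, such as GenericAll, should be reviewed.
(Get-Acl -Path $path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $groupSid } |
    Format-List ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The final listing doubles as an audit step: run it periodically to confirm the group still holds only these two entries on the NetServices container.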
