  1. # When delegating DHCP administration to an non Domain Administrator, you can use the build in Active Directory group DHCP Administrators to accomplish this task,
  2. # but authorization of the DHCP server require additional permissons in Active Directory:
  3.  
  4. # The delegation of authorization and unauthorization of DHCP servers is two-fold.
  5. # 1. Granting permission to create/delete dHCPClass objects.
  6. # 2. Granting permission to change all properties of the existing dHCPClass objects.
  7.  
  8. # When this is done its is really possible to delegate DHCP administration.
  9.  
  10. #Change the groupname for your environment.
  11. $Group = "DHCP Authorization"
  12.  
  13. # From here you don't have to change the script.
  14. $ADRootDSE = Get-ADRootDSE
  15. $ConfigNC = $ADRootDSE.configurationNamingContext
  16. $NetServicesPath = "AD:\CN=NetServices,CN=Services,$ConfigNC"
  17. $SchemaNamingContext = $ADRootDSE.SchemaNamingContext
  18. $guidmap = @{}
  19. Get-ADObject -SearchBase ($SchemaNamingContext) -LDAPFilter "(lDAPDisplayName=dHCPclass)" -Properties lDAPDisplayName,schemaIDGUID |
  20. Where-Object {$_.lDAPDisplayName -eq "dHCPclass"} |
  21. ForEach-Object {$guidmap[$_.lDAPDisplayName]=[System.GUID]$_.schemaIDGUID}
  22.  
  23. $acl = Get-ACL $NetServicesPath
  24. $InheritedObjectType = $guidmap['dHCPclass']
  25.  
  26. $account = New-Object System.Security.Principal.NTAccount($Group)
  27. $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
  28.  
  29. # From here the new Access Rules will be created.
  30.  
  31. # Allow permission to create/delete dHCPClass objects in the Container NetServices.
  32. $ActiveDirectoryRights = @("CreateChild", "DeleteChild")
  33. $AccessControlType = "Allow"
  34. $Inherit = "None"
  35. Try{
  36. $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $ActiveDirectoryRights, $AccessControlType, $InheritedObjectType, $Inherit) -Verbose -ErrorAction Stop
  37. $acl.AddAccessRule($ace)
  38. }
  39. Catch{Write-Error "There was an error while adding the acces rule for $Group. Error: $($Error[0].Exception.Message)"; return}
  40.  
  41. # Allow permission to modify all properties of the existing dHCPClass objects.
  42. $ActiveDirectoryRights = @("WriteProperty", "ReadProperty", "ListChildren", "Delete")
  43. $AccessControlType = "Allow"
  44. $Inherit = "Children"
  45.  
  46. Try{
  47. $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $ActiveDirectoryRights, $AccessControlType, $Inherit, $InheritedObjectType) -Verbose -ErrorAction Stop
  48. $acl.AddAccessRule($ace)
  49. }
  50. Catch{Write-Error "There was an error while adding the acces rule for $Group. Error: $($Error[0].Exception.Message)"; return}
  51.  
  52. # The accumulated access rules are set to NetServices AD container.
  53. Try{
  54. Set-ACL $NetServicesPath -AclObject $acl -Verbose -ErrorAction Stop
  55. }
  56. Catch{Write-Error "There was an error while setting the new acces rules for $Group. Error: $($Error[0].Exception.Message)"}