Title: RE: [ActiveDir] DNS Permissions
This is possible; however, the users must be local admin on the clients they're using the DNS MMC on. Especially if you're running 2003, you should then be fine by granting them read-only permissions on the respective DNS zone object in AD. Win 2000 has some restrictions, as DNS servers perform their own “access checks” allowing only “read” and “full control” access on the level of the zone or the DNS server itself. This access check takes precedence over any ACE placed in an Active Directory ACL - as you're only planning to grant read access to the zone, you should be fine.
 
Depending on how you've set up DNS in 2003, the zone would either be in the domain naming context (in the CN=MicrosoftDNS,CN=System,DC=YourDomain container) or in the respective DomainDNSzones or ForestDNSzones application partitions - you can use ADSI Edit to change permissions for objects in these partitions.
 
 
/Guido
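
Added example, not part of the original message: a PowerShell sketch that finds the zone object in the three locations named above, lists its current ACEs, and optionally adds a read-only ACE. It assumes the ActiveDirectory PowerShell module (which postdates this thread) and a Domain Admin session; the zone name and group name are placeholders.

```powershell
# Added example: audit (and optionally grant) read-only access on an
# AD-integrated DNS zone object. Zone and group names are placeholders.
Import-Module ActiveDirectory

$ZoneName = 'corp.example.com'        # placeholder zone name
$Group    = 'EXAMPLE\DNS-ReadOnly'    # placeholder group of network admins
$Apply    = $false                    # leave $false to audit only

$root     = Get-ADRootDSE
$domainDn = $root.defaultNamingContext
$forestDn = $root.rootDomainNamingContext

# The three places an AD-integrated zone can be stored
$candidates = @(
    "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$domainDn",
    "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",
    "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
)
$zoneDn = $candidates | Where-Object { Test-Path "AD:\$_" } | Select-Object -First 1
if (-not $zoneDn) { throw "Zone '$ZoneName' not found in any AD location" }
Write-Output "Zone object: $zoneDn"

# Review the existing ACEs before changing anything
$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

if ($Apply) {
    $sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    # GenericRead on the zone and everything below it; no write rights
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

    # Confirm what the group now holds on the zone object
    (Get-Acl -Path "AD:\$zoneDn").Access |
        Where-Object { $_.IdentityReference -eq $Group } |
        Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType
}
```
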


From: Strand, Ted [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 February 2004 19:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Permissions

Well, it is more political than anything, but the people in question are the network administrators. Because of some technical and political issues we created a new domain to host AD. They now want the same functionality (and views) that they had when they were administrators of the domain (minus the change capabilities). Some of the things that they cited were looking at domain and DNS server settings to verify things like forwarding, zone transfers, etc.

-Ted-

-----Original Message-----
From: Tomasz Onyszko [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 24, 2004 11:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS Permissions



On Tue, 24 Feb 2004, Strand, Ted wrote:

> Have any of you found a way to grant users "read only" administrative
> permissions in DNS?  We have some users that need this capability and
> although NSLOOKUP will satisfy many of their requirements, they insist
> on having access to the GUI DNS console.

Hmm, you want to give users access to the DNS management console on the server? I think if nslookup works fine for them, give them only some GUI tool which will act as nslookup. I don't see why an ordinary user needs access to the management console.



--
Tomasz Onyszko [MVP
http://www.w2k.pl
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
