Title: RE: [ActiveDir] DNS Permissions
Guido's answer aside, you kind of need to knock this one
down or else you will always be back on your heels regularly. This is the kind
of crap that really bogs down any real lockdown/security progress in a company.
In order to get more and more secure people lose access to stuff they always had
access to before. Having access to it before doesn't mean they should always
have it. If their jobs are dependent on this functionality, find a way, if not,
tell them to focus on their real job.
Not only do you waste time trying to make these people
happy, they tend to just poke around looking for things to complain about or
point at, or at least this has been my experience in these situations. Generally
they don't understand what they are talking about so you burn a lot of time
explaining what they don't know. I get this also with people looking at domain
controller logs. They feel they know what errors should and shouldn't be there
so their perusal of one DC makes them an expert in it and they demand
explanations for each and every flagged item. My response is either, stop
looking at my DCs, I run them, I know what to look for, or I lock them out from
seeing things.
Now if there are good valid support reasons for them to look at that stuff that frees
you up, by all means go for it... An example of this was when I opened up the
ability to look at WINS records to normal users (i.e. OU admins) via netsh
and winsmgmt.msc.
We had A LOT of fighting about local site resource domain admins losing rights. You
would have thought none of them would be able to do their job without being full
god admins. 3 years into it we don't hear that complaining much anymore and
haven't encountered one valid reason where they did need the high rights except
to do things they weren't supposed to be doing in the first place.
-------------
Well, it is more political than anything, but the people in
question are the network administrators. Because of some technical and
political issues we created a new domain to host AD. They now want the
same functionality (and views) that they had when they were administrators of
the domain (minus the change capabilities). Some of the things that they
cited were looking at domain and DNS server settings to verify things like
forwarding, zone transfers, etc.
-Ted-
-----Original Message-----
From: Tomasz Onyszko [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 24, 2004 11:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] DNS Permissions
On Tue, 24 Feb 2004, Strand, Ted wrote:
> Have any of you found a way to grant users "read only" administrative
> permissions in DNS? We have some users that need this capability and
> although NSLOOKUP will satisfy many of their requirements, they insist
> on having access to the GUI DNS console.
Hmm, you want to give users access to the DNS management console on the
server? I think if nslookup works fine for them, give them only some GUI tool
which will act as nslookup. I don't see the point why an ordinary user needs access
to the management console.
--
Tomasz Onyszko [MVP]
http://www.w2k.pl
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/