As I am getting ready to migrate a number of zones from a QIP DNS server to a Microsoft DNS server, I have a concern about giving support folks access to the DNS MMC. Some folks just need to be able to use the MMC to troubleshoot, so I thought I would give them "Read Only" access to DNS. I see DHCP and WINS users (view only), but I do not see the same thing for DNS.
I created a test user in the domain, tried to start the DNS MMC, and it told me that access was denied. I then went to the DNS server object and gave the user List and Read access to the objects. To my surprise, the test user ID was able to add or delete DNS records in the AD DNS zone. It probably should not be a surprise, since the zone is AD integrated and set to secure updates. I take it this means that as long as a user is a member of the domain, they CAN create and delete resource records in DNS. I take it all I did was expose the UI by giving the user read access to the objects. How do you mitigate this?

Thanks,
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services, Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
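An added example, not part of the original post: a PowerShell check that lists which security principals hold Create Child rights on an AD-integrated zone object, since that right on the dnsZone object is what lets an ordinary domain account register new records when the zone allows secure dynamic updates. The zone name, domain DN and the DomainDnsZones partition path are placeholders and assumptions; the ActiveDirectory module (AD: drive) is assumed to be installed.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available. Zone name and domain DN below are placeholders.
Import-Module ActiveDirectory

function Get-DnsZoneCreateChildGrants {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [Parameter(Mandatory)] [string] $DomainDN,
        # Zones replicated to "all DNS servers in the domain" live in
        # DomainDnsZones; zones replicated to "all DCs in the domain" live
        # under CN=MicrosoftDNS,CN=System,<domainDN>. Adjust if needed.
        [string] $PartitionDN = "DC=DomainDnsZones,$DomainDN"
    )

    $zoneDN = "DC=$ZoneName,CN=MicrosoftDNS,$PartitionDN"

    # Read the zone object's ACL through the AD: PSDrive provider.
    $acl = Get-Acl -Path "AD:\$zoneDN"

    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    # Keep only Allow ACEs that include CreateChild; these are the principals
    # able to add resource-record (dnsNode) objects under the zone.
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -eq $createChild)
        } |
        Select-Object @{n='Zone';e={$ZoneName}},
                      IdentityReference,
                      ActiveDirectoryRights,
                      InheritanceType,
                      IsInherited
}

# Placeholder values; replace with your own zone and domain.
Get-DnsZoneCreateChildGrants -ZoneName 'corp.example.com' `
                             -DomainDN 'DC=corp,DC=example,DC=com' |
    Format-Table -AutoSize
```

A broad principal such as Authenticated Users appearing in this list with CreateChild is the grant to review when deciding who may register records in the zone; read-only MMC access by itself does not add or remove that right.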
