I did some testing and here is what I found.

1) If you actually give the user or group READ access in ADUC (Users and
Computers, not DNS) under domainname/System/MicrosoftDNS, this gives you
access to the DNS MMC on the server.

2) Then at the ZONE(s) level, you have to give the user or group READ
access and DENY = (WRITE, Create All Child Objects and Delete All Child
Objects). It gets some rights from Authenticated Users, as William
mentioned. I did not want these folks to be able to create 10,000
records on our DNS servers.

Any other way, the user or group ends up having the ability to create
DNS resource records and delete them. This way, I can truly give some
folks READ access to the DNS zones and it does not interfere with
dynamic updates, which work under SYSTEM.

We have 2003 DCs (two 2000 DCs left) in native mode. We do not have SP1
on the DCs just yet. Your mileage may vary!

Thank you everyone. 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Friday, December 09, 2005 3:38 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS Question


On the 2003 DC, you could use the Effective Permissions tab (Security ->
Advanced -> Effective Permissions) to verify the permissions assigned to
the test user.


I was able to get read-only for the user by setting Read at the server
level and again at the zone level. I had to remove 'Everyone' and
'Authenticated Users' where applicable.

It sounds as if the user may have more rights than expected.



William
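The two steps Johnny lists above (Read on the MicrosoftDNS container, then Read plus an explicit Deny on the zone) and William's suggestion to verify the result with Effective Permissions, written out as a script. This is an added example, not code from either poster; it assumes the ActiveDirectory and DnsServer RSAT modules on a domain-joined admin workstation, WinRM on the DNS server for the final check, and placeholder names (CONTOSO\DNS-ReadOnly, dns.reader, dc01, corp.example.com). The Deny uses WriteProperty rather than the ACL editor's broad "Write" (GenericWrite) so the group can still read the zone's security tab; that narrowing is my choice, not something the thread states.

```powershell
# Added example; not code from the thread. Assumes the ActiveDirectory and
# DnsServer modules (RSAT) on a domain-joined admin workstation, run as an
# account allowed to edit these ACLs, and WinRM on the DNS server for the
# final check. CONTOSO\DNS-ReadOnly, dns.reader, dc01 and corp.example.com
# are placeholders.
Import-Module ActiveDirectory

$group  = Get-ADGroup 'DNS-ReadOnly'                            # hypothetical group
$sid    = [System.Security.Principal.SecurityIdentifier] $group.SID
$domDN  = (Get-ADDomain).DistinguishedName
$dnsCN  = "CN=MicrosoftDNS,CN=System,$domDN"                    # the container the DNS MMC opens
$zoneDN = "DC=corp.example.com,$dnsCN"                          # zone stored in the domain partition
# Zones replicated to the DomainDnsZones application partition live at
# "DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,$domDN" instead.

function Add-Ace {
    # Append one ACE for $sid to the object at $DN without touching other ACEs.
    param([string]$DN, [string]$Rights, [string]$Type, [string]$Inherit)
    $acl  = Get-Acl -Path "AD:\$DN"
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [System.Security.AccessControl.AccessControlType] $Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inherit)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# 1) Read on the MicrosoftDNS container, this object only: without it the
#    snap-in gets "access denied" before it ever looks at a zone.
Add-Ace -DN $dnsCN -Rights 'GenericRead' -Type 'Allow' -Inherit 'None'

# 2) Read on the zone and every record under it, plus an explicit Deny on
#    write / create child / delete child. The Deny is the part that matters:
#    on a zone set to secure dynamic updates, Authenticated Users already
#    hold Create All Child Objects, so an Allow-only ACL still lets the group
#    add records. WriteProperty is used instead of the ACL editor's "Write"
#    (GenericWrite) so members can still read the zone's security tab.
Add-Ace -DN $zoneDN -Rights 'GenericRead' -Type 'Allow' -Inherit 'All'
Add-Ace -DN $zoneDN -Rights 'WriteProperty,CreateChild,DeleteChild' -Type 'Deny' -Inherit 'All'

function Show-ZoneAces {
    # Print the ACEs that decide this group's access, including the
    # Authenticated Users entry the thread refers to.
    param([string]$DN)
    (Get-Acl -Path "AD:\$DN").Access |
        Where-Object { $_.IdentityReference.Value -like '*\DNS-ReadOnly' -or
                       $_.IdentityReference.Value -like '*Authenticated Users' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      InheritanceType, IsInherited |
        Format-Table -AutoSize
}
Show-ZoneAces -DN $zoneDN

# 3) Functional check, the scripted counterpart of the Effective Permissions
#    tab: a member of the group tries to add a record through the DNS
#    server's management interface and must be refused.
Import-Module DnsServer
$cred = Get-Credential 'CONTOSO\dns.reader'                     # hypothetical member of DNS-ReadOnly
$cim  = New-CimSession -ComputerName 'dc01.corp.example.com' -Credential $cred
try {
    Add-DnsServerResourceRecordA -CimSession $cim -ZoneName 'corp.example.com' `
        -Name 'acltest' -IPv4Address '10.0.0.250' -ErrorAction Stop
    Write-Warning 'acltest was created: the group can still write to the zone'
    Remove-DnsServerResourceRecord -CimSession $cim -ZoneName 'corp.example.com' `
        -Name 'acltest' -RRType A -Force
} catch {
    "Write refused as expected: $($_.Exception.Message)"
} finally {
    Remove-CimSession $cim
}
```

Two cautions when using this. An explicit Deny wins over any Allow the same account picks up through other groups, so never put DNS or domain administrators in the read-only group, or they lose write access to that zone too. The ACL edits are ordinary directory writes and replicate like any other; run the functional check against the DNS server the support staff actually connect to, after replication has caught up.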

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 08 December 2005 16:34
To: [email protected]
Subject: RE: [ActiveDir] DNS Question


2K in native mode, all but two of the DCs are running 2003 (NOT SP1 yet)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 9:28 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS Question


I think there are differences between functional levels.

What OS / mode are you running at?

I can say for certain, on my test rig (2k in Native mode) I have set
read-only access to specific zones.

I have not had much luck yet in assigning further permissions such as
adding records.



William


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 08 December 2005 16:05
To: [email protected]
Subject: RE: [ActiveDir] DNS Question


This is a tough one. I followed your link William,
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

Gave a test user Read access to a specific AD-integrated zone. To be
able to connect with the DNS MMC, I still had to give the user Read
access to the server object or the UI would get access denied. So, if
you give the user read access to the server object, even if you specify
"this object only" they can create and delete records with the DNS MMC
even if you specified read only to the AD-integrated zone.


Thanks

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of King, William
Sent: Thursday, December 08, 2005 7:55 AM
To: [email protected]
Subject: RE: [ActiveDir] DNS Question


Hi Johnny,

You can delegate security of the DNS Zone to allow read-only access.

See
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73b2314f-6acf-422a-85bc-c1d04d1d8e00.mspx

The user can run the DNS management snap-in on their local system and
connect to the remote DNS server.




William


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: 07 December 2005 21:56
To: [email protected]
Subject: [ActiveDir] DNS Question


As I am getting ready to migrate a number of zones from a QIP DNS server
to a Microsoft DNS server, I have a concern about giving support folks
access to the DNS MMC. Some folks just need to be able to use the MMC to
troubleshoot, so I thought I would give them "Read Only" access to DNS.
I see dhcp and wins users (view only) but I do not see the same thing
for DNS.

I created a test user in the domain and tried to start the DNS MMC, and
it told me that access was denied. I then went to the DNS server object
and gave the user list and read access to the objects. To my surprise
the test userid was able to add or delete DNS records in the AD DNS
zone. It probably should not be a surprise since the zone is AD
integrated and set to secure updates. I take it this means that as long
as a user is a member of the domain, they CAN create and delete resource
records in DNS. I take it all I did was expose the UI by giving the user
read access to the objects.

How do you mitigate this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator, Network Services, Banner Health
Voice (602) 495-4195  Fax (602) 495-4406


WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This communication (including any attachments) contains information
which is confidential and may also be privileged.


It is for the exclusive use of the intended recipient(s).


If you are not the intended recipient(s), please do not distribute, copy
or use this communication or the information.

Instead, if you have received this communication in error, please notify
the sender immediately and then destroy any copies of it.

Due to the nature of the Internet, the sender is unable to ensure the
integrity of this message and does not accept any liability or
responsibility for any errors or omissions (whether as the result of
this message having been intercepted or otherwise) in the contents of
this message.

Any views expressed in this communication are those of the individual
sender, except where the sender specifically states them to be the views
of the company.