Delegate permissions on AD integrated DNS zone

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello,

As the delegation on an AD integrated zone isn't a
standard feature, you'd expect this to be manageable by
setting specific ACL's on the zone... however I'm kinda
stuck.

I've created an extra zone on my W2K DNS serving DC. I
want to delegate some permissions on this zone to a
security group (e.g. DnsLocalAdmins). I give this group
Full Control on the AD-integrated zone. When I have set
these rights they are able to create, modify or delete
records and sub-dns domains), wonderfull!. However, I do
not want these admins to have the right to delete the
zone, change permissions or modify the owner of the zone.
So, I set additional deny permissions for this group on
the ACL of the zone ('Delete', 'Modify Permissions'
and 'Modify Owner'). After having done that the
DnsLocalAdmins-group have no Access at all to perform any
action in the zone (Access Denied on every action). They
can't even reload the zone.

It seems like there is no in-between. It's either full-
control or no Access at all.

Anybody excperienced this? And is there a way around this
or do I need to write my own interface to make this
possible?

many thanks in advance.
grtz Y
 
In
Hello,

As the delegation on an AD integrated zone isn't a
standard feature, you'd expect this to be manageable by
setting specific ACL's on the zone... however I'm kinda
stuck.

I've created an extra zone on my W2K DNS serving DC. I
want to delegate some permissions on this zone to a
security group (e.g. DnsLocalAdmins). I give this group
Full Control on the AD-integrated zone. When I have set
these rights they are able to create, modify or delete
records and sub-dns domains), wonderfull!. However, I do
not want these admins to have the right to delete the
zone, change permissions or modify the owner of the zone.
So, I set additional deny permissions for this group on
the ACL of the zone ('Delete', 'Modify Permissions'
and 'Modify Owner'). After having done that the
DnsLocalAdmins-group have no Access at all to perform any
action in the zone (Access Denied on every action). They
can't even reload the zone.

It seems like there is no in-between. It's either full-
control or no Access at all.

Anybody excperienced this? And is there a way around this
or do I need to write my own interface to make this
possible?

many thanks in advance.
grtz Y
Click to expand...

Haven't messed with it, by try to specifically specify what permissions they
need by going into the Advanced button to get into the ACE's and the
respective permission entries instead of using Deny in the Standard
Permissions in the ACL. Deny can be a powerful setting and will override any
other settings.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Thanks Ace,

I've tried that, doesn't make any difference. By the way,
I've used the deny for many other purposes in exactly the
same manner when delegating permissions (GPO's, OU's,
Groups). This never caused any problems in AD. But even
with specific permissions (without the deny) delegating
permissions on the dns-zone isn't possible (Access Denied
on every modification). The group has almost Full Control
without just the 'modify permission' and 'modify owner'
(to prevent them from elevating their rights).
It is realy strange, if I set the permissions to have
full control on the child objects and then logon as one
of the delegates, I can see that I have full control (in
the permissions security tab). But when I want to delete
a dns-record it says 'Access Denied' (this is without the
deny)...?

If anyone has a sollution on how to delegate specific
permissions (instead of 'full control')on AD integrated
DNS zones, please respond.
 
In
Thanks Ace,

I've tried that, doesn't make any difference. By the way,
I've used the deny for many other purposes in exactly the
same manner when delegating permissions (GPO's, OU's,
Groups). This never caused any problems in AD. But even
with specific permissions (without the deny) delegating
permissions on the dns-zone isn't possible (Access Denied
on every modification). The group has almost Full Control
without just the 'modify permission' and 'modify owner'
(to prevent them from elevating their rights).
It is realy strange, if I set the permissions to have
full control on the child objects and then logon as one
of the delegates, I can see that I have full control (in
the permissions security tab). But when I want to delete
a dns-record it says 'Access Denied' (this is without the
deny)...?

If anyone has a sollution on how to delegate specific
permissions (instead of 'full control')on AD integrated
DNS zones, please respond.
Click to expand...


Hmm, then I'm not entirely sure. Maybe someon else will offer a suggestion
here.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top