DNSAdmins Group Permissions

  • Thread starter Thread starter Tony
  • Start date Start date
T

Tony

Hello,

I recently added a user to the DNS Admins group on Win2003 AD
(native). Everything appears fine except for the fact that he must use
remote tools and the dns event viewer portion is apparently restricted
to this account. How can I give this user access to the dns event
viewer ONLY? The event viewer that is being used is the one that is
part of the dnsmgmt snap-in. DNS runs on many domain controllers so
access controll must be handled per domain and not per server. The
user can not belong to domain admins or any other group that elevates
permissions beyond that of dns capabilities.

Thanks!!!
Tony
 
Hello Tony,

Thank you for choosing Microsoft and for using our Newsgroups. I have
reviewed the information you have provided this far. My understanding of
the issue is the following:

You have a DNS Admin that you only want to have access to the DNS event
logs.

RESOLUTION:
============

The only way I know to allow this is to perform the steps below:

Obtain DnsAdmins group SID and Create CustomerSD string
----------------------------------------------------------------------------
--------
-------------------------------------------

1. Obtain the SID of the DnsAdmins group (use whoami.exe, getsid.exe from
support
tools, etc.).

2. Get the current "CustomSD" registry setting for the DNS Server Event
Logs:
In the registry editor, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\DNS
Server\CustomSD
Copy the value of CustomSD regkey.


The Security Descriptor for the log is specified by using Security
Descriptor
Definition Language (SDDL) syntax. For more information about SDDL syntax,
see the
Platform SDK, or visit the Microsoft Web site at
http://msdn.microsoft.com/library/en-us/security/security/security_descripto
r_string
_format.asp

To construct an SDDL string, note that there are three distinct rights that
pertain
to event logs: Read, Write, and Clear. These rights correspond to the
following
bits in the access rights field of the ACE string: 1=Read, 2=Write, 4=Clear

The following is a sample SDDL that shows the default SDDL string for the
DNS
Server log.

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A
;;0x7;;
;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)


3. In a text editor such as Notepad, paste the value of CustomSD obtained
from
Step2 and then append (A;;0x1;;;DnsAdmins_SID_from_Step1) to it. For
example, if
the DnsAdmins group SID is S-1-5-21-959043136-1542833493-4111446348-1106,
then
append (A;;0x1;;;S-1-5-21-959043136-1542833493-4111446348-1106). This will
give
Read rights to DnsAdmins group. To give Read and Clear rights, change 0x1
to 0x5 -
for example, (A;;0x5;;;S-1-5-21-959043136-1542833493-4111446348-1106).
This is the
new SDDL string which we will use later.



a) Use Registry to set DNS Server Event Log security Locally (on a single
machine)
----------------------------------------------------------------------------
--------
-------------------------------------------

WARNING: If you use Registry Editor incorrectly, you may cause serious
problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee
that you can solve problems that result from using Registry Editor
incorrectly. Use
Registry Editor at your own risk.


The security of DNS Server Event Log is configured locally through the
values in
the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\DNS
Server\CustomSD

Set this registry value to the new SDDL string.



b) Use Group Policy to set DNS Server Event Log security for a Domain,
Site, or
Organizational Unit in Active Directory
----------------------------------------------------------------------------
--------
-------------------------------------------

1. Back up the %windir%\Inf\Sceregvl.inf file to a known location.

2. Use a text editor such as Notepad to open the Sceregvl.inf in the
%windir%\Inf
folder.

3. Add the following lines to the [Register Registry Values] section:

; Event Log - Dns Server
MACHINE\System\CurrentControlSet\Services\Eventlog\DNS
Server\CustomSD,1,%DnsCustomSD%,2

4. Add the following lines to the [Strings] section:

; Event Log - Dns Server
DnsCustomSD="Event Log: Dns Server Event Log Security Descriptor"


5. Save the changes you made to the Sceregvl.inf file, and then run the
"regsvr32
scecli.dll" (without the quotation marks) command.

6. Start Gpedit.msc, and then double-click the following branches to expand
them:
"Computer Configuration"
"Windows Settings"
"Security Settings"
"Local Policies"
"Security Options"

7. View the right panel to ensure the new "Event Log" setting exists.



Use Group Policy to set DNS Server Event Log security
------------------------------------------------------
1. In the Active Directory Sites and Services snap-in or the Active
Directory Users
and Computers snap-in, right-click the object for which you want to set the
policy,
and then click "Properties".

2. Click the "Group Policy" tab.

3. If you must create a new policy, click "New", and then define the
policy's name.
Otherwise, go to step 5.

4. Select the policy that you want, and then click "Edit". The Local Group
Policy
MMC snap-in appears.

5. In the Group Policy MMC snap-in, double-click the following branches to
expand
them:
"Computer Configuration"
"Windows Settings"
"Security Settings"
"Local Policies"
"Security Options"

6. Double-click "Event Log: Dns Server Event Log Security Descriptor", type
the new SDDL string, and then click "OK".



Best Regards,

James Raines
Microsoft Corporation
 
WOW! Thanks for taking the time to explain in such detail.
Unfortunately, such a simple request will take a bit of work on my
part. I will give this a try in a test environment. I hope Microsoft
can address this issue in the future so that dns admins can administer
dns AND look at the logs (dns event viewer) without such difficulty.

Thanks again!
Tony
 
Back
Top