ERROR_ACCESS_DENIED 5 (00000005) when trying to use DNSCMD in a script

  • Thread starter: Al

Al

I am trying to use dnscmd in a PHP script and I get the ERROR_ACCESS_DENIED
5 (00000005). The only way to resolve it is by making IUSR a member of the
administrator group. I have already checked to see if the FileSystem
permissions are what is causing the problem but they were not. I am running
W2k Server with IIS.

Any ideas please.
 
Al said:
I am trying to use dnscmd in a PHP script and I get the
ERROR_ACCESS_DENIED 5 (00000005) . The only way to resolve it is by
making IUSR a member of the administrator group. I have already
checked to see if the FileSystem permissions are what is causing the
problem but it was not. I am running W2k Server with IIS

Any ideas please.

I don't know much about PHP development, but it sounds like you will need to
specify a specific account name to authenticate to perform what you are
trying to do. I believe you can do that in PHP, but I don't know how. Maybe
someone else can post that, or better, www.php.net has forums you can post
that question to and get a more qualified response.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Thanks for your reply,

I was testing the script on my laptop, which is also running W2K Server,
before testing it on the Production Server. On the laptop I have not set up
AD, and not all the groups which are normally created, such as DNSADMINS, were
present. In order to make my script work I had to make the modifications
below, which I found in the Security requirements of this page:
http://www.serverobjects.com/comp/aspdns.htm. Once these modifications were
done I was able to run the script and update my DNS.

However, when I looked at the Production Server, all I had to do was to make
the IUSR account a member of the DNSADMINS group.


 
Al said:
I am trying to use dnscmd in a PHP script and I get the ERROR_ACCESS_DENIED
5 (00000005). The only way to resolve it is by making IUSR a member of the
administrator group. I have already checked to see if the FileSystem
permissions are what is causing the problem but it was not. I am running
W2k Server with IIS

Any ideas please.

What must this script do? Format disk c:?
Just publish it!
 
Al said:
Thanks for your reply,

I was testing the script on my laptop which is also running W2K Server
before testing it on the Production Server. On the laptop I have not
setup AD and not all the groups which are normally created such as
DNSADMINS was present, in order to make my script work I had to make
the modifications below which I found in the Security requirements of
this page http://www.serverobjects.com/comp/aspdns.htm Once these
modifications were done I was able to run the script and update my DNS

However, when I looked at the Production Server, all I had to do was
to make the IUSR account a member of the DNSADMINS group.

I see. Will you be leaving the IUSR account as a member of DNSAdmins? That
would be a security concern.

Ace
 
Thanks for your reply, Ace.

Do you know of a more secure way for me to be able to update the DNS records
for our clients? We need to be able to log into our customers' machines
remotely, but since they have dynamic addresses we have written a script for
their machine to update our DNS server whenever their IP address changes.
 
Al said:
Thanks for your reply Ace,

Do you know of a more secure way for me to be able to update the DNS
records for our clients. We need to be able to log into our customers
machines remotely, but since they have dynamic addresses we have
written a script for their machine to update our DNS server whenever
their ip address changes.

Have you looked into the DNS WMI providers and .NET? I know William Stacey,
MVP (if he reads this post), can help you with some suggestions. I believe
you can specify authentication thru the use of these methods to achieve a
secure connection.

Ace
 
Hmmm. There are lots of interesting solutions available here. Any .Net
experience here or just PHP? Please outline the exact problem again so I can
get a good feel of what you're doing and what some solutions could be. I read
the thread, but did not understand the problem domain exactly. Are web
services (i.e. WSE) an option? etc.
 
Al said:
I am trying to use dnscmd in a PHP script and I get the ERROR_ACCESS_DENIED
5 (00000005) . The only way to resolve it is by making IUSR a member of the
administrator group. I have already checked to see if the FileSystem
permissions are what is causing the problem but it was not. I am running
W2k Server with IIS

Any ideas please.

Well, as your web page is running as the IUSR account, the only way to do it
is to not run it as the IUSR account. Not sure if this will work, but deny
anonymous access to the site so people have to log in. This may cause some
issues with delegation though, unless the DNS server is also hosting the web
site.

I think.
 
We need to be able to log into our clients' computers remotely. However, the majority of them don't have static IP addresses, which is why I am trying to implement a Dynamic DNS type of service for these clients, so that we always know their IP addresses and are able to log into their machines. In order to implement this I wrote a script which runs on the client's machine through Scheduler. This script checks the IP address of the client's machine, and it only contacts our server when the machine's IP address has changed. On the server side I have a PHP script which runs DNSCMD to update the A records on the server. The problem I was having was that when trying to run the script I would get the "ERROR_ACCESS_DENIED 5 (00000005)" error message.

I am open to any other solutions, but my Web Services and .Net expertise is very limited. That said, if you have another, more secure method in mind which would have to utilize Web Services, I am sure I can figure it out with a bit of studying.
 
I take it the clients are not using your DHCP server to get their dynamic IPs? If they are, your DNS should have their updated IPs. If they get them via their local ISP, then yes, you probably need to update. I also take it that you want to log in to the user's machine even if they are not there to allow or disallow it. That is disturbing for many reasons, but that is a policy decision. If they are there and "initiate" the request, then they can send the IP update at that point and you don't need an automated job.

Personally, I would use a WSE web service with one simple method such as UpdateIPAddress(string userName, string domainName, string newIP). Nice thing about WSE is you can host it as a service using TCP only or behind IIS/HTTP, and you can leverage much security stuff like WS-Security and WS-SecureConversation. You will have some learning curve to get up to speed on WSE, but it is well worth it IMO. Naturally, the easy way is to also have WSE on the clients, which requires .Net and WSE on the clients. If that can not be done, then some simple UDP binary message to a UDP listener could be done pretty simply also. HTH

--
William Stacey, MVP
http://mvp.support.microsoft.com
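
A sketch of the single-method update service suggested above, written in Python as an added example (it is not code from any poster in this thread). It authenticates each update with a per-client HMAC, fixes the record name on the server side, validates the address, and produces `dnscmd` argument lists instead of a shell string; the client table, key, server name, TTL and signing format are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

DNS_SERVER = "dns1.example.com"  # hypothetical server name
MAX_SKEW = 300                   # seconds a signed request stays valid
# Constructed sample table: each client has its own key and may touch
# exactly one A record; the record name never comes from the request.
CLIENTS = {
    "acme-office": {"key": b"constructed-demo-key", "zone": "clients.example.com",
                    "node": "acme-office", "current": "203.0.113.7"},
}


def sign_update(user, new_ip, ts, key):
    """Client side: HMAC-SHA256 over every field the server acts on."""
    return hmac.new(key, f"{user}|{new_ip}|{ts}".encode(), hashlib.sha256).hexdigest()


def update_ip_address(user, new_ip, ts, signature, now=None):
    """Server side: verify the request, return dnscmd argument lists to run."""
    client = CLIENTS.get(user)
    if client is None:
        raise ValueError("unknown client")
    expected = sign_update(user, new_ip, ts, client["key"])
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if abs((time.time() if now is None else now) - ts) > MAX_SKEW:
        raise ValueError("stale or replayed request")
    addr = ipaddress.IPv4Address(new_ip)  # ValueError unless a plain dotted quad
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError("address not acceptable for a client record")
    zone, node, old = client["zone"], client["node"], client["current"]
    if str(addr) == old:
        return []  # nothing changed, so dnscmd is not run at all
    commands = []
    if old:
        commands.append(["dnscmd", DNS_SERVER, "/RecordDelete", zone, node, "A", old, "/f"])
    commands.append(["dnscmd", DNS_SERVER, "/RecordAdd", zone, node, "300", "A", str(addr)])
    client["current"] = str(addr)  # a real service would record this only after dnscmd succeeds
    return commands  # run each list as an argument vector, never as a shell string
```

Because the handler only ever emits commands for the one record bound to the authenticated client, the account that runs them needs rights on that zone only, not membership in an administrative group.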

 
Any code samples would be greatly appreciated, especially for the client side, because .Net is not an option there. Also, how much of a security risk is there to have the IUSR in the DNSADMINS group, i.e., how could someone exploit this risk?
 
The IUSR group is a member of the guest group and is designed to allow anonymous access (the world) to your webserver. No telling what the 'world' can exploit if added to the DNSAdmin group.

Ace
 