Rights to view DNS

  • Rights to view DNS


    I am trying to give view/read rights to DNS for non-administrators.

    So far I tried:

    Right click the server, security tab and add the user account and gave read permission.
    This gave them rights to even create records.

    I also tried special permissions - list contents. With this, no rights were given; the user cannot see the DNS.

    Any clues?


  • #2
    Re: Rights to view DNS

    Suggested reading:
    Best Practices for Delegating Active Directory Administration and Best Practices for Delegating Active Directory Administration Appendices (this is where the actual details are)

    Btw, if the zone has Secure DDNS enabled, all the authenticated accounts are allowed to create child objects in the zone. This is rather expected, if you think of it.

    Why would you want to give someone such a level of access?
    Is there anything that cannot be done using standard DNS client utilities like nslookup/dig/etc.?
    The only difference I can think of is the ability to enumerate all the records in a given zone - something that can be proxied via a dedicated service account and the result exported to a text file or something similar (you can wrap the task with CPAU).
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Re: Rights to view DNS

      I suggest you enable secure updates only; I think you can use the Delegation of Control wizard to do this, assigning those you wish read-only access.
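
Added example, not code from any poster in this thread: a PowerShell sketch of the two points raised in reply #2, listing which principals hold write-type rights on an AD-integrated zone object (where the Authenticated Users "create child" entry shows up) and exporting the zone's records to a file that non-administrators can read. The zone name and export path are assumed placeholders; it expects the DnsServer and ActiveDirectory RSAT modules, run on the DNS server under an account that can read the zone.

```powershell
Import-Module DnsServer, ActiveDirectory

$ZoneName   = 'corp.example.com'        # assumption: placeholder zone name
$ExportPath = 'C:\DnsExport\zone.csv'   # assumption: folder the viewers can read

$zone = Get-DnsServerZone -Name $ZoneName
if (-not $zone.IsDsIntegrated) {
    throw "$ZoneName is not AD-integrated, so it has no zone object ACL in AD."
}

# 1. Audit: allow ACEs on the zone object that let a principal create,
#    delete or modify records, or change the permissions themselves.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]`
    'CreateChild, DeleteChild, WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

(Get-Acl -Path "AD:\$($zone.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band [int]$writeRights)
    } |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize

# 2. Read-only view: dump the records to CSV instead of granting console access.
#    Only common record types are flattened; others get an empty Data column.
Get-DnsServerResourceRecord -ZoneName $ZoneName |
    Select-Object HostName, RecordType, Timestamp,
        @{ n = 'TTL';  e = { $_.TimeToLive.ToString() } },
        @{ n = 'Data'; e = {
            switch ($_.RecordType) {
                'A'     { $_.RecordData.IPv4Address }
                'AAAA'  { $_.RecordData.IPv6Address }
                'CNAME' { $_.RecordData.HostNameAlias }
                'MX'    { $_.RecordData.MailExchange }
                'NS'    { $_.RecordData.NameServer }
                'PTR'   { $_.RecordData.PtrDomainName }
                'TXT'   { $_.RecordData.DescriptiveText }
                default { '' }
            }
        } } |
    Export-Csv -Path $ExportPath -NoTypeInformation
```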