DNSAdmins Group Permissions

October 13, 2004 5:26:18 PM

Archived from groups: microsoft.public.win2000.dns


I recently added a user to the DNS Admins group on Win2003 AD
(native). Everything appears fine except for the fact that he must use
remote tools and the dns event viewer portion is apparently restricted
to this account. How can I give this user access to the dns event
viewer ONLY? The event viewer that is being used is the one that is
part of the dnsmgmt snap-in. DNS runs on many domain controllers so
access control must be handled per domain and not per server. The
user cannot belong to domain admins or any other group that elevates
permissions beyond that of dns capabilities.

October 14, 2004 5:02:40 PM


Hello Tony,

Thank you for choosing Microsoft and for using our Newsgroups. I have
reviewed the information you have provided this far. My understanding of
the issue is the following:

You have a DNS Admin that you only want to have access to the DNS event


The only way I know to allow this is to perform the steps below:

Obtain DnsAdmins group SID and Create CustomerSD string

1. Obtain the SID of the DnsAdmins group (use whoami.exe, getsid.exe from
tools, etc.).

2. Get the current "CustomSD" registry setting for the DNS Server Event
In the registry editor, go to
Copy the value of CustomSD regkey.

The Security Descriptor for the log is specified by using Security
Definition Language (SDDL) syntax. For more information about SDDL syntax,
see the
Platform SDK, or visit the Microsoft Web site at

To construct an SDDL string, note that there are three distinct rights that
to event logs: Read, Write, and Clear. These rights correspond to the
bits in the access rights field of the ACE string: 1=Read, 2=Write, 4=Clear

The following is a sample SDDL that shows the default SDDL string for the
Server log.

O:BAG:SYD:( D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A

3. In a text editor such as Notepad, paste the value of CustomSD obtained
Step 2 and then append (A;;0x1;;;DnsAdmins_SID_from_Step1) to it. For
example, if the DnsAdmins group SID is
S-1-5-21-959043136-1542833493-4111446348-1106, append
(A;;0x1;;;S-1-5-21-959043136-1542833493-4111446348-1106). This will
Read rights to DnsAdmins group. To give Read and Clear rights, change 0x1
to 0x5 - for example, (A;;0x5;;;S-1-5-21-959043136-1542833493-4111446348-1106).
This is the new SDDL string which we will use later.

a) Use Registry to set DNS Server Event Log security Locally (on a single

WARNING: If you use Registry Editor incorrectly, you may cause serious
that may require you to reinstall your operating system. Microsoft cannot
that you can solve problems that result from using Registry Editor
incorrectly. Use
Registry Editor at your own risk.

The security of DNS Server Event Log is configured locally through the
values in
the following registry key:

Set this registry value to the new SDDL string.

b) Use Group Policy to set DNS Server Event Log security for a Domain, Site, or
Organizational Unit in Active Directory

1. Back up the %windir%\Inf\Sceregvl.inf file to a known location.

2. Use a text editor such as Notepad to open the Sceregvl.inf in the

3. Add the following lines to the [Register Registry Values] section:

; Event Log - Dns Server

4. Add the following lines to the [Strings] section:

; Event Log - Dns Server
DnsCustomSD="Event Log: Dns Server Event Log Security Descriptor"

5. Save the changes you made to the Sceregvl.inf file, and then run the
scecli.dll" (without the quotation marks) command.

6. Start Gpedit.msc, and then double-click the following branches to expand
"Computer Configuration"
"Windows Settings"
"Security Settings"
"Local Policies"
"Security Options"

7. View the right panel to ensure the new "Event Log" setting exists.

Use Group Policy to set DNS Server Event Log security
1. In the Active Directory Sites and Services snap-in or the Active Directory Users
and Computers snap-in, right-click the object for which you want to set the
and then click "Properties".

2. Click the "Group Policy" tab.

3. If you must create a new policy, click "New", and then define the policy's name.
Otherwise, go to step 5.

4. Select the policy that you want, and then click "Edit". The Local Group
MMC snap-in appears.

5. In the Group Policy MMC snap-in, double-click the following branches to
"Computer Configuration"
"Windows Settings"
"Security Settings"
"Local Policies"
"Security Options"

6. Double-click "Event Log: Dns Server Event Log Security Descriptor", type
the new SDDL string, and then click "OK".

Best Regards,

James Raines
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
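
One way to check an edited CustomSD string before it is written to the registry or typed into the Group Policy setting, as an added example that is not part of this thread and not a Microsoft tool: the Python script below parses the DACL of an SDDL string, appends the (A;;0x1;;;SID) or (A;;0x5;;;SID) ACE the reply describes, refuses any mask that reaches outside the three event-log bits (1=Read, 2=Write, 4=Clear), and reports which trustees can write to or clear the log. The sample default string is a constructed completion, because the archive truncates the real one after "(A"; the DnsAdmins SID is the one the reply uses as its example. Group nesting is not resolved, and symbolic rights strings (as opposed to hex masks) are treated as out of scope.

```python
import re

# Event-log access-right bits, as given in the reply: 1=Read, 2=Write, 4=Clear.
EVENTLOG_READ = 0x1
EVENTLOG_WRITE = 0x2
EVENTLOG_CLEAR = 0x4
EVENTLOG_ALL = EVENTLOG_READ | EVENTLOG_WRITE | EVENTLOG_CLEAR
RIGHT_NAMES = {EVENTLOG_READ: "Read", EVENTLOG_WRITE: "Write", EVENTLOG_CLEAR: "Clear"}

# The archived reply truncates the default CustomSD after "(A"; this sample is a
# constructed completion for illustration only, not the real default value.
SAMPLE_CUSTOMSD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
                   "(A;;0xf0007;;;SY)(A;;0x7;;;BA)")

# Owner, group, DACL flags, DACL ACEs, and an optional SACL ("S:...") at the end.
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>[^:]+?))?(?:G:(?P<group>[^:]+?))?"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)(?P<sacl>S:.*)?$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_aces(sddl):
    """Split the DACL of an SDDL string into dicts with type, flags, rights (int), trustee."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL string with a DACL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _iobj, trustee = fields
        if not rights.lower().startswith("0x"):
            # Event-log CustomSD values use hex masks; symbolic rights are out of scope here.
            raise ValueError("non-hex rights mask in ACE: (%s)" % body)
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": int(rights, 16), "trustee": trustee})
    return aces


def describe_rights(mask):
    """Name the event-log bits in a mask; anything above 0x7 is a standard/generic right."""
    names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
    if mask & ~EVENTLOG_ALL:
        names.append("other(0x%x)" % (mask & ~EVENTLOG_ALL))
    return names


def effective_rights(sddl, trustee):
    """Event-log rights a trustee gets from ACEs that name it directly (deny wins).
    Group nesting is not resolved: pass the SID or well-known alias the ACE names."""
    allowed = denied = 0
    for ace in parse_aces(sddl):
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "A":
            allowed |= ace["rights"]
        elif ace["type"] == "D":
            denied |= ace["rights"]
    granted = allowed & ~denied
    return {name for bit, name in RIGHT_NAMES.items() if granted & bit}


def audit_write_and_clear(sddl):
    """Trustees whose allow ACEs include Write or Clear, i.e. who could tamper with the log."""
    result = {}
    for ace in parse_aces(sddl):
        if ace["type"] == "A" and ace["rights"] & (EVENTLOG_WRITE | EVENTLOG_CLEAR):
            result[ace["trustee"]] = set(describe_rights(ace["rights"] & EVENTLOG_ALL))
    return result


def append_eventlog_ace(sddl, sid, rights):
    """Append an allow ACE as the reply describes: (A;;0x1;;;SID) for Read,
    (A;;0x5;;;SID) for Read+Clear. Masks outside the three event-log bits are
    refused so a typo cannot hand out standard rights; a SID already named in the
    DACL is refused so the edit stays explicit."""
    if not SID_RE.match(sid):
        raise ValueError("expected a SID such as S-1-5-21-..., got %r" % sid)
    if rights == 0 or rights & ~EVENTLOG_ALL:
        raise ValueError("mask 0x%x is not a combination of Read/Write/Clear" % rights)
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an SDDL string with a DACL: %r" % sddl)
    if any(ace["trustee"] == sid for ace in parse_aces(sddl)):
        raise ValueError("SID %s already has an ACE; edit it rather than appending" % sid)
    new_ace = "(A;;0x%x;;;%s)" % (rights, sid)
    # Keep the new ACE inside the DACL, ahead of any SACL that follows it.
    sacl = m.group("sacl") or ""
    prefix = sddl[: len(sddl) - len(sacl)]
    return prefix + new_ace + sacl


if __name__ == "__main__":
    dns_admins = "S-1-5-21-959043136-1542833493-4111446348-1106"  # SID used in the reply
    read_only = append_eventlog_ace(SAMPLE_CUSTOMSD, dns_admins, EVENTLOG_READ)
    print(read_only)
    print("DnsAdmins gets:", effective_rights(read_only, dns_admins))
    print("Can write or clear the log:", audit_write_and_clear(read_only))
```

Run it on the CustomSD value copied from the registry instead of SAMPLE_CUSTOMSD; the audit output is the thing to look at after the change, since the DnsAdmins entry should show up only under effective_rights and not in the write/clear list when 0x1 is used.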

October 14, 2004 7:43:04 PM


WOW! Thanks for taking the time to explain in such detail.
Unfortunately, such a simple request will take a bit of work on my
part. I will give this a try in a test environment. I hope Microsoft
can address this issue in the future so that dns admins can administer
dns AND look at the logs (dns event viewer) without such difficulty.

Thanks again!