DNSAdmins Group Permissions

Archived from groups: microsoft.public.win2000.dns


I recently added a user to the DNS Admins group on Win2003 AD
(native). Everything appears fine except for the fact that he must use
remote tools and the dns event viewer portion is apparently restricted
to this account. How can I give this user access to the dns event
viewer ONLY? The event viewer that is being used is the one that is
part of the dnsmgmt snap-in. DNS runs on many domain controllers so
access control must be handled per domain and not per server. The
user can not belong to domain admins or any other group that elevates
permissions beyond that of dns capabilities.

  1.

    Hello Tony,

    Thank you for choosing Microsoft and for using our Newsgroups. I have
    reviewed the information you have provided this far. My understanding of
    the issue is the following:

    You have a DNS Admin that you only want to have access to the DNS event


    The only way I know to allow this is to perform the steps below:

    Obtain DnsAdmins group SID and Create CustomSD string

    1. Obtain the SID of the DnsAdmins group (use whoami.exe, getsid.exe from
    tools, etc.).

    2. Get the current "CustomSD" registry setting for the DNS Server Event
    In the registry editor, go to
    Copy the value of CustomSD regkey.

    The Security Descriptor for the log is specified by using Security
    Definition Language (SDDL) syntax. For more information about SDDL syntax,
    see the
    Platform SDK, or visit the Microsoft Web site at

    To construct an SDDL string, note that there are three distinct rights that
    to event logs: Read, Write, and Clear. These rights correspond to the
    bits in the access rights field of the ACE string: 1=Read, 2=Write, 4=Clear

    The following is a sample SDDL that shows the default SDDL string for the
    Server log.


    3. In a text editor such as Notepad, paste the value of CustomSD obtained
    Step 2 and then append (A;;0x1;;;DnsAdmins_SID_from_Step1) to it. For
    example, if
    the DnsAdmins group SID is S-1-5-21-959043136-1542833493-4111446348-1106,
    append (A;;0x1;;;S-1-5-21-959043136-1542833493-4111446348-1106). This will
    Read rights to DnsAdmins group. To give Read and Clear rights, change 0x1
    to 0x5 -
    for example, (A;;0x5;;;S-1-5-21-959043136-1542833493-4111446348-1106).
    This is the
    new SDDL string which we will use later.

    a) Use Registry to set DNS Server Event Log security Locally (on a single

    WARNING: If you use Registry Editor incorrectly, you may cause serious
    that may require you to reinstall your operating system. Microsoft cannot
    that you can solve problems that result from using Registry Editor
    incorrectly. Use
    Registry Editor at your own risk.

    The security of DNS Server Event Log is configured locally through the
    values in
    the following registry key:

    Set this registry value to the new SDDL string.

    b) Use Group Policy to set DNS Server Event Log security for a Domain,
    Site, or
    Organizational Unit in Active Directory

    1. Back up the %windir%\Inf\Sceregvl.inf file to a known location.

    2. Use a text editor such as Notepad to open the Sceregvl.inf in the

    3. Add the following lines to the [Register Registry Values] section:

    ; Event Log - Dns Server

    4. Add the following lines to the [Strings] section:

    ; Event Log - Dns Server
    DnsCustomSD="Event Log: Dns Server Event Log Security Descriptor"

    5. Save the changes you made to the Sceregvl.inf file, and then run the
    scecli.dll" (without the quotation marks) command.

    6. Start Gpedit.msc, and then double-click the following branches to expand
    "Computer Configuration"
    "Windows Settings"
    "Security Settings"
    "Local Policies"
    "Security Options"

    7. View the right panel to ensure the new "Event Log" setting exists.

    Use Group Policy to set DNS Server Event Log security
    1. In the Active Directory Sites and Services snap-in or the Active
    Directory Users
    and Computers snap-in, right-click the object for which you want to set the
    and then click "Properties".

    2. Click the "Group Policy" tab.

    3. If you must create a new policy, click "New", and then define the
    policy's name.
    Otherwise, go to step 5.

    4. Select the policy that you want, and then click "Edit". The Local Group
    MMC snap-in appears.

    5. In the Group Policy MMC snap-in, double-click the following branches to
    "Computer Configuration"
    "Windows Settings"
    "Security Settings"
    "Local Policies"
    "Security Options"

    6. Double-click "Event Log: Dns Server Event Log Security Descriptor", type
    the new SDDL string, and then click "OK".

    Best Regards,

    James Raines
    Microsoft Corporation

    This posting is provided "AS IS" with no warranties, and confers no rights.
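    An added worked example (not from the original post or from Microsoft) of the SDDL edit in step 3 above: it parses the DACL of a CustomSD string, appends the DnsAdmins ACE using the 1=Read, 2=Write, 4=Clear event-log rights, and reads back which of those rights a SID actually ends up with. The starting CustomSD, the well-known SIDs in it and the deny case are constructed assumptions; only hex access masks like the post's 0x1/0x5 are parsed.

```python
import re

# Event-log rights as given in the answer: 1=Read, 2=Write, 4=Clear.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4
ALL_LOG_RIGHTS = READ | WRITE | CLEAR

# Constructed sample CustomSD (NOT the real default, which is missing from the
# page): SYSTEM and Administrators get all three rights, Backup Operators read.
SAMPLE_CUSTOMSD = "O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)"

# D: then optional DACL flags (P, AI, AR) then one or more (...) ACEs.
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL's ACEs as (ace_type, hex mask, sid) tuples."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL with ACEs found in SDDL string")
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        # ACE string fields: type;flags;rights;object_guid;inherit_guid;sid
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")
        aces.append((ace_type, int(rights, 16), sid))
    return aces


def add_ace(sddl, sid, mask, ace_type="A"):
    """Append (A;;mask;;;sid) to the DACL, as step 3 of the answer describes."""
    if mask & ~ALL_LOG_RIGHTS:
        raise ValueError("mask 0x%x uses bits outside Read/Write/Clear" % mask)
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-\d+", sid):
        raise ValueError("expected a domain group SID, got %r" % sid)
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL with ACEs found in SDDL string")
    ace = "(%s;;0x%x;;;%s)" % (ace_type, mask, sid)
    # Insert right after the existing ACEs so a trailing S: (SACL) part survives.
    return sddl[:m.end()] + ace + sddl[m.end():]


def effective_rights(sddl, sid):
    """Rights a SID is granted: its allow bits minus any bits an ACE denies it."""
    allowed = denied = 0
    for ace_type, mask, ace_sid in parse_dacl(sddl):
        if ace_sid != sid:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return allowed & ~denied
```

    Group membership (DnsAdmins containing the user) is resolved by Windows at access-check time, so the function only reports what the group's own ACEs grant.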
  2.

    WOW! Thanks for taking the time to explain in such detail.
    Unfortunately, such a simple request will take a bit of work on my
    part. I will give this a try in a test environment. I hope Microsoft
    can address this issue in the future so that dns admins can administer
    dns AND look at the logs (dns event viewer) without such difficulty.

    Thanks again!