Active Directory DDNS security delegation question

Duncan
Apr 27, 2004
Archived from groups: microsoft.public.win2000.dns (More info?)

I need to be able to delegate the deletion of records to a group in
our organization that manages servers. These users are not domain
admins. I know that there is a DNS Administrators group, but that
grants WAY too much. I looked through all of the security principals on
the objects for the zone, but could find nothing that made sense to
me. Nothing that I could attach to allowing only record deletion.

Is there any way to do this? If not, is there some combination of
limited rights that could come close?
 
Guest

"" wrote:
> I need to be able to delegate the deletion of records to a group in
> our organization that manages servers. These users are not domain
> admins. I know that there is a DNS Administrators group, but that
> grants WAY too much. I looked through all of the security principals on
> the objects for the zone, but could find nothing that made sense to
> me. Nothing that I could attach to allowing only record deletion.
>
> Is there any way to do this? If not, is there some combination of
> limited rights that could come close?

Also remember that if you allow them to delete records, problems could
occur if the wrong records are deleted.

What is the reason behind this delegation question?

Do you want to remove records from servers and/or clients that do not
exist anymore? If so, you might want to enable DNS scavenging.
Look at: http://myitforum.techtarget.com/articles/16/view.asp?id=6287

 

Duncan

I am using scavenging now, but it is mandated at intervals that do not
help with the problem we see. The reason for this is that we have server
engineers who may have to rebuild servers that they cannot unjoin
from the domain for one reason or another.

I am aware that they can remove undesired records, but DDNS re-creates
them anyway. We have very few and tightly controlled static entries
that could be easily recreated if needed.

It is a risk that is acceptable for this group, but I do not want to
add to that risk the possibility for them to create or delete zones or
any other functions. If possible, I do not want them creating records
either.


>
> Also remember that if you allow them to delete records, problems could
> occur if the wrong records are deleted.
>
> What is the reason behind this delegation question?
>
> Do you want to remove records from servers and/or clients that do not
> exist anymore? If so, you might want to enable DNS scavenging.
> Look at: http://myitforum.techtarget.com/articles/16/view.asp?id=6287
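The delegation the original poster is asking for (record deletion on one AD-integrated zone, without DnsAdmins membership and without any right to create or delete zones) can be expressed as two ACEs on the zone's object in Active Directory. The script below is an added example, written for this page and not taken from the thread or from Microsoft documentation. The zone name, group name, domain DN and the choice of the DomainDnsZones partition are all hypothetical placeholders, and it assumes a DC with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); on Windows 2000 the same two ACEs can be set by hand in ADSI Edit or with dsacls.

```powershell
# Added example, not from the original thread: delegate deletion of existing
# records in one AD-integrated zone to a server-engineer group by editing the
# zone object's ACL in Active Directory directly, instead of adding the group
# to DnsAdmins.
#
# Assumed (hypothetical) names; change all of them for your environment:
$Zone   = 'corp.example.com'                 # the AD-integrated zone
$Group  = 'ServerEngineers'                  # non-admin group to delegate to
$Domain = 'DC=corp,DC=example,DC=com'        # domain NC holding the zone

# Assumes the zone is stored in the DomainDnsZones application partition.
# Windows 2000-style zones live under CN=MicrosoftDNS,CN=System,<domain>
# instead; pick the container that actually holds your zone (check in ADSI
# Edit). Nothing is granted on CN=MicrosoftDNS itself, so the group cannot
# create or delete zones.
$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$Domain"

Import-Module ActiveDirectory

# Resolve the group's SID and the schemaIDGUID of the dnsNode class, so the
# ACEs can be scoped to DNS nodes only rather than to every object class.
$GroupSid    = (Get-ADGroup -Identity $Group).SID
$SchemaNC    = (Get-ADRootDSE).schemaNamingContext
$DnsNodeGuid = [guid](Get-ADObject -SearchBase $SchemaNC `
    -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID).schemaIDGUID

$Acl = Get-Acl -Path "AD:\$ZoneDN"

# ACE 1 (on the zone object itself, not inherited): allow deleting child
# objects of class dnsNode only. No CreateChild, so the group cannot add new
# names to the zone, and no rights on the zone object's own attributes.
$DeleteNodes = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $DnsNodeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# ACE 2 (inherited by existing and future dnsNode children only): allow
# Delete and WriteProperty on each node. WriteProperty is included because
# the DNS server removes a record by rewriting the node's dnsRecord attribute
# (and tombstoning the node when its last record goes) rather than issuing a
# plain LDAP delete. This also lets the group edit records in existing nodes,
# which is the "comes close" trade-off; verify in a lab that this right set
# matches your DNS server version before rolling it out.
$EditNodes = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $DnsNodeGuid)

$Acl.AddAccessRule($DeleteNodes)
$Acl.AddAccessRule($EditNodes)
Set-Acl -Path "AD:\$ZoneDN" -AclObject $Acl

# Check: the group should show exactly these two ACEs on this zone, and no
# entries on CN=MicrosoftDNS or on any other zone.
(Get-Acl -Path "AD:\$ZoneDN").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

Two points worth checking after applying this. First, the ACL is per zone, so the group gets nothing on other zones or on the MicrosoftDNS container, which is what keeps zone creation and deletion out of reach. Second, as the thread itself notes, dynamic update will re-register a record from a live host, so this delegation only removes stale entries; it does not by itself prevent a rebuilt server from re-creating them.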