Active Directory Cookbook for Windows Server 2003 and Windows 2000-Active Directory Cookbook for Windows Server 2003 and Windows 2000

[ Team LiB ]

Recipe 13.6 Delegating Control of a Zone

13.6.1 Problem

You want to delegate control of managing the resource records in a zone.

13.6.2 Solution

13.6.2.1 Using a graphical user interface

Open the DNS Management snap-in.
If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones depending on the type of zone.
Click on the name of the zone.
Right-click on the zone and select Properties.
Click on the Security tab.
Click the Add button.
Use the Object Picker to locate the user or group to which you want to delegate control.
Under Permissions, check the Full Control box.
Click OK.

13.6.2.2 Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G[RETURN]
 <UserOrGroup>:GA;;

13.6.2.3 Using VBScript

' This code grants full control for the specified user or group over
' an AD-Integrated zone.
' ------ SCRIPT CONFIGURATION ------
strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
strUserOrGroup = "<UserOrGroup>"  ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------

set objZone = GetObject("LDAP://" & strZoneDN)
'############################
' Constants
'############################

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_ALL = &h10000000

'############################
' Create ACL
'############################

set objSD = objZone.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Full Control
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUserOrGroup
objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
objACE1.AceFlags   = 0
objACE1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

objDACL.AddAce objACE1

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objZone.Put "ntSecurityDescriptor", objSD
objZone.SetInfo
WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup

13.6.3 Discussion

By default, members of the DNSAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD-integrated zones by modifying permissions on the zone object in AD. The solutions show examples for how to grant Full Control to a user or group over a particular zone.

13.6.4 See Also

MS KB 256643 (Unable to Prevent DNS Zone Administrator from Creating New Zones)

[ Team LiB ]