While teaching the Windows Server 2008 Directory Services workshop this week a student asked me, “How can I grant access to the DNS MMC to a user that I don’t want to put into the DNS Admins group because I only want them to be able to view the contents of the zones?”   He mentioned that he had been looking for this solution off and on for about a year or so.    As it turns out, I’ve been asked a similar question by a few other customers in the past.   To help make it easier for others to find this same solution, I figured that it would be a good topic for a blog post.

DISCLAIMER:   This information is provided as-is with no warrantee expressed or implied.   To the best of my knowledge, the techniques included are not endorsed by the product group and nor supported by Microsoft.

Traditionally, to grant a user the ability to use the DNS Management MMC (DNSMgmt.msc) to view a Windows DNS server, the user had to be a member of an elevated group such as DNS Admins, Domain Admins, or Enterprise Admins.   The following steps will discuss how to grant access via the DNS Management MMC to a user that is not a member of these groups, nor has any elevated rights on the domain controllers with which DNS is installed.   These steps have not been validated against a DNS server that is not a domain controller.

I began by creating a user named Joe User (JLOLAB1\JoeUser) and granted the user rights to logon to a member server via RDP.   This member server has the DNS Management MMC already installed.   When Joe User launches the MMC and attempts to connect to the Domain Controller, he receives the error “Access is Denied” as illustrated below:

MMC_Access_Is_Denied

Clicking Yes brings me the MMC:

DNS_MMC_As_Non-Admin-Before

As you can see, he is unable to see any information about the DNS Server.

To allow this user the ability to access the DNS Server, I created a group that I called “DNS MMC Read” and placed the user into this group.   I then performed a logoff/logon and verified with “whoami /groups” that the user contains “DNS MMC Read” in its token.

GroupListing

At this point I begin the process of granting access to the MMC to this non-admin user.  

  1. I open the DNS Management MMC as a Domain Admin user.
  2. Right-click the server name and click “Properties”.
  3. Move to the “Security” tab.
  4. Click “Add” and enter in the group name “DNS MMC Read” and click “OK” to close the account selection window.
  5. You will then observe that the group now has the checkbox “Read” selected.   DNS_MMC_Properties
  6. Click “OK” to close the Properties window.

What happened in the background is that it granted this group Read permissions onto the object CN=MicrosoftDNS,CN=System,DC=lab1,DC=jlo:

View_MicrosoftDNS_Perms

Now when JoeUser connects with the DNS Management MMC he sees the following:

DNS_MMC_As_Non-Admin-After

This non-admin user is able to view the contents of the Forward and Reverse Lookup Zones.   He is able to view the properties of the server, but receives an “Access is Denied” error when attempting to change those settings.   He also receives an “Access is Denied” error while trying to view the Event Logs of the DNS server.    These “Access is Denied” errors are expected because the user only has read access to the zones, but not any additional permissions to the server.

I hope you found this post informative and can assist you with managing your DNS infrastructure.