Hi,
How do I let a non-administrator update a single Primary DNS zone? In this case, adding the account to the DNS Admins group doesn't apply.
This is a Windows 2000 Server. It is part of our Active Directory domain, but the zone in question is a standalone Primary, not AD-integrated. For this reason, the method given in the DNS whitepaper at http://www.microsoft.com/technet/prodtechnol/windows2000serv/plan/w2kdns2.mspx doesn't apply. For reference, the method is:
"By default the DNS Admins group has full control of all zones and records in a Windows 2000 domain in which it is specified. In order for a user to be able to enumerate zones in a specific Windows 2000 domain, the user (or a group the user belongs to) must be enlisted in the DNS Admin group. At the same time it is possible that a domain administrator(s) may not want to grant such a high level of administration (full control) to all users listed in the DNS administrator group. The typical case would be if a domain administrator wanted to grant full control for a specific zone and read only control for other zones in the domain to a set of users. Create the groups; Zone1Admins, Zone2Admins, and so forth for the zones 1,2, and so on respectively. Then the ACL for zone N will contain a group ZoneNAdmins with full control. At the same time all the groups Zone1Admins, Zone2Admins, and so forth will be included in the DNS Admins group. The DNS Admins group should have read permission only. Since a zone's ACL always contains the DNS Admins group, all users enlisted in the Zone1Admins, Zone2Admins, and so forth will have read permission for all the zones in the Domain."
Thanks, Gabriel