Script a tool for non-sys admin users to modify DNS Records in AD

    Question

  • Our primary goal is to provide a tool/utility that will allow a couple of Operations users (that don't have System Administrator access to our AD servers) to change the IP address of a single DNS A Record easily and without affecting any other DNS records or configuration settings. This is for a Windows 2008 R2 DNS server. We would prefer to give them a tool to simply toggle the IP address between a couple of IP addresses, without installing the Server Admin Tools and allowing them to use the MMC admin console to perform this function.

    I've developed a VBScript script to perform this function, however, since it utilizes WMI, they would need admin access to the DNS Server (which is also a Domain Controller). I have not found a way to programmatically change DNS Server settings using ADSI, which would allow just their AD credentials.

    I'm not necessarily against using the DNSCmd tool and wrapping it with a script that, again, just allows them to change the one A Record between the two IP addresses, but I see from this TechNet web page that apparently it also requires local administrator privileges on the DNS server.

    We see many different permissions on the DNS server that might allow the VBScript WMI calls [Set objDNS = GetObject("winMgmts:\\" & strDNSServer & "\root\MicrosoftDNS")] to access maybe without adding these users' AD accounts to the local Administrators or Server Operators group on the DNS server - something we don't want to do. We see WMI security permissions on the server - even referencing the MicrosoftDNS object, and many others.

    Here's the VBScript:

    Option Explicit
    ' The variables below were not defined in the posted script. The values here are
    ' placeholders for illustration, not values from the original post; set them for your environment.
    Dim strDNSServer, strDomainName, strOwnerShortName, strOwnerName, strIPAddress1, strIPAddress2
    Dim strTitle, strVersion, strRR, intResponse, strNull, objDNS, objRR, objRR2, objOutParam
    strDNSServer      = "dns01.corp.example.com"   ' DNS server (also a domain controller)
    strDomainName     = "corp.example.com"         ' zone name (the WMI ContainerName)
    strOwnerShortName = "app01"                    ' host part of the A record
    strOwnerName      = strOwnerShortName & "." & strDomainName
    strIPAddress1     = "10.0.0.10"                ' the two addresses the record toggles between
    strIPAddress2     = "10.0.0.20"
    strTitle          = "Toggle DNS Record"
    strVersion        = "1.0"
    strRR             = ""

    ' Connecting to root\MicrosoftDNS is the call that needs admin rights on the DNS server
    Set objDNS = GetObject("winMgmts:\\" & strDNSServer & "\root\MicrosoftDNS")
    ' Query the A-record class directly so every returned instance has an IPAddress property
    ' (the base class MicrosoftDNS_ResourceRecord would also return other record types of this owner)
    Set objRR = objDNS.ExecQuery("SELECT * FROM MicrosoftDNS_AType" & _
        " WHERE ContainerName='" & strDomainName & "' AND OwnerName='" & strOwnerName & "'",,48)

    For Each objRR2 In objRR
        Select Case objRR2.IPAddress
            Case strIPAddress1
                strRR = strOwnerName & ". IN A " & strIPAddress2
                intResponse = MsgBox("The """ & strOwnerShortName & """ DNS Record is currently set to the """ & objRR2.IPAddress & """ IP address." & vbCRLF & vbCRLF & _
                    "Would you like to change the IP address to """ & strIPAddress2 & """?", vbYesNo + vbQuestion, strTitle & " v" & strVersion)
            Case strIPAddress2
                strRR = strOwnerName & ". IN A " & strIPAddress1
                intResponse = MsgBox("The """ & strOwnerShortName & """ DNS Record is currently set to the """ & objRR2.IPAddress & """ IP address." & vbCRLF & vbCRLF & _
                    "Would you like to change the IP address to """ & strIPAddress1 & """?", vbYesNo + vbQuestion, strTitle & " v" & strVersion)
            Case Else
                ' The record holds neither expected address: leave it alone instead of replacing it
                MsgBox "The """ & strOwnerShortName & """ DNS Record is set to """ & objRR2.IPAddress & """, which is not one of the two expected addresses. No change was made.", vbOKOnly + vbExclamation, strTitle & " v" & strVersion
                WScript.Quit(2)
        End Select

        Select Case intResponse
            Case vbYes
                ' Delete the current A record from AD
                objRR2.Delete_
            Case vbNo
                ' Exit the script with error status = 1
                WScript.Quit(1)
        End Select
    Next

    ' If the query matched nothing there is no record to replace, and strRR would be empty
    If strRR = "" Then
        MsgBox "No A record for """ & strOwnerName & """ was found in zone """ & strDomainName & """.", vbOKOnly + vbExclamation, strTitle & " v" & strVersion
        WScript.Quit(3)
    End If

    ' Create the new A record from its zone-file text representation
    Set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")

    strNull = objRR.CreateInstanceFromTextRepresentation( _
                      strDNSServer, _
                      strDomainName, _
                      strRR, _
                      objOutParam)

    ' objOutParam is the WMI object path of the record just created
    Set objRR2 = objDNS.Get(objOutParam)

    MsgBox "The """ & Mid(objRR2.OwnerName, 1, Instr(objRR2.OwnerName, ".") - 1) & """ DNS Record is now set to the """ & objRR2.IPAddress & """ IP address.", vbOKOnly + vbInformation, strTitle & " v" & strVersion

    ' Cleanup
    Set objOutParam = Nothing
    Set objRR2 = Nothing
    Set objRR = Nothing
    Set objDNS = Nothing

    

    Can someone please assist us with setting the proper security permissions to allow our VBScript to use the DNS WMI functions with these non-system admin AD accounts?

    Any and all assistance is greatly appreciated!

    Thursday, December 13, 2012 7:32 PM

Answers

  • I kind of like the scheduled task method because there's no permissions to clean up if you discontinue the process.  Delete the scheduled task, and you're done.  All the permission assignments went away with the task.

    Beyond that, it's more restrictive.  You can script a process that will make specific changes to an object, and then assign permissions to the process, and they can only effect those changes.  If you assign permissions to the object, they can make arbitrary changes.

    IMHO


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "



    Thursday, December 13, 2012 11:37 PM
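One way to build the on-demand task this answer describes (and that the thread's last post asks how to implement), as an added PowerShell example that is not code from the thread. All names are assumptions: DNS server DNS01, task Toggle-App01-Record, a service account CORP\svc-dnsflip that holds only the rights the record change needs, an operators group CORP\DNS-App01-Operators, and a non-interactive toggle script C:\Tools\Toggle-DnsRecord.vbs already placed on DNS01 (the question's script with its MsgBox prompts removed, since a scheduled task has no desktop to show them on). Windows 2008 R2 has no ScheduledTasks PowerShell module, so Task Scheduler 2.0 is driven through its Schedule.Service COM interface.

```powershell
# Added example; not code from the thread. All names are placeholders.
$server   = "DNS01"
$taskName = "Toggle-App01-Record"
$runAs    = "CORP\svc-dnsflip"
$opsGroup = New-Object System.Security.Principal.NTAccount("CORP", "DNS-App01-Operators")
$opsSid   = $opsGroup.Translate([System.Security.Principal.SecurityIdentifier]).Value

# --- Admin side, run once: register the task and set who may start it. ---
function Register-ToggleTask {
    param([string]$Server, [string]$TaskName, [string]$RunAs, [string]$RunAsPassword, [string]$OperatorSid)
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect($Server)
    $def = $svc.NewTask(0)
    $def.RegistrationInfo.Description = "Flips the app01 A record; started on demand by DNS-App01-Operators."
    $def.Settings.AllowDemandStart   = $true
    $def.Settings.MultipleInstances  = 2        # TASK_INSTANCES_IGNORE_NEW: a second start while one runs is dropped
    $def.Settings.ExecutionTimeLimit = "PT2M"   # kill a hung instance after two minutes
    # No triggers at all: the task only ever runs when someone with execute rights starts it.
    $action = $def.Actions.Create(0)            # TASK_ACTION_EXEC
    $action.Path      = "C:\Windows\System32\cscript.exe"
    $action.Arguments = "//nologo C:\Tools\Toggle-DnsRecord.vbs"
    # Task security descriptor: Administrators and SYSTEM get full control; the operators get
    # read + execute, which is what starting the task and reading its state need, and nothing
    # that lets them change the command line. The script file itself must also be writable by
    # admins only, otherwise editing it is a way to run arbitrary code as $RunAs.
    $sddl = "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;$OperatorSid)"
    $folder = $svc.GetFolder("\")
    # 6 = TASK_CREATE_OR_UPDATE, 1 = TASK_LOGON_PASSWORD (runs whether or not the account is logged on)
    [void]$folder.RegisterTaskDefinition($TaskName, $def, 6, $RunAs, $RunAsPassword, 1, $sddl)
}

# --- Operator side: start the task, wait for it to finish, report the exit code. ---
function Invoke-ToggleTask {
    param([string]$Server, [string]$TaskName, [int]$TimeoutSec = 120)
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect($Server)                         # needs the "Remote Scheduled Tasks Management" firewall rule on the server
    $folder = $svc.GetFolder("\")
    # No per-run arguments: anything substituted into the action would execute as the task's account.
    [void]$folder.GetTask($TaskName).Run($null)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 2
        $task = $folder.GetTask($TaskName)        # re-fetch so State and LastTaskResult are current
    } while ($task.State -eq 4 -and (Get-Date) -lt $deadline)   # 4 = TASK_STATE_RUNNING
    if ($task.State -eq 4) { throw "$TaskName is still running after $TimeoutSec seconds." }
    # LastTaskResult is cscript's exit code, i.e. the value the VBScript passes to WScript.Quit.
    New-Object PSObject -Property @{ Task = $TaskName; LastRun = $task.LastRunTime; ExitCode = $task.LastTaskResult }
}

# Admin, once:
# Register-ToggleTask -Server $server -TaskName $taskName -RunAs $runAs `
#     -RunAsPassword (Read-Host "Password for $runAs") -OperatorSid $opsSid
# Operator, from their workstation:
# Invoke-ToggleTask -Server $server -TaskName $taskName
```

The equivalent from a plain command prompt is `schtasks /Run /S DNS01 /TN Toggle-App01-Record` followed by `schtasks /Query /S DNS01 /TN Toggle-App01-Record /V /FO LIST`, which shows the last run time and result. The exit code is the only channel back to the operator in this design; if they need more than pass/fail, have the toggle script append one line (timestamp, old address, new address, or the error) to a log file on a share the group can read. Verify once, logged on as a member of the operators group, that the remote connection and the start both succeed before handing the tool over.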

All replies

  • Do you happen to have a SCORCH server?


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Thursday, December 13, 2012 7:40 PM
  • I'm sorry, but I don't know what a SCORCH server is.
    Thursday, December 13, 2012 7:48 PM
  • System Center Orchestrator. 

    You can create this kind of task as a runbook that's executed under admin authority, and then grant arbitrary (non-admin) users permissions to run that runbook script.  It even provides you with a web interface for them to run it from.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Thursday, December 13, 2012 8:15 PM
  • DNS records have security descriptors.  You can just add the users to the permissions for the record and they will be able to change it.

    http://technet.microsoft.com/en-us/library/cc732514.aspx

    You can then just give the users access to DNSCMD and they can edit the record.  Use a batch file to alter the commandline arguments as needed.  You could also just install the DNS GUI tool for the users as it is more friendly.


    ¯\_(ツ)_/¯

    Thursday, December 13, 2012 8:44 PM
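The record-level delegation described in this reply, together with the write that such a delegation actually authorises, as an added PowerShell example that is not code from the thread. All names are assumptions: zone corp.example.com stored AD-integrated with domain-wide replication (so under DC=DomainDnsZones), host app01, domain controller dc01, group CORP\DNS-App01-Operators. The first function is run once by an AD/DNS admin; the second is what a delegated operator's tool would run, rewriting the node's dnsRecord attribute over LDAP under the operator's own credentials, so neither dnscmd, the MicrosoftDNS WMI provider nor any admin group membership is involved. It assumes the DNS server accepts a record whose Serial field it did not write itself, which you should confirm in a lab zone before relying on it.

```powershell
# Added example; not code from the thread. All names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc       = "dc01.corp.example.com"
$zone     = "corp.example.com"
$hostName = "app01"
# Domain-wide AD-integrated zones live under DC=DomainDnsZones, forest-wide ones under
# DC=ForestDnsZones, pre-2003 style zones under CN=System. Check yours with ADSI Edit.
$nodeDn   = "DC=$hostName,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com"

# --- Admin side, run once: let one group read and write this single dnsNode object. ---
function Grant-DnsNodeWrite {
    param([string]$Server, [string]$NodeDn, [string]$Domain, [string]$Group)
    $node = [ADSI]"LDAP://$Server/$NodeDn"
    $sid  = (New-Object System.Security.Principal.NTAccount($Domain, $Group)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    # No property GUID on the ACE, so it covers every attribute of this node, dnsRecord included,
    # but nothing outside the node: the zone and its other records are untouched.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow)
    $node.psbase.ObjectSecurity.AddAccessRule($rule)
    $node.psbase.CommitChanges()
}

# --- Operator side: flip the A record between two addresses by rewriting its dnsRecord blob. ---
# MS-DNSP dnsRecord layout: DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4)
# TtlSeconds(4, big-endian) Reserved(4) TimeStamp(4) Data. For an A record (Type 1) Data is
# the four address bytes in network order, so the address sits at offsets 24..27.
function Get-DnsBlobARecordIp {
    param([byte[]]$Blob)
    if ($Blob.Length -lt 28 -or [BitConverter]::ToUInt16($Blob, 2) -ne 1) { return $null }
    return "{0}.{1}.{2}.{3}" -f $Blob[24], $Blob[25], $Blob[26], $Blob[27]
}

function Switch-DnsARecordViaLdap {
    param([string]$Server, [string]$NodeDn, [string]$IpA, [string]$IpB)
    # Binds with the caller's own credentials (Negotiate); the record ACE is the only right used.
    $conn   = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
                  $NodeDn, "(objectClass=dnsNode)",
                  [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@("dnsRecord"))
    $entry  = $conn.SendRequest($search).Entries[0]
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = "dnsRecord"
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $result = $null
    # dnsRecord is multi-valued (one value per record on the node): keep every value as it is
    # and patch only the A record that currently carries one of the two addresses.
    foreach ($blob in $entry.Attributes["dnsRecord"].GetValues([byte[]])) {
        $copy    = [byte[]]$blob.Clone()
        $current = Get-DnsBlobARecordIp $copy
        $target  = $null
        if ($current -eq $IpA) { $target = $IpB } elseif ($current -eq $IpB) { $target = $IpA }
        if ($target) {
            [Array]::Copy([System.Net.IPAddress]::Parse($target).GetAddressBytes(), 0, $copy, 24, 4)
            $result = $target
        }
        [void]$mod.Add($copy)
    }
    if (-not $result) { throw "No A record with $IpA or $IpB found on $NodeDn; nothing written." }
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $NodeDn
    [void]$req.Modifications.Add($mod)
    [void]$conn.SendRequest($req)
    return $result      # the address the record now points to
}

# Admin, once:
# Grant-DnsNodeWrite -Server $dc -NodeDn $nodeDn -Domain "CORP" -Group "DNS-App01-Operators"
# Operator tool:
# Switch-DnsARecordViaLdap -Server $dc -NodeDn $nodeDn -IpA "10.0.0.10" -IpB "10.0.0.20"
```

The DACL on the dnsNode governs writes to that directory object; whether the DNS RPC interface behind dnscmd, the MMC and the WMI provider also honours it is not settled in this thread, so the LDAP path is the one this delegation guarantees. The server picks the change up when it next polls the directory; the blob's TTL, Rank and Serial are left exactly as they were. Note that write access to a node is write access to every record stored on that node, and that the IP comparison is a plain string match, so use the dotted form the server stores.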
  • Hi mjolinor,

    No, we don't use System Center. I'm trying to think about how I might implement the same thing using VBScript or AutoIt.

    Thursday, December 13, 2012 9:14 PM
  • Hi jrv,

    I'll look more into the DACL information that you provided a link to. I'm still trying to find a way to install the DNSCmd utility on a Win7 PC so I can test it, but I'm concerned that this won't get me any further than VBScript/WMI based on these requirements from this TechNet page (especially the italicized information below):

    Source Computer Requirements

    The following are the system requirements for the source computer:

    Dnscmd.exe

    User's membership in the Administrators or Server Operators group on the target computer. Both the user account and the server computer must be members of the same domain or reside within trusted domains.

    In addition, we would rather not have to install the DNS GUI tool and allow them to see all of the DNS Zones and Records - we'd prefer to provide them with this "dummy proof tool" that will only do what we are coding it to do.


    Thursday, December 13, 2012 9:22 PM
  • I've done similar things in the past using scheduled tasks, creating the task to run under an admin ID, and then giving the user permission to run the task on demand.

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Thursday, December 13, 2012 9:29 PM
  • With DNS we do not need to do that.  Just delegate the permission on the resource record to a group and add the members to the group. It is the BP method.

    I know all of you old farts like to do things the old fashioned way but I am way older than you and still see nothing to be gained by doing things the hard way.

    ;)


    ¯\_(ツ)_/¯


    • Edited by jrv Thursday, December 13, 2012 10:19 PM
    Thursday, December 13, 2012 10:19 PM
  • Hi mjolinor,

    I'm very intrigued by your suggested solution. How would you suggest I go about implementing your solution? How would I grant the user permissions to execute the on-demand script on the server, and how could I pass information to the user (it worked or there was an error)?

    Monday, December 17, 2012 9:40 PM