Can we remove the Authenticated Users permission for DNS record Creation

  • Question

  • Hi experts,

    On our DNS server, "Authenticated Users" has the "create child objects" permission on all zones. I think this permission was given long back. Now our management have asked to remove all UNWANTED permissions of users.

    Due to this "Authenticated Users" permission, a normal domain user is able to create and delete records.

    1. I am going to remove this permission. Will domain machines update the DNS records dynamically?

    Please suggest.

    Monday, November 17, 2014 2:52 PM

Answers

  • Hi,

    I am going to remove this permission. Will domain machines update the DNS records dynamically ?

    No, if we remove this permission, then domain machines cannot update DNS records dynamically.

    Best Regards,

    Amy

    Tuesday, November 18, 2014 9:57 AM
    Moderator
    1. Authenticated Users (e.g. computers use this to register themselves in DNS - aka Dynamic DNS Update)
    2. Authenticated Users does NOT have the rights to delete records, other than records they own, e.g. records they have created.
    3. If you want to restrict the permissions to "DNS Admins" being able to create and delete records, then you break the dynamic DNS record registration, and no computers will register themselves in DNS anymore. Is that what you want?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, November 19, 2014 1:41 AM
  • Greetings!

    Keep in mind that "Authenticated Users" permissions do not fall into the category of unwanted permissions. I believe management meant to remove the explicit user permissions which had been assigned to a set of objects before. Removing "Authenticated Users" may lead to difficult hours of troubleshooting later.

    Regards.


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Tuesday, November 18, 2014 10:13 AM
    Moderator
  • Hi Christ,

    The computer should be able to register DNS records dynamically.

    My requirement is ,

    1. Domain users (excluding the "DNSadmin" group) should NOT be able to create or delete the zones and records

    2. Only the "DNSadmin" group should have the permission to add/delete zones or static record entries

    Please let me know for any more info


    You _CAN'T_ meet those requirements without breaking DDNS, as simple as that: either re-assess the requirements or break DDNS.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Monday, November 24, 2014 11:21 AM

All replies

  • Thanks.

    Then how do I RESTRICT domain users from creating or deleting records? Only DNSadmin should have these rights to create/delete records and zones.

    Please suggest.

    Tuesday, November 18, 2014 11:15 AM
  • Hi Christ,

    The computer should be able to register DNS records dynamically.

    My requirement is ,

    1. Domain users (excluding the "DNSadmin" group) should NOT be able to create or delete the zones and records

    2. Only the "DNSadmin" group should have the permission to add/delete zones or static record entries

    Please let me know for any more info

    Thursday, November 20, 2014 7:38 AM
  • Hi, please suggest...

    Monday, November 24, 2014 6:38 AM
  • Ok 

    Thanks

    Tuesday, November 25, 2014 5:18 AM
  • I can sympathize with why you're looking for a way to lock this down. I looked into it too. There are some measures though that prevent most activity that might cause harm -- namely the ability to only add records you own and the inability to modify ones you do not. So for example, you cannot add an empty host record. You cannot add another host record where one already exists (creating an RR). I've tried these scenarios. They seem to stick.


    ::marcus _ marcusoh.blogspot.com

    Wednesday, February 11, 2015 7:48 PM
  • In this case, shouldn't one replace Authenticated Users with the Domain Computers security principal? That will certainly limit a person from adding DNS records and still allow computers to dynamically register their A and PTR records?

    Additionally, create a security group <yourDomainCode or yourDomainNode> DNS Administrators and delegate rights and add admins who are allowed to create static entries.

    http://www.synergix.com contributor

    Saturday, February 18, 2017 6:31 AM
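An added audit script, written for this thread and not posted by any of the participants: it lists, per AD-integrated zone, the ACEs that grant broad groups the create-child right the original poster asked about, and the records whose owner is not a computer account, i.e. entries that were not registered by dynamic update. It needs the RSAT ActiveDirectory module (for the AD: drive) and assumes the zones replicate to the DomainDnsZones partition; the `$partition` value is an assumption to adjust for ForestDnsZones or legacy domain-partition zones.

```powershell
# Added example (not from the thread). Run as a user who can read the zone ACLs.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
# Assumption: zones use the domain-wide replication scope. For forest-wide zones
# use "DC=ForestDnsZones,$domainDn"; for legacy zones "CN=MicrosoftDNS,CN=System,$domainDn".
$partition = "DC=DomainDnsZones,$domainDn"

$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$zones = Get-ADObject -SearchBase $partition -SearchScope Subtree `
    -LDAPFilter '(objectClass=dnsZone)' -Properties name

foreach ($zone in $zones) {
    $zoneAcl = Get-Acl -Path "AD:\$($zone.DistinguishedName)"

    # 1. Allow ACEs on the zone object that let a broad group create dnsNode children.
    #    GenericAll also contains the CreateChild bit, so the bitmask test catches it.
    $zoneAcl.Access |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $createChild) -ne 0 -and
        $_.IdentityReference.Value -match 'Authenticated Users|Domain Computers|Everyone'
      } |
      ForEach-Object {
        [pscustomobject]@{
            Zone      = $zone.Name
            Principal = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
      }

    # 2. Records not owned by a computer account (owner name without a trailing '$').
    #    Dynamic update leaves the registering computer as owner, so these are the
    #    static entries created by hand, which is where the thread's concern lies.
    Get-ADObject -SearchBase $zone.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=dnsNode)' |
      ForEach-Object {
        $owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
        if ($owner -notmatch '\$$') {
            [pscustomobject]@{ Zone = $zone.Name; Record = $_.Name; Owner = $owner }
        }
      }
}
```

The second report is the one to review before touching the zone ACL: it shows which records would need DNSadmin to re-create them if the permission were removed and which user accounts have been creating records by hand.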