Appendix: Least Privilege Setup
The Windows Server DNS Management Pack supports low-privilege monitoring scenarios through the use of the DNS action account. The following information details the exact permissions necessary and the steps to set up those permissions correctly.
Note
Configuring explicit least-privilege DNS permissions is extremely difficult. Microsoft recommends practicing these steps in a lab setting before changing your production environment.
Because of DNS Server product limitations, the least privilege scenario is not supported on domain-joined DNS servers that are not domain controllers.
The action account requires the following permissions:
Logon local right
DNS Administrator group member
Full access to Operations Manager working directory
Event Log Readers group member
Performance Monitor Users group member
Windows Management Instrumentation (WMI) Read right
Full access to the DNS Server service for the DNSAdmins account
Full access to the service control manager for the DNSAdmins account
Add the action account to the list of accounts in the Allow log on locally permission using gpedit.msc for workgroup mode servers, or using the Group Policy Management Console for domain-joined computers. Edit the default Domain Controller Policy for DNS Servers hosted on domain controllers.
To locate the default Domain Controller Policy using the Group Policy Management Console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignments.
Open Active Directory Users and Computers.
Open the Users folder.
Add the action account to the membership list of the DNSAdmins group.
Select the working directory. The default working directory is C:\Program Files\System Center Operations Manager 2007\Health Service State.
Tip
Required permissions include Read, Write, Execute, Create, and Delete in the folder, including all subfolders.
Grant the action account Read permission to the event logs.
This can be done locally or through Group Policy.
See the article titled How to set event log security locally or by using Group Policy in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=121390) for instructions.
Setting Performance Monitor permissions by adding the action account to the Performance Monitor Users group
Open Active Directory Users and Computers.
Open the Builtin folder.
Add the action account to the membership list.
Grant the action account Read permission to the MicrosoftDNS section of the WMI repository.
Open wmimgmt.msc. Right-click the root object.
Click Properties.
Click MicrosoftDNS.
Add the action account to the list of members.
Grant the DNSAdmins group full permissions to the DNS Server service.
The following is an example of the syntax of the command:
sc sdset dns D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<action account SID>)<existing permissions>
To determine the existing permissions, run sc sdshow dns and record the output.
To determine the security identifier (SID) of the DNSAdmins group, copy and run the script in Appendix: Scripts in This Management Pack.
Example: sc sdset dns D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1038194580-2588225604-174952363-1107)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
Grant the DNSAdmins group full permissions to the service control manager.
The following is an example of the syntax of the command:
sc sdset scmanager D:(A;;0xF003F;;;<action account SID>)<existing permissions>
To determine the existing permissions, run sc sdshow scmanager and record the output.
To determine the SID of the DNSAdmins group, copy and run the script in Appendix: Scripts in This Management Pack.
Example: sc sdset scmanager D:(A;;0xF003F;;;S-1-5-21-1038194580-2588225604-174952363-1107)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
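The two sc sdset steps above both follow the same pattern: prepend one allow ACE for the DNSAdmins SID to the DACL returned by sc sdshow, keeping every existing DACL and SACL entry. The following added example (not part of the Management Pack or its scripts) builds that argument from sc sdshow output and decodes each ACE's rights into service-right names so the resulting descriptor can be reviewed before it is applied; the sample descriptors are the ones shown in the two examples above, with the appendix's ACE removed.

```python
import re

# Service-object meaning of each two-letter SDDL right, as interpreted by sc.exe.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"   # rights string the appendix uses for dns
SDDL_RE = re.compile(r"^(?:D:(?P<d>(?:\([^)]*\))*))?(?:S:(?P<s>(?:\([^)]*\))*))?$")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split `sc sdshow` output into (DACL ACEs, SACL ACEs), parentheses removed."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("unrecognised SDDL: " + sddl)
    return ACE_RE.findall(m.group("d") or ""), ACE_RE.findall(m.group("s") or "")

def build_sdset_descriptor(existing, sid, rights=FULL_CONTROL):
    """Return the `sc sdset` argument: an allow ACE for `sid` prepended to the
    existing DACL, with every existing DACL and SACL entry kept verbatim."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError("expected a full SID such as S-1-5-21-...-1107, got " + repr(sid))
    dacl, sacl = parse_sddl(existing)
    new_ace = f"A;;{rights};;;{sid}"
    if new_ace not in dacl:          # idempotent: re-running does not duplicate the ACE
        dacl = [new_ace] + dacl
    out = "D:" + "".join(f"({a})" for a in dacl)
    if sacl:
        out += "S:" + "".join(f"({a})" for a in sacl)
    return out

def decode_rights(ace):
    """Expand one ACE's rights field into service-right names so a reviewer can see
    who may START/STOP/CHANGE_CONFIG; hex masks and unknown tokens pass through."""
    rights = ace.split(";")[2]
    if rights.startswith("0x"):
        return [rights]
    return [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]

if __name__ == "__main__":
    # Constructed sample: the appendix's dns descriptor before the DNSAdmins ACE is added.
    existing = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)")
    new = build_sdset_descriptor(existing, "S-1-5-21-1038194580-2588225604-174952363-1107")
    print("sc sdset dns " + new)
    for ace in parse_sddl(new)[0]:
        print(ace.split(";")[-1], "->", " ".join(decode_rights(ace)))
```

The decoded listing is the check worth doing before applying the descriptor: only the DNSAdmins SID, SY, BA and SO should show STOP, CHANGE_CONFIG and WRITE_DAC, while IU and SU remain query-only.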