Appendix: Least Privilege Setup

The Windows Server DNS Management Pack supports low-privilege monitoring scenarios through the use of the DNS action account. The following information details the exact permissions necessary and the steps to set up those permissions correctly.

Note

Configuring explicit least-privilege permissions for DNS is difficult to get right, and a mistake can stop monitoring or, worse, grant more access than intended. Microsoft recommends that these steps be practiced in a lab setting before changing your production environment.

Unsupported Configurations

Because of DNS Server product limitations, the least privilege scenario is not supported on domain-joined DNS servers that are not domain controllers. Workgroup DNS servers and DNS servers hosted on domain controllers are supported.

Permission Summary

The action account requires the following permissions:

  • Logon local right

  • DNS Administrator group member

  • Full access to Operations Manager working directory

  • Event Log Readers group member

  • Performance Monitor Users group member

  • Windows Management Instrumentation (WMI) Read right

  • Full access to the DNS Server service, granted to the DNSAdmins group (of which the action account is a member)

  • Full access to the service control manager, granted to the DNSAdmins group

Logon Local Right Permissions

Setting logon local right permissions

  1. Add the action account to the list of accounts in the Allow log on locally user right. For workgroup servers, use the Local Group Policy Editor (gpedit.msc); for domain-joined computers, use the Group Policy Management Console.

  2. For DNS servers hosted on domain controllers, make the change in the Default Domain Controllers Policy, because that policy governs user rights on domain controllers.

To locate the setting in the Group Policy Management Console, edit the policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

DNS Administrator Permissions

Setting DNS Administrator permissions by adding the action account to the DNSAdmins group

  1. Open Active Directory Users and Computers.

  2. Open the Users container, which holds the DNSAdmins group.

  3. Open the properties of the DNSAdmins group and, on the Members tab, add the action account.

Operations Manager Working Directory Permissions

Setting Operations Manager working directory permissions using Windows Explorer

  1. In Windows Explorer, right-click the working directory, and then click Properties. The default working directory is C:\Program Files\System Center Operations Manager 2007\Health Service State.

  2. On the Security tab, add the action account and grant it the permissions in the following tip, applied to the folder, its subfolders, and its files.

    Tip

    Required permissions are Read, Write, Execute, Create, and Delete on the folder, including all subfolders. The standard Modify permission covers this set; Full Control is not required and should not be granted.

Event Log Read Permissions

Grant the action account Read permission to the event logs.

This can be done locally or through Group Policy.

See the article titled How to set event log security locally or by using Group Policy in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=121390) for instructions.

Performance Monitor Permissions

Setting Performance Monitor permissions by adding the action account to the Performance Monitor Users group

  1. Open Active Directory Users and Computers.

  2. Open the Builtin container, which holds the Performance Monitor Users group.

  3. Open the properties of the Performance Monitor Users group and, on the Members tab, add the action account.
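The group memberships and working-directory permissions from the preceding sections, scripted end to end with a verification step. This is an added example, not part of the management pack guide. It assumes a domain controller with the ActiveDirectory PowerShell module (RSAT) available, that the groups keep their default names (the group the guide calls DNSAdmins has the sAMAccountName DnsAdmins), the default Operations Manager 2007 working directory, and a placeholder action account named CONTOSO\svc-dnsmon.

```powershell
# Added example (not from the management pack guide): grant the action account the
# required group memberships and working-directory rights, then verify them.
# Assumes a domain controller with the ActiveDirectory module; run in an elevated shell.

Import-Module ActiveDirectory

$ActionAccount = 'CONTOSO\svc-dnsmon'   # assumption: placeholder DOMAIN\sAMAccountName
$WorkingDir    = 'C:\Program Files\System Center Operations Manager 2007\Health Service State'

# DnsAdmins lives in the Users container; the other two are Builtin groups.
# Add-ADGroupMember resolves all three by name when run against a domain controller.
$Groups = 'DnsAdmins', 'Event Log Readers', 'Performance Monitor Users'
$sam = $ActionAccount.Split('\')[-1]
foreach ($g in $Groups) {
    Add-ADGroupMember -Identity $g -Members $sam -ErrorAction Stop
}

# Modify (M), inherited by subfolders (CI) and files (OI), is exactly the Read, Write,
# Execute, Create and Delete set the guide lists. Full Control is deliberately not granted.
& icacls.exe $WorkingDir /grant "${ActionAccount}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verification: list any required group the account is still missing and confirm the
# folder ACE carries at least Modify for the account.
function Test-ActionAccountSetup {
    param([string]$Sam, [string[]]$RequiredGroups, [string]$Path, [string]$Account)

    $have    = Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object -ExpandProperty Name
    $missing = @($RequiredGroups | Where-Object { $_ -notin $have })

    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $ace = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }

    [pscustomobject]@{
        MissingGroups  = $missing
        FolderAceFound = [bool]$ace
    }
}

Test-ActionAccountSetup -Sam $sam -RequiredGroups $Groups -Path $WorkingDir -Account $ActionAccount
```

MissingGroups should come back empty and FolderAceFound as True; anything else means one of the manual steps above still has to be repeated. The logon-right and WMI settings are not covered by this script and are still configured as described in their own sections.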

WMI Read Permissions

Setting WMI Read permissions

The action account needs Read permission on the MicrosoftDNS namespace of the WMI repository. To grant it:

  1. Open wmimgmt.msc.

  2. Right-click WMI Control, and then click Properties.

  3. On the Security tab, expand Root, and then click MicrosoftDNS.

  4. Click Security, add the action account, and grant it the Enable Account permission, which is the WMI read permission. No write or security-editing permissions on the namespace are needed.

DNS Server Service Permissions

Grant full access to the DNS Server service to the DNSAdmins group. The action account receives this access through its membership in the group.

The command has the following syntax. The new access control entry is inserted immediately after D:, and the existing entries follow it with no separator:

  • sc sdset dns D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<DNSAdmins group SID>)<existing permissions>

To determine the existing permissions, run sc sdshow dns and record the output; everything after the leading D: is what goes in <existing permissions>.

To determine the security identifier (SID) of the DNSAdmins group, copy and run the script in Appendix: Scripts in This Management Pack.

Example: sc sdset dns D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1038194580-2588225604-174952363-1107)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)

Note

The access mask CCDCLCSWRPWPDTLOCRSDRCWDWO is full control of the service. It includes SERVICE_CHANGE_CONFIG (DC), which permits changing the service's executable path and logon account, and WRITE_DAC (WD) and WRITE_OWNER (WO), which permit rewriting this security descriptor. Treat membership in DNSAdmins as equivalent to administrative control of the DNS server, and restrict and audit the group's membership accordingly.

Service Control Manager Permissions

Grant full access to the service control manager to the DNSAdmins group.

The command has the following syntax. As with the DNS Server service, the new entry is inserted immediately after D:

sc sdset scmanager D:(A;;0xF003F;;;<DNSAdmins group SID>)<existing permissions>

To determine the existing permissions, run sc sdshow scmanager and record the output; everything after the leading D:, including the S: section that defines auditing, goes in <existing permissions> unchanged.

To determine the SID of the DNSAdmins group, copy and run the script in Appendix: Scripts in This Management Pack.

Example: sc sdset scmanager D:(A;;0xF003F;;;S-1-5-21-1038194580-2588225604-174952363-1107)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Note

0xF003F is SC_MANAGER_ALL_ACCESS. It includes SC_MANAGER_CREATE_SERVICE, so any member of DNSAdmins can register a new service that runs as LocalSystem. Restrict and audit the group's membership accordingly, and keep a copy of the sc sdshow output from before the change so the descriptor can be restored.
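The two sc sdshow / sc sdset procedures above, scripted so that the existing DACL and SACL are preserved and the change is previewed before it is written. This is an added example and is not part of the management pack guide or its script appendix. It assumes the group keeps its default name DnsAdmins (resolved here through the .NET account translator instead of the appendix script), that sc.exe is on the path, and that the shell is elevated on the DNS server.

```powershell
# Added example (not from the management pack guide): insert a DnsAdmins ACE into the
# security descriptors of the DNS service and the service control manager.
# The ACE goes directly after 'D:' so the rest of the DACL and any SACL (S:...) survive.

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Target)   # 'dns' or 'scmanager'
    # sc.exe prints a blank line before the descriptor; keep only the line starting with D:
    $line = & sc.exe sdshow $Target | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw "sc sdshow $Target returned no security descriptor (is the shell elevated?)" }
    return $line.Trim()
}

function Add-ServiceAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Rights,   # SDDL rights, e.g. CCDCLCSWRPWPDTLOCRSDRCWDWO or 0xF003F
        [Parameter(Mandatory)][string]$Sid
    )
    $current = Get-ServiceSddl -Target $Target
    $ace = "(A;;$Rights;;;$Sid)"

    # Idempotent: do not add a second copy of an ACE that is already present.
    if ($current.Contains($ace)) {
        Write-Verbose "$Target already contains $ace"
        return $current
    }

    # Literal insert after the two-character 'D:' prefix; everything else is untouched.
    $updated = 'D:' + $ace + $current.Substring(2)

    if ($PSCmdlet.ShouldProcess($Target, "sc.exe sdset $updated")) {
        & sc.exe sdset $Target $updated | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset $Target failed with exit code $LASTEXITCODE" }
    }
    return $updated
}

# Resolve the group SID locally (assumption: default group name DnsAdmins).
$sid = (New-Object System.Security.Principal.NTAccount('DnsAdmins')).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Record the originals first; revert later with: sc.exe sdset <target> <original descriptor>
$backup = @{ dns = Get-ServiceSddl -Target 'dns'; scmanager = Get-ServiceSddl -Target 'scmanager' }
$backup.GetEnumerator() | ForEach-Object { Write-Host "$($_.Key) before: $($_.Value)" }

# Full control on the DNS service, and SC_MANAGER_ALL_ACCESS (0xF003F) on the service control
# manager, as the guide specifies. -WhatIf prints the exact descriptor that would be written;
# drop it once the preview matches the example in the guide.
Add-ServiceAce -Target 'dns'       -Rights 'CCDCLCSWRPWPDTLOCRSDRCWDWO' -Sid $sid -WhatIf
Add-ServiceAce -Target 'scmanager' -Rights '0xF003F'                     -Sid $sid -WhatIf
```

Inserting the new entry after D: rather than appending it is what keeps the scmanager SACL (the S: section) intact; appending the ACE to the end of the string would place it after the SACL and sc sdset would reject or misparse it. Compare the -WhatIf output with the recorded original before running without -WhatIf.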