Locking down permissions on DNS and DHCP

Is there a way to limit access to DNS and DHCP servers from Domain admins on the Windows network? I want specific domain admins to have access to these services and others to have no access.
Thomas N, Systems Analyst - Windows System Administrator, asked:

Yes, using the standard consoles you can edit each DHCP server/scope and each DNS server/zone with the appropriate read/write permissions as needed. I wouldn't remove read permission from them if I were you unless you know you really want to do that though!

Also, it might make long term management a bit easier to follow the AGDLP security structure that Microsoft recommend.


http://technet.microsoft.com/en-us/library/dd759157.aspx   (DHCP)

http://www.pearsonitcertification.com/articles/article.aspx?p=102617&seqNum=6    (DNS - lots of useful stuff, scroll down for your specific questions, section 3)
Sandeshdubey, Senior Server Engineer, commented:
Why have you added the users to domain admin if you want to restrict them? I will recommend removing the users from the admin group. If you want to delegate some basic activity to be performed on AD, you need to delegate control as per requirement. You can also prevent them from logging in to the DC by installing RSAT (Win7) or admin pak (WinXP) on their client computer.

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986

Best Practices for Delegating Active Directory Administration  http://www.microsoft.com/en-us/download/details.aspx?

You can apply a deny permission to DHCP and DNS in the security permissions for the user in question, but I will not recommend the same. Instead, remove the users from the admin group. You can also enable auditing to track the activity of users. http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Hope this helps
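
An added example, not part of either answer above: one way to apply the AGDLP structure and the "remove them from the admin group and delegate instead" advice to DNS and DHCP, using the ActiveDirectory PowerShell module. The OU, the `GG-*` group names and the user accounts are hypothetical, and the script assumes `DnsAdmins` and `DHCP Administrators` exist as domain local groups (on a DHCP member server, `DHCP Administrators` is a local group on that server and is managed there instead).

```powershell
# Added example: AGDLP delegation for DNS and DHCP (OU, group and user names are hypothetical).
Import-Module ActiveDirectory

$GroupOu = 'OU=Role Groups,DC=example,DC=com'   # assumed OU, must already exist

# Global role group -> accounts in it -> domain local group that already holds the permission
$Roles = @(
    @{ Global = 'GG-DNS-Operators';  Accounts = @('alice.dns'); Local = 'DnsAdmins' }
    @{ Global = 'GG-DHCP-Operators'; Accounts = @('bob.dhcp');  Local = 'DHCP Administrators' }
)

# Add only members that are not already present, so the script can be re-run safely.
function Add-MissingMember {
    param([string]$Group, [string[]]$Members)
    $current = @(Get-ADGroupMember -Identity $Group |
                 Select-Object -ExpandProperty SamAccountName)
    $missing = @($Members | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Add-ADGroupMember -Identity $Group -Members $missing
    }
}

foreach ($role in $Roles) {
    # Create the global role group if it does not exist yet.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$($role.Global)'")) {
        New-ADGroup -Name $role.Global -SamAccountName $role.Global `
            -GroupScope Global -GroupCategory Security -Path $GroupOu
    }
    Add-MissingMember -Group $role.Global -Members $role.Accounts   # Accounts -> Global
    Add-MissingMember -Group $role.Local  -Members $role.Global     # Global -> Domain Local
}

# Review step: accounts still in Domain Admins keep full control of DNS and DHCP
# regardless of the delegation above, so this list is what needs trimming.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```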
