Sunday, 27 September 2020

DNS record modification using PowerShell remotely (PSSession)


Service account permission to remote PowerShell to a DNS server on Windows Server 2012

Hello Friends, Hope everyone is doing well.

Let's start the topic. My client asked me to create a user ID and grant it permission on particular DNS resource records (or a particular zone) to modify, create and delete DNS records through a PSSession. He came with the conditions below.

1) We will not add the user to the Domain Admins group.

2) We will not add the user to the DnsAdmins group.

3) The user should have modify/create/delete rights only on a particular zone.

It took a lot of time to experiment and figure out which settings are needed. I will share all the steps you need to follow to achieve this result, along with a few screenshots for your understanding.

Steps:-

DC side

1) Create a user account in AD and add it to the Remote Management Users built-in group. This is what lets a non-administrator open a PSSession to the DC. Note that it gives the account a full, if unprivileged, remote PowerShell session on a domain controller, not just the DNS cmdlets; a JEA endpoint that exposes only the DnsServer cmdlets is the way to narrow that further if you need to.

2) Grant Read on the DNS server (right-click the server in DNS Manager -> Properties -> Security) and grant the special permissions Write all properties, Create all child objects and Delete all child objects on the DNS zone. Apply them to "This object and all descendant objects" so that the record objects under the zone inherit them.

3) Add an explicit Deny (full control) for the account on all other zones. This is needed because Authenticated Users have Create all child objects on an AD-integrated zone by default (that is what secure dynamic update relies on), so without the Deny the account could still create records in the other zones. Zones created later will not carry this Deny, so add it whenever a new zone is created.

4) Grant Full Control on the root of WMI Control, with "This namespace and subnamespaces" selected. The DnsServer cmdlets are CIM wrappers around the DNS WMI provider, so the account needs WMI namespace permissions in addition to the zone ACLs (PowerShell remoting itself runs over WinRM, not WMI). Full Control on Root is broader than the cmdlets need; the provider lives in root\Microsoft\Windows\DNS, so if you want to tighten this, try granting only that namespace and test whether the cmdlets still work.

Client/Member Server Side

1) Add the user to the local Administrators group on the member server from which the session is taken. Enter-PSSession does not by itself require local administrator rights on the client, so confirm this step is really needed in your environment before granting it: it makes the service account an administrator of that host.


Bingo! You are good to go. Just to clarify, you can also allow the user to modify only specific DNS records by granting read/write permission on those record objects exclusively. In that scenario you do not have to assign permission on the entire zone, but Read permission on the DNS server is still necessary, and you still add the full Deny for the user on all zones. That works because an explicit Allow on the record object takes precedence over a Deny inherited from the zone.
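The DC-side steps 1 to 3 above can be scripted instead of clicking through DNS Manager. The following is an added example, not code from the original post. It runs in an elevated session on the DC as a Domain Admin (the delegated account itself cannot set these ACLs) and assumes a single-domain forest whose DN is discovered with Get-ADDomain (the post only shows the NetBIOS name blossom), AD-integrated zones stored in the DomainDnsZones and ForestDnsZones partitions, and the account blossom\dns_remote and zone fruit.com from the post. Step 4 (WMI Control) is left to the GUI as in the post.

```powershell
# Added example, not from the original post: apply steps 1-3 with PowerShell.
# Assumptions: single-domain forest, AD-integrated zones in DomainDnsZones and
# ForestDnsZones, account blossom\dns_remote, delegated zone fruit.com.
Import-Module ActiveDirectory

$Account    = 'blossom\dns_remote'
$TargetZone = 'fruit.com'
$DomainDN   = (Get-ADDomain).DistinguishedName   # e.g. DC=blossom,DC=local (assumed)

# Step 1: WinRM access to the DC without any admin group membership.
Add-ADGroupMember -Identity 'Remote Management Users' -Members 'dns_remote'

$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # zone + records

# Step 2's "special permission": Write all properties, Create all child objects,
# Delete all child objects, plus read so the account can query the zone.
$AllowRights = $Rights::GenericRead -bor $Rights::WriteProperty -bor
               $Rights::CreateChild -bor $Rights::DeleteChild

foreach ($partition in 'DomainDnsZones', 'ForestDnsZones') {
    $zonesDN = "CN=MicrosoftDNS,DC=$partition,$DomainDN"
    foreach ($zone in Get-ADObject -SearchBase $zonesDN -SearchScope OneLevel -Filter 'objectClass -eq "dnsZone"') {
        $path = "AD:\$($zone.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # Remove any ACE previously set for this account so re-running the script is safe.
        foreach ($old in @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Account })) {
            [void]$acl.RemoveAccessRule($old)
        }

        if ($zone.Name -ieq $TargetZone) {
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $Sid, $AllowRights, [System.Security.AccessControl.AccessControlType]::Allow, $Inherit)
        } else {
            # Step 3: explicit Deny everywhere else. Without it the account keeps what
            # Authenticated Users get on an AD-integrated zone by default, which includes
            # Create all child objects (the right secure dynamic update relies on).
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $Sid, $Rights::GenericAll, [System.Security.AccessControl.AccessControlType]::Deny, $Inherit)
        }
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
        '{0,-12} {1,-30} {2}' -f $partition, $zone.Name, $ace.AccessControlType
    }
}
```

Re-running the script is safe because it first strips every ACE it previously added for the account. After it finishes, `(Get-Acl "AD:\DC=fruit.com,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN").Access` should show exactly one Allow for dns_remote, and every other zone exactly one Deny. Remember to run it again (or add the Deny by hand) when a new zone is created.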


User dns_remote added to the local Administrators group on the member server from which the PowerShell session is taken.



User added to the Remote Management Users built-in group on the DC




Full Control on the root of WMI Control. Grant the permissions as in the screenshot, and make sure "This namespace and subnamespaces" is selected.







Error you will get if the account does not have permission on WMI Control



Read permission on the DNS server



Special permission on zone fruit.com (the user can create/modify records only under this zone)




Deny permission on all other zones




Sample PowerShell command outputs


Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Query without a PSSession (the DnsServer cmdlets contact the server directly over CIM/WMI; the first call targets the DC by IP address, the second, without -ComputerName, queries the local machine)

PS C:\Users\dns_remote> Get-DnsServerResourceRecord -ComputerName 192.168.198.137 -ZoneName fruit.com -RRType A

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
apple                     A          1          0                    01:00:00        10.101.3.18
Banana                    A          1          0                    01:00:00        10.101.3.20
Orange                    A          1          0                    01:00:00        10.101.3.19


PS C:\Users\dns_remote> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
banana                    A          1          0                    01:00:00        10.101.3.20

Querying through a remote PowerShell session


PS C:\Windows\system32> Enter-PSSession  -ComputerName Blossom-DC-01 -Credential blossom\dns_remote

[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
apple                     A          1          0                    01:00:00        10.101.3.18
Banana                    A          1          0                    01:00:00        10.101.3.20
Orange                    A          1          0                    01:00:00        10.101.3.19


[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A -Name Banana

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
Banana                    A          1          0                    01:00:00        10.101.3.20


[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $oldobj

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
apple                     A          1          0                    01:00:00        10.101.3.18
Banana                    A          1          0                    01:00:00        10.101.3.20
Orange                    A          1          0                    01:00:00        10.101.3.19

Now we will change the IPv4 address of the A record banana.fruit.com. Clone() is needed so that $oldobj still describes the record as it currently exists; a plain assignment would make both variables refer to the same object, and Set-DnsServerResourceRecord needs the unmodified record as -OldInputObject to find the record it should replace.

[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $oldobj = Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A  -Name Banana
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $newobj = $oldobj.Clone()
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $newobj.RecordData.IPV4Address = [ipaddress]'10.101.3.25'
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $oldobj

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
Banana                    A          1          0                    01:00:00        10.101.3.20


[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $newobj

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
Banana                    A          1          0                    01:00:00        10.101.3.25



[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Set-DnsServerResourceRecord -NewInputObject $newobj -OldInputObject $oldobj -ZoneName "fruit.com" -PassThru

[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A -Name Banana

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
Banana                    A          1          0                    01:00:00        10.101.3.25

[Blossom-DC-01]: PS C:\Users\dns_remote\Documents>
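The transcript above shows that the delegated account can change a record in fruit.com; the check a practitioner also wants is that the Deny on every other zone actually holds. The following is an added example, not code from the original post. It runs on the member server as the delegated user and assumes the DC name Blossom-DC-01 and the delegated zone fruit.com from the post; veg.com is a hypothetical second zone that the account must not be able to change, and acl-probe / 10.101.3.99 are a constructed record name and address used only for the test.

```powershell
# Added example, not from the original post: probe the delegation boundary from the
# delegated account. Assumptions: DC Blossom-DC-01, delegated zone fruit.com (both from
# the post); veg.com is a hypothetical non-delegated zone; the probe record
# acl-probe / 10.101.3.99 is constructed for this test only.
$Cred = Get-Credential -UserName 'blossom\dns_remote' -Message 'Delegated DNS account'

function Test-DnsZoneWrite {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$Name = 'acl-probe',
        [string]$IPv4 = '10.101.3.99'
    )
    # Create a throw-away A record and remove it again. The zone counts as writable for
    # this account only if both operations succeed. Errors (expected: access denied on
    # every non-delegated zone) are captured so that every zone in the run is reported.
    Invoke-Command -ComputerName Blossom-DC-01 -Credential $Cred `
        -ArgumentList $ZoneName, $Name, $IPv4 -ScriptBlock {
        param($Zone, $Name, $IPv4)
        try {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $IPv4 `
                -TimeToLive (New-TimeSpan -Hours 1) -ErrorAction Stop
            Remove-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $Name `
                -RecordData $IPv4 -Force -ErrorAction Stop
            [pscustomobject]@{ Zone = $Zone; Writable = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ Zone = $Zone; Writable = $false; Error = $_.Exception.Message }
        }
    }
}

# Expected result: fruit.com writable, every other zone not writable.
$results = foreach ($z in 'fruit.com', 'veg.com') { Test-DnsZoneWrite -ZoneName $z }
$results | Format-Table Zone, Writable, Error -AutoSize

$leak = @($results | Where-Object { $_.Zone -ne 'fruit.com' -and $_.Writable })
if ($leak.Count -gt 0) {
    Write-Warning ('Delegation is broader than intended: {0} accepted a write.' -f ($leak.Zone -join ', '))
}
```

Put every zone on the server into the list, not just one, and run the probe again after the DNS permissions are changed or a new zone is added: a zone that was created after step 3 will not have the Deny and will show up as writable here.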


Please comment if you have any other doubts. If this helped you, give me a thumbs up.
Take care and stay safe. See you soon in the next blog.
