Channel: Directory Services forum

Active Directory Permissions Issue


While attempting to delegate administration of a DNS zone, I stumbled on an issue that is apparently granting a random subset of users full control of my entire domain.

My domain consists of (3) Windows Server 2012 DCs.  Let's call them DC1, DC2 & DC3.

The steps I took:

1.) I created a new DNS zone called dev.domain.com on DC1 and verified replication to DC2 & DC3

2.) I created a group called devdnsadmins and added it to the ACL on dev.domain.com with Full Control

3.) I added devdnsadmins to the ACL on DC1, DC2 & DC3 (via the DNS MMC on my PC) with Read

4.) I had a member of devdnsadmins test creating a record in dev.domain.com.  Result: success.

5.) I had the same user test creating a record in domain.com.  Result: success.

6.) I checked the user's effective permissions on DC1, DC2 & DC3 (via the DNS MMC on my PC).  User has full access.

7.) I performed the same check running the DNS MMC on each DC.  The DCs each report user only has list access.

8.) I copied the user and began removing group memberships from the copy, checking the effective rights after each removal. Result: no change, copy of user still has full access.

9.) (It gets worse...) I thought maybe it was somehow inheriting the permission from elsewhere, so I opened ADUC and began poking around.  If I check the effective permissions on the root of the domain, each DC reports the user having limited access, my PC reports full access and, the worst part, testing bears out that my PC is correct and the DCs are wrong.  The user can make changes...

I don't know where to go from here.  I'm asking my boss to authorize the charge to call Microsoft. Any ideas?
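One way to narrow down steps 6 to 9, as an added example that is not part of the original post: list, per DC, every allow ACE with write-type rights on the domain root, the MicrosoftDNS container and the dev zone whose trustee is in the test user's token. The account name `devtestuser` and the zone living in the DomainDnsZones partition are assumptions.

```powershell
Import-Module ActiveDirectory                      # RSAT ActiveDirectory module
Add-Type -AssemblyName System.DirectoryServices    # for the ActiveDirectoryRights enum

# Assumptions, not from the post: the test account name and the zone's partition.
$Sam      = 'devtestuser'   # hypothetical member of devdnsadmins
$DomainDN = (Get-ADDomain).DistinguishedName
$Targets  = @(
    $DomainDN,
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN",
    "DC=dev.domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
)

# tokenGroups (transitive security-group SIDs) is constructed and needs a base-scope search.
$user = Get-ADUser -Identity $Sam
$tg   = (Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
            -LDAPFilter '(objectClass=*)' -Properties tokenGroups).tokenGroups
# Add the user's own SID plus Everyone and Authenticated Users, which tokenGroups omits.
$sids = @($user.SID.Value) + @($tg | ForEach-Object { $_.Value }) + 'S-1-1-0', 'S-1-5-11'

# Individual write-type bits; GenericAll contains all of them, so Full Control ACEs match too.
$WriteBits = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'

# Read the security descriptor from each DC separately so replicas can be compared.
# Only allow ACEs are listed; deny ACEs are not evaluated here.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($dn in $Targets) {
        $sd = (Get-ADObject -Identity $dn -Server $dc.HostName `
                  -Properties nTSecurityDescriptor).nTSecurityDescriptor
        $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $sids -contains $_.IdentityReference.Value -and
                ($_.ActiveDirectoryRights -band $WriteBits)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    DC        = $dc.Name
                    Object    = $dn
                    Trustee   = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                    AppliesTo = $_.ObjectType   # all-zero GUID = the whole object
                }
            }
    }
}
$report | Sort-Object Object, Trustee, DC | Format-Table -AutoSize -Wrap
```

A trustee that appears on the domain root with `Inherited = False` points at an explicit ACE set there; rows that differ between DCs for the same object point at a replication difference rather than a permissions design problem.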

