
Showing posts with the label you can do that

You Can Do That: Check Domain Controller OS Versions

This is one of those points of confusion I kind of hope you experience. The reason: if you have your security set up properly, as soon as someone hears the words "domain controller," they will assume they don't have access and need to contact a member of the directory services team.

However, checking the operating system version for all domain controllers in a domain is very simple for any user. Simply open Active Directory Users and Computers, right-click on the domain root, then select Change Domain Controller. The major version will be listed in the DC Version column.

(Image: Change Domain Controller box in ADUC)

If the requester needs a more specific version, they can still look it up themselves. Back in ADUC, simply look up the computer object and go to the Operating System tab. It will have version and build info that can easily be translated with a quick online search.

(Image: Domain controller computer object)

Doing these lookups doesn't require any elevated...

You Can Do That: Test DNS

Background

A very common request I get from business units (and end users, even) is to be granted read access to internal Microsoft DNS servers. I completely understand the motivation: it could be very convenient to be able to review both the existence and resolution data of DNS records. I mean, you can grant read-only access to a file share and a database, so you should be able to do the same for DNS, right?

Unfortunately, it's not that simple, and for one main reason: Microsoft DNS security sucks. I'm not going to go into all the technical details here (may do a full post with all that later), but because of the way Microsoft has set up their default permissions, the security principal Authenticated Users can create and modify all records in any zone hosted by a Windows DNS server. This is to allow and enforce secure dynamic updates. However, the major takeaway for today's post is that anyone who is granted the ability to connect to a Windows DNS server via MMC can cr...