Created attachment 14813 [details]
Return access denied code
Connecting to Windows and attempting any DNS operations appears to trigger DCERPC faults with an unprivileged user. In Samba, we attempt to apply the operation and if they lack the sufficient LDAP privileges we error out (and often giving a bad error message).
More investigation is required into whether or not every operation is actually disallowed or what privileges are required. In the meantime, I've written a patch just to improve our error codes to show that the user got an obvious access denied (and samba-tool can also see the access denied), which it should hit in most cases.