diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index 78ebe6ee809..7b47bae4f25 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -26,6 +26,8 @@ import org.apache.cloudstack.api.BaseCmd; import org.springframework.stereotype.Component; import com.cloud.dc.DataCenter; +import com.cloud.dc.DedicatedResourceVO; +import com.cloud.dc.dao.DedicatedResourceDao; import com.cloud.domain.Domain; import com.cloud.domain.dao.DomainDao; import com.cloud.exception.PermissionDeniedException; @@ -53,6 +55,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { @Inject ProjectManager _projectMgr; @Inject ProjectAccountDao _projecAccountDao; @Inject NetworkModel _networkMgr; + @Inject + private DedicatedResourceDao _dedicatedDao; protected DomainChecker() { super(); @@ -238,6 +242,18 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { //if account is normal user //check if account's domain is a child of zone's domain else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) { + // if zone is dedicated to an account check that the accountId + // matches. + DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId()); + if (dedicatedZone != null) { + if (dedicatedZone.getAccountId() != null) { + if (dedicatedZone.getAccountId() == account.getId()) { + return true; + } else { + return false; + } + } + } if (account.getDomainId() == zone.getDomainId()) { return true; //zone and account at exact node } else { diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index befcf8dfee9..586b6d27b03 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java 
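Review bot: In the third DomainChecker.java hunk, `dedicatedZone.getAccountId() == account.getId()` uses `==` on a value that is evidently a nullable boxed type, since it is null-checked on the line above. That is a numeric comparison only if `account.getId()` returns a primitive; if it returns `Long`, it becomes a reference comparison and the owning account could be denied. I would collapse the inner if/else into `return dedicatedZone.getAccountId().equals(account.getId());`, which is correct in both cases. A short comment should also say that an account-dedicated zone deliberately bypasses the domain check that follows, because this early return is the whole access decision for such a zone. The enclosing method and its other account-type branches are outside the hunk, so whether admin-type callers need the same dedication check cannot be judged from here.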
@@ -2498,11 +2498,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { * List all resources due to Explicit Dedication except the * dedicated resources of other account */ - if (domainId != null && account.getType() == Account.ACCOUNT_TYPE_ADMIN) { // + if (domainId != null) { // // for domainId != null // right now, we made the decision to - // only - // / list zones associated // with this domain, private zone + // only list zones associated // with this domain, private zone sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId); + + if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) { + // accountId == null (zones dedicated to a domain) or + // accountId = caller + SearchCriteria sdc = _dcJoinDao.createSearchCriteria(); + sdc.addOr("accountId", SearchCriteria.Op.EQ, account.getId()); + sdc.addOr("accountId", SearchCriteria.Op.NULL); + + sc.addAnd("account", SearchCriteria.Op.SC, sdc); + } + } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) { // it was decided to return all zones for the user's domain, and // everything above till root @@ -2534,6 +2544,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // remove disabled zones sc.addAnd("allocationState", SearchCriteria.Op.NEQ, Grouping.AllocationState.Disabled); + // accountId == null (zones dedicated to a domain) or + // accountId = caller + SearchCriteria sdc2 = _dcJoinDao.createSearchCriteria(); + sdc2.addOr("accountId", SearchCriteria.Op.EQ, account.getId()); + sdc2.addOr("accountId", SearchCriteria.Op.NULL); + + sc.addAnd("account", SearchCriteria.Op.SC, sdc2); + // remove Dedicated zones not dedicated to this domainId or // subdomainId List dedicatedZoneIds = removeDedicatedZoneNotSuitabe(domainIds); diff --git a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java index 081bc313fe0..db1cf90c843 100644 --- a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java 
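Review bot: The widened condition `if (domainId != null)` in the first QueryManagerImpl.java hunk now applies the requested `domainId` for every caller type, and no check that this domain lies within the caller's own hierarchy is visible in the hunk. If no such check exists earlier in the method, the listing would expose private zones of a domain the caller does not belong to. The account filter is also applied only for `Account.ACCOUNT_TYPE_NORMAL`, while DomainChecker in this same commit treats `ACCOUNT_TYPE_PROJECT` like a normal account, so listing and access check can disagree for project accounts. Consider `if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {`. The method starts and ends outside the hunk.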
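Review bot: The `sdc2` block in the second QueryManagerImpl.java hunk repeats the three `sdc` lines from the first hunk. This sub-criteria is what keeps account-dedicated zones out of other accounts' listings, so it should exist once so that the two branches cannot drift apart. I would move it into a private helper that takes the account id and returns the sub-criteria, called from both places as `sc.addAnd("account", SearchCriteria.Op.SC, accountScopeCriteria(account.getId()));`. The branch this hunk sits in starts outside the hunk.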
+++ b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java @@ -114,6 +114,9 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id @Column(name = "affinity_group_uuid") private String affinityGroupUuid; + @Column(name = "account_id") + private long accountId; + public DataCenterJoinVO() { } @@ -315,4 +318,12 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id public String getAffinityGroupUuid() { return affinityGroupUuid; } + + public long getAccountId() { + return accountId; + } + + public void setAccountId(long accountId) { + this.accountId = accountId; + } } diff --git a/setup/db/db/schema-412to420.sql b/setup/db/db/schema-412to420.sql index ac3fae9751f..facfd534a9e 100644 --- a/setup/db/db/schema-412to420.sql +++ b/setup/db/db/schema-412to420.sql @@ -2348,6 +2348,7 @@ CREATE VIEW `cloud`.`data_center_view` AS domain.name domain_name, domain.path domain_path, dedicated_resources.affinity_group_id, + dedicated_resources.account_id, affinity_group.uuid affinity_group_uuid from `cloud`.`data_center`
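Review bot: `private long accountId;` in the first DataCenterJoinVO.java hunk maps `account_id` to a primitive, but the column is evidently nullable. The QueryManagerImpl change in this commit filters on `accountId` with `SearchCriteria.Op.NULL`, and DomainChecker null-checks `DedicatedResourceVO.getAccountId()`. A primitive cannot represent "not dedicated to an account", and how the persistence layer maps a NULL into it (presumably 0, or an error) is not visible here. Declare the field as `private Long accountId;` and change the accessors in the second hunk to `public Long getAccountId()` and `public void setAccountId(Long accountId)`.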