Creating a group of DNS users (allow creating of records but nothing else)

I would like to create a group in AD that allows a particular set of users to create records in DNS but not delete or change anything else, such as forwarders, etc. They would only have access to create a record.

Is this possible?

thanks,
Jeremy
rssystemsAsked:

becraigCommented:
Here is a link to the specific permissions and default groups for DNS updates:
http://technet.microsoft.com/en-us/library/cc755193.aspx

You can also take a look at the link below on steps to change DNS permissions:
http://support.microsoft.com/kb/837335

In your case I would simply create a new group and assign the relevant permissions; users in that group should be able to write and delete the records they create but no other records in the zone.

You may also want to look into auditing zone / record deletion:
http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx
MaheshArchitectCommented:
This is possible.
All you need to do is:
Create one global security group in the domain.
Add all required users to this group.
Go to the DNS management console on any one DC, and open DNS server properties > Security tab.
Add the above group there; the default Read permission will be set automatically, and that's all.
Now you can access the DNS management console from any workstation with RSAT logged on as a delegated user, or log on directly to a DC as a delegated user; they will be able to add resource records, CNAME records, PTR records, and will have permission to delete only those records which they created.
They can't delete other records created by other admins / delegated users.
In fact they can't change any other server configuration.

Note: do not add the above group to any high-privilege group such as DnsAdmins, etc.

becraigCommented:
Mahesh, can you tell me what you said in your post that I did not?

I think I indicated permissions and default roles, the same idea you advanced of having a specific group, and even suggested auditing.

Just trying to be sure whether you added something that was not already suggested.
MaheshArchitectCommented:
@BeCraig:

What I have suggested is the exact / specific answer the author is looking for, I think.

The articles you referred to are talking about the DnsAdmins group; also, if you look at my comment, I am talking about the *server*-level permissions and not zone-level permissions. In fact, simply adding zone-level permissions won't let the user connect to the DNS management console. Adding permissions at the server level is important here.

The important fact here is that just adding the group at the DNS server level automatically grants the default Read permission, and there is no need to provide *relevant* permissions at the zone level like you said in your comment.
The default Read permission will take care of adding and deleting records for the respective users.

If the author thinks there is no difference between both comments and he got what he needed from your comment, he will grant you full points; I don't have any issue with that.
rssystemsAuthor Commented:
Thanks everyone for your help... I created the security group and added a test account. I added the group as suggested to DNS > Properties > Security and confirmed it only gives Read. I was then able to access DNS via MMC > DNS. Tested creating a record and it worked; deleted the record successfully. I tried to delete other records and received access denied, which is as described and what I needed. I then tried to create a forwarder and it appears to almost let you: it allows you to actually add the forwarder, but as soon as you hit Apply -- access denied.

Works perfectly... thanks everyone,
Jeremy
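The delegation steps from Mahesh's answer and the checks the author ran by hand, as an added PowerShell example that is not from this thread. The server-level Security tab step itself stays manual; group name DNS-Record-Creators, server DC01, zone corp.example.com, the other admin's record printer01 and the member accounts are assumed placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory and DnsServer RSAT modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$GroupName = 'DNS-Record-Creators'   # assumed name

# Steps 1-2 of the answer: global security group holding the delegated users.
function New-DnsDelegationGroup {
    param([string[]]$Members)        # e.g. 'jdoe','asmith' (assumed accounts)
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description 'Delegated: may create DNS records; server-level Read only'
    }
    Add-ADGroupMember -Identity $GroupName -Members $Members
    # Step 3 (DNS server properties > Security > add the group, keep default Read) is done in dnsmgmt.msc.
}

# Guard rail from the answer: the group must not be nested in a high-privilege group.
function Test-NotPrivileged {
    $Privileged = 'DnsAdmins', 'Domain Admins', 'Enterprise Admins', 'Administrators'
    $MemberOf = (Get-ADGroup -Identity $GroupName -Properties MemberOf).MemberOf |
        ForEach-Object { (Get-ADGroup -Identity $_).Name }
    $Bad = @($MemberOf | Where-Object { $Privileged -contains $_ })
    if ($Bad.Count -gt 0) { Write-Warning "$GroupName is nested in: $($Bad -join ', ')" }
    return ($Bad.Count -eq 0)
}

# The author's acceptance test, run while logged on as one of the delegated users.
function Test-DnsDelegation {
    param([string]$Server = 'DC01', [string]$Zone = 'corp.example.com')
    $Result = [ordered]@{}
    try {   # own record: create and delete must both succeed
        Add-DnsServerResourceRecordA -ComputerName $Server -ZoneName $Zone -Name 'deleg-test' -IPv4Address '10.0.0.50' -ErrorAction Stop
        Remove-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name 'deleg-test' -RRType A -Force -ErrorAction Stop
        $Result.OwnRecordCreateDelete = 'allowed (expected)'
    } catch { $Result.OwnRecordCreateDelete = "DENIED: $($_.Exception.Message)" }
    try {   # record created by another admin: deletion must be refused
        Remove-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name 'printer01' -RRType A -Force -ErrorAction Stop
        $Result.OtherRecordDelete = 'ALLOWED: delegation is too broad'
    } catch { $Result.OtherRecordDelete = 'denied (expected)' }
    try {   # server configuration: re-applying the current forwarder list must be refused
        $Current = (Get-DnsServerForwarder -ComputerName $Server).IPAddress
        Set-DnsServerForwarder -ComputerName $Server -IPAddress $Current -ErrorAction Stop
        $Result.ForwarderChange = 'ALLOWED: delegation is too broad'
    } catch { $Result.ForwarderChange = 'denied (expected)' }
    return [pscustomobject]$Result
}
```

Any "ALLOWED: delegation is too broad" row means the group picked up more than the default server-level Read and should be checked for nesting with Test-NotPrivileged.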