Creating a group of DNS users (allow creating of records but nothing else)

Posted on 2014-08-07
Last Modified: 2014-08-13
I would like to create a group in AD that allows a particular set of users to create records in DNS but not delete or change anything else such as forwarders, etc... they would only have access to create a record.

Is this possible?

Question by:rssystems
    LVL 28

    Expert Comment

    Here is a link to the specific permissions and default groups for DNS updates:

    You can also take a look at the link below on steps to change DNS permissions:

    In your case I would simply create a new group and assign the relevant permissions; users in that group should be able to write and delete the records they create but no other records in the zone.

    You may also want to look into auditing zone / record deletion:
    LVL 34

    Accepted Solution

    This is possible.
    All you need to do:
    1. Create one global security group in the domain.
    2. Add all required users to this group.
    3. Go to the DNS management console on any one DC, and go to DNS server properties \ Security tab.
    4. Add the above group there; the default Read permission will be set automatically, and that's all.
    Now you can access the DNS management console from any workstation with RSAT with the delegated user logon, or log on directly to a DC with the delegated users. They will be able to add resource records, CNAME records and PTR records, and will get permission to delete only those records which they have created.
    They can't delete other records created by other admins \ delegated users.
    In fact they can't change any other server configuration.

    Note: do not add the above group to any high-privilege group such as DnsAdmins, etc.
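    The four steps above, scripted as an added example (this is not code from the thread; it uses the ActiveDirectory module from RSAT, and the group name, OU, member names and domain are placeholders). The DNS Manager "Security" tab has no dedicated DnsServer cmdlet; the script assumes that on an AD-integrated DNS server that tab edits the ACL of the MicrosoftDNS container in the domain partition, so it writes the Read ACE there and you should confirm the result in the Security tab afterwards. It finishes with the check the note asks for: that the new group is not nested in a privileged group.

```powershell
# Added example, not from the original thread. Run as a domain admin.
Import-Module ActiveDirectory

$GroupName = 'DNS-RecordCreators'            # placeholder group name
$GroupPath = 'OU=Groups,DC=corp,DC=example'  # placeholder OU for the group
$Members   = @('jdoe', 'asmith')             # placeholder sAMAccountNames
$DomainDN  = (Get-ADDomain).DistinguishedName

# Step 1: one global security group in the domain (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# Step 2: add the required users.
Add-ADGroupMember -Identity $GroupName -Members $Members

# Steps 3 and 4: grant the group Read at the DNS *server* level.
# Assumption: the server-level Security tab maps to this container; verify in DNS Manager.
$DnsContainer = "AD:\CN=MicrosoftDNS,CN=System,$DomainDN"
$Sid = (Get-ADGroup -Identity $GroupName).SID
$Acl = Get-Acl -Path $DnsContainer
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$Acl.AddAccessRule($Ace)
Set-Acl -Path $DnsContainer -AclObject $Acl

# Guardrail from the note above: the delegated group must not be a (direct) member
# of any high-privilege group, otherwise the "Read only" delegation is meaningless.
$Privileged = @('DnsAdmins', 'Domain Admins', 'Enterprise Admins', 'Administrators')
$Parents    = Get-ADPrincipalGroupMembership -Identity $GroupName | Select-Object -ExpandProperty Name
$Overlap    = $Parents | Where-Object { $Privileged -contains $_ }
if ($Overlap) {
    Write-Warning "$GroupName is nested in privileged group(s): $($Overlap -join ', ')"
} else {
    Write-Host "$GroupName is not nested in any privileged group."
}
```

    Get-ADPrincipalGroupMembership only reports direct memberships, so if you use nested groups heavily, walk the chain (for example by checking each parent again) before trusting the guardrail.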
    LVL 28

    Expert Comment

    Mahesh can you tell me what you said in your post that I did not ?

    I think I indicated permissions and default roles the same idea you advanced of having a specific group and even suggested auditing.

    Just trying to be sure if you added something that was not already suggested.
    LVL 34

    Expert Comment


    What I have suggested is the exact \ specific answer the author is looking for, I think.

    The articles you referred to are talking about the DnsAdmins group. Also, if you look at my comment, I am talking about the *server* level permissions and not zone level permissions; in fact simply adding zone level permissions won't let the user connect to the DNS management console. Adding permissions at the server level is important here.

    The important fact here is that just adding the group at the DNS server level automatically grants the default Read permission, and there is no need to provide *relevant* permissions at the zone level like you said in your comment.
    The default Read permission will take care of adding and deleting records for the respective users.

    If the author thinks that there is no difference between both comments, and if he got what he needs from your comment, he will grant you full points; I don't have any issue with that.

    Author Comment

    Thanks everyone for your help... I created the security group and added a test account. I added the group as suggested to DNS > Properties > Security and confirmed it only gives Read. I then was able to access DNS via MMC > DNS. Tested creating a record and it worked; deleted the record successfully. I tried to delete other records and received access denied, which is as described and what I needed. I then tried to create a forwarder and it appears to almost let you > it allows you to actually add the forwarder, but as soon as you hit Apply -- access denied.

    Works perfect... thanks everyone,
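    The acceptance test the author ran by hand, as an added example that is not part of the thread: a small harness built on the DnsServer module from RSAT, to be run while logged on as a member of the delegated group. The server name, zone, record names and IP addresses are placeholders; the "someone else's record" case only proves anything if that record really exists and was created by another account.

```powershell
# Added example, not from the original thread. Run as the delegated (non-admin) user
# from a workstation with RSAT; every cmdlet targets the DNS server remotely.
Import-Module DnsServer

$DnsServer = 'dc01.corp.example'   # placeholder DNS server
$Zone      = 'corp.example'        # placeholder AD-integrated zone
$TestName  = 'delegation-test'     # placeholder record this user will create
$Existing  = 'fileserver01'        # placeholder record created by another admin

function Test-Step {
    param([string]$Label, [scriptblock]$Action, [bool]$ExpectSuccess)
    try {
        & $Action | Out-Null
        $Outcome = 'succeeded'
    } catch {
        $Outcome = "denied/failed: $($_.Exception.Message)"
    }
    $Passed   = (($Outcome -eq 'succeeded') -eq $ExpectSuccess)
    $Tag      = if ($Passed) { 'OK  ' } else { 'FAIL' }
    $Expected = if ($ExpectSuccess) { 'success' } else { 'access denied' }
    "[{0}] {1} -> {2} (expected {3})" -f $Tag, $Label, $Outcome, $Expected
}

# -ErrorAction Stop turns access-denied into a terminating error the try/catch sees.
Test-Step 'Create own A record' {
    Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
        -Name $TestName -IPv4Address '192.0.2.10' -ErrorAction Stop
} $true

Test-Step 'Delete own A record' {
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
        -Name $TestName -RRType A -Force -ErrorAction Stop
} $true

Test-Step "Delete someone else's record" {
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
        -Name $Existing -RRType A -Force -ErrorAction Stop
} $false

Test-Step 'Add a server forwarder' {
    Add-DnsServerForwarder -ComputerName $DnsServer -IPAddress '192.0.2.53' -ErrorAction Stop
} $false
```

    Expected output for a correct delegation is two OK lines for the user's own record and two OK lines where the outcome is denied; a FAIL on the forwarder or on the other admin's record means the group has more than the default Read at server level, which is exactly what the note about privileged group membership warns against.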
