Creating a group of DNS users (allow creating of records but nothing else)

I would like to create a group in AD that allows a particular set of users to create records in DNS but not delete or change anything else such as forwarders, etc... they would only have access to create a record.

Is this possible?

1 Solution
Here is a link to the specific permissions and default groups for DNS updates:

You can also take a look at the link below on steps to change DNS permissions:

In your case, I would simply create a new group and assign the relevant permissions; users in that group should be able to write and delete the records they create, but no other records in the zone.

You may also want to look into auditing zone / record deletion:
This is possible.
All you need to do:
  • Create one global security group in the domain.
  • Add all required users to this group.
  • Go to the DNS management console on any one DC, and open DNS server properties\Security tab.
  • Add the above group there; the default Read permission will be set automatically, and that's all.
Now you can access the DNS management console from any workstation with RSAT with the delegated user logon, or log on to a DC directly with the delegated users. They will be able to add resource records, CNAME records and PTR records, and will get permission to delete only those records which they have created.
They can't delete other records created by other admins \ delegated users.
In fact, they can't change any other server configuration.

Note: do not add the above group to any high-privilege group such as DnsAdmins etc.
Mahesh, can you tell me what you said in your post that I did not?

I think I indicated permissions and default roles, the same idea you advanced of having a specific group, and even suggested auditing.

Just trying to be sure if you added something that was not already suggested.

What I have suggested is the exact \ specific answer the author is looking for, I think.

The articles you referred to are talking about the DnsAdmins group; also, if you look at my comment, I am talking about the *server* level permissions and not zone level permissions. In fact, simply adding zone level permissions won't let the user connect to the DNS management console. Adding permissions at the server level is important here.

The important fact here is that just adding the group at the DNS server level automatically grants default read permissions, and there is no need to provide *relevant* permissions at the zone level like you said in your comment.
The default read permission will take care of adding and deleting records for the respective users.

If the author thinks that there is no difference between both comments and if he got what he needs from your comment, he will grant you full points; I don't have any issues with that.
rssystems (Author) commented:
Thanks everyone for your help... I created the security group and added a test account. I added the group as suggested to DNS > Properties > Security and confirmed it only gives read only. I was then able to access DNS via MMC > DNS. Tested creating a record and it worked; deleted the record successfully. I tried to delete other records and received access denied, which is as described and what I needed. I then tried to create a forwarder and it appears to almost let you: it allows you to actually add the forwarder, but as soon as you hit Apply -- access denied.

Works perfectly... thanks everyone.
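Mahesh's group setup and the author's hands-on verification, as an added PowerShell example that is not code from this thread; the group name, OU path, DC name, zone name, user name and probe record names are assumptions. The server-level Properties > Security tab step stays the GUI step the thread describes and is not scripted here.

```powershell
# Added example (not from the thread). Assumed names: group 'DNS-RecordCreators',
# OU 'OU=Groups,DC=corp,DC=example', DC 'dc01', zone 'corp.example', user 'jdoe'.
# Step 1 (run as a domain admin): the global security group from Mahesh's steps.
Import-Module ActiveDirectory
New-ADGroup -Name 'DNS-RecordCreators' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example' -Description 'May create DNS records only'
Add-ADGroupMember -Identity 'DNS-RecordCreators' -Members 'jdoe'
# Step 2: add the group on the DNS server's Properties > Security tab (Read is the
# default), exactly as described in the thread. That GUI step is not scripted here.
# Also create a throwaway record owned by the admin so the "delete someone else's
# record" check below never touches a production record.
Add-DnsServerResourceRecordA -ComputerName 'dc01' -ZoneName 'corp.example' `
    -Name 'delegation-probe-admin' -IPv4Address '10.0.0.250'

# Step 3 (run as the delegated user, e.g. jdoe, from an RSAT workstation):
# repeat the author's manual test and report one result per check.
function Test-DnsDelegation {
    param([string]$Server = 'dc01', [string]$Zone = 'corp.example')
    $ErrorActionPreference = 'Stop'   # make access-denied errors catchable
    $r = [ordered]@{}
    try {
        Add-DnsServerResourceRecordA -ComputerName $Server -ZoneName $Zone `
            -Name 'delegation-probe' -IPv4Address '10.0.0.251'
        $r.CreateOwnRecord = 'allowed'            # expected
    } catch { $r.CreateOwnRecord = "denied: $($_.Exception.Message)" }
    try {
        Remove-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone `
            -RRType A -Name 'delegation-probe' -Force
        $r.DeleteOwnRecord = 'allowed'            # expected
    } catch { $r.DeleteOwnRecord = "denied: $($_.Exception.Message)" }
    try {
        Remove-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone `
            -RRType A -Name 'delegation-probe-admin' -Force
        $r.DeleteOthersRecord = 'ALLOWED - delegation too broad'
    } catch { $r.DeleteOthersRecord = 'denied' }  # expected
    try {
        Add-DnsServerForwarder -ComputerName $Server -IPAddress '192.0.2.53'
        $r.AddForwarder = 'ALLOWED - delegation too broad'
        # undo the unwanted change if the ACL let it through
        Remove-DnsServerForwarder -ComputerName $Server -IPAddress '192.0.2.53' -Force
    } catch { $r.AddForwarder = 'denied' }        # expected
    return [pscustomobject]$r
}
Test-DnsDelegation | Format-List
```

With the thread's setup the expected output is allowed, allowed, denied, denied; any "ALLOWED - delegation too broad" line means the group was granted more than the default Read at server level or was nested into DnsAdmins.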
