Allow a Non-Administrator User to Create and Modify Records in DNS on a Limited Basis

Achmad Fathur Rizki 1 Reputation point

I am a beginner in using Windows Server. Is there a way to allow a non-administrator user to create and modify records in DNS on a limited basis? However, the DNSAdmins group will give the user the ability to perform all tasks on the DNS server. I only want them to be able to create new records, modify existing records, and can’t delete existing records.

What I have done is:

  1. Create a new security group named "DNSAdminLimited".
  2. Add that new user (non-admin) to the new group.
  3. In the DNS Manager, grant permission on MicrosoftDNS which allows everything other than “delete all child objects” to the new group. Then, choose “applies to this object and all descendant object.”

After I tried the method above, non-admin user can create DNS records but can also delete them. Is there any solution to my problem above? Thank you.

(Note: non-admin user create a DNS record via the command prompt (dnscmd.exe) because they cannot access MMC to access DNS Manager)

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,395 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,962 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,023 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 32,596 Reputation points


    You can try 2 options to block the deletion permission:

    • Go to DNS zone properties , then security tab where you can check deny for delete permission:

    You can on security tab go to advanced and uncheck the delete permission:

    You can see attached images.


    Please don't forget to mark helpful reply as answer [2]: /api/attachments/61539-image.png?platform=QnA

    0 comments No comments

  2. Achmad Fathur Rizki 1 Reputation point

    Thanks for your answer.

    I've tried it and it turns out that non-admin users are still able to delete A records in DNS. Here I attached some configurations that I did and the results I got.

    Do you know why this happened?

    0 comments No comments

  3. Sunny Qi 10,896 Reputation points Microsoft Vendor

    Hi @Achmad Fathur Rizki ,

    Thanks for posting in Q&A platform.

    Based on provided screenshot of zone deny permission advanced, for Applies to Option, please configure to This object and all descendant objects to see if this Group can still delete the resource record in DNS.


    Best Regards,


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  4. Achmad Fathur Rizki 1 Reputation point

    Thanks for your answer,

    I’ve tried the method above but it still failed. Here I attached the screenshots below.

    Besides that, I also read an article related to DNS at the following url:

    From the results of the forum above, can it be concluded that what I want cannot be done?

  5. Nathan Shaw 1 Reputation point

    In your step 3, choose 'Apply to descendant objects only'. To check this has given correct permissions, you can look at the permissions on a DNS record - you will see this new permission showing as inherited.

    Please note also, if following the method above, the permission to exclude is 'delete' (rather than delete all child objects').

    Also consider that modify is just as destructive as delete, and depending on your use case you might actually need delete.

    0 comments No comments