Allow a Non-Administrator User to Create and Modify Records in DNS on a Limited Basis

Achmad Fathur Rizki 1 Reputation point
2021-01-28T09:06:37.103+00:00

I am a beginner in using Windows Server. Is there a way to allow a non-administrator user to create and modify records in DNS on a limited basis? The DNSAdmins group would give the user the ability to perform all tasks on the DNS server. I only want them to be able to create new records and modify existing records, but not delete existing records.

What I have done is:

  1. Create a new security group named "DNSAdminLimited".
  2. Add that new user (non-admin) to the new group.
  3. In the DNS Manager, grant permission on MicrosoftDNS to the new group, allowing everything other than "Delete all child objects". Then choose "This object and all descendant objects" under "Applies to".

After I tried the method above, the non-admin user can create DNS records but can also delete them. Is there any solution to my problem above? Thank you.

(Note: the non-admin user creates DNS records via the command prompt (dnscmd.exe) because they cannot access the MMC to open DNS Manager.)


5 answers

  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2021-01-28T22:26:45.87+00:00

    Hi,

    You can try 2 options to block the delete permission:

    • Go to the DNS zone properties, then the Security tab, where you can check Deny for the Delete permission.

    • Or, on the Security tab, go to Advanced and uncheck the Delete permission.

    You can see the attached images.

    ----------

    Please don't forget to mark the helpful reply as the answer.


  2. Achmad Fathur Rizki 1 Reputation point
    2021-01-29T02:18:31.377+00:00

    Thanks for your answer.

    I've tried it and it turns out that non-admin users are still able to delete A records in DNS. Here I have attached some of the configuration that I did and the results I got.

    Do you know why this happened?


  3. Anonymous
    2021-01-29T06:46:12.237+00:00

    Hi @Achmad Fathur Rizki ,

    Thanks for posting in Q&A platform.

    Based on the provided screenshot of the zone's Deny permission in Advanced view, for the "Applies to" option, please configure "This object and all descendant objects" and see if this group can still delete the resource record in DNS.


    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Achmad Fathur Rizki 1 Reputation point
    2021-02-01T01:43:57.94+00:00

    Thanks for your answer,

    I've tried the method above but it still failed. Here I have attached the screenshots below.

    Besides that, I also read an article related to DNS at the following URL:
    grant-user-read-access-to-dns-server

    From the results of the forum above, can it be concluded that what I want cannot be done?


  5. Nathan Shaw 1 Reputation point
    2022-05-23T19:12:03.65+00:00

    In your step 3, choose 'Apply to descendant objects only'. To check this has given correct permissions, you can look at the permissions on a DNS record - you will see this new permission showing as inherited.

    Please note also, if following the method above, the permission to exclude is 'Delete' (rather than 'Delete all child objects').

    Also consider that modify is just as destructive as delete, and depending on your use case you might actually need delete.

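The following is an added example, not part of the thread or any answer in it, showing how the permission model described in the last two replies (allow create and modify on the zone and its records, deny Delete on descendant objects only) can be applied and verified with PowerShell instead of the DNS Manager GUI. It assumes an Active Directory-integrated zone and uses placeholder names throughout: domain contoso.com, zone contoso.com stored in the DomainDnsZones partition, and the security group "DNSAdminLimited" from the question. Run it as an account that can edit the zone's ACL.

```powershell
# Added example (not from the original thread). Placeholders: contoso.com domain,
# zone "contoso.com" in DomainDnsZones, group "DNSAdminLimited".
Import-Module ActiveDirectory

$zoneDn   = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$zonePath = "AD:\$zoneDn"
$group    = Get-ADGroup 'DNSAdminLimited'
$sid      = [System.Security.Principal.SecurityIdentifier]$group.SID

$acl = Get-Acl -Path $zonePath

# 1. Allow: create child objects (new records) and read/write properties
#    (modify records) on the zone object and everything beneath it.
#    Deliberately no DeleteChild here: deleting a record can also be
#    authorised by DeleteChild on its parent, not only by Delete on the record.
$allowRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, ReadProperty, WriteProperty, GenericRead'
$allow = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $allowRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($allow)

# 2. Deny: Delete on descendant objects only (the dnsNode record objects),
#    as suggested in the last reply, so the zone object itself is untouched.
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::Delete,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
$acl.AddAccessRule($deny)

Set-Acl -Path $zonePath -AclObject $acl

# 3. Verify on one record: the Deny ACE should appear with IsInherited = True.
#    Any ACE for the group with IsInherited = False is an explicit entry on the
#    record and is evaluated before the inherited Deny.
$record    = Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' -ResultSetSize 1
$recordAcl = Get-Acl -Path "AD:\$($record.DistinguishedName)"
$recordAcl.Access |
    Where-Object { $_.IdentityReference -like '*DNSAdminLimited*' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType
```

Two points worth keeping in mind when reading the verification output. Windows evaluates explicit ACEs on an object before inherited ones, so an explicit Allow that grants Delete on a particular record overrides the inherited Deny set on the zone; and the owner of an object implicitly holds READ_CONTROL and WRITE_DAC, so a record owned by the limited account can have its ACL rewritten by that account regardless of the inherited entries. If records created by the limited user still turn out to be deletable, step 3 run against one of those records will show whether an explicit Allow or ownership is the reason.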
