Configure the Discretionary Access Control List (DACL)

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Configure discretionary access control lists (DACLs) to manage permission settings for DNS zones that are stored in Active Directory. Use DACLs to enable only certain users or groups to create, delete, and change zone data. For information about default DACL settings, see Securing DNS Zones.

You cannot use DACLs to manage zones that are not stored in Active Directory.

Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To configure the DACL for an Active Directory–integrated zone

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure.

  3. In the console tree, open Forward Lookup Zones or Reverse Lookup Zones, and then click the name of the zone you wish to configure.

  4. On the Action menu, click Properties.

  5. On the General tab, verify that the zone type is Active Directory-Integrated.

  6. On the Security tab, under Group or user names, modify the list of users or groups that have permissions specified for the zone.

  7. On the Security tab, modify the list of users and groups with special permission settings for this zone, and then specify the permissions that are allowed or denied.
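The same review and change can be scripted. The following is an added example, not part of the original article and not Microsoft's own tooling: it reads the DACL of the zone object in Active Directory, lists every principal that currently holds write-class rights on it, and then grants one group the rights needed to create, delete, and change records without also granting WriteDacl or WriteOwner. It assumes the Active Directory module for Windows PowerShell is available (it ships with AD DS and RSAT on Windows Server 2008 R2) and uses hypothetical names: the domain contoso.com, a zone named contoso.com stored in the DomainDnsZones partition, and a security group CONTOSO\DNS Zone Editors. The distinguished name of a zone object depends on the zone's replication scope (DomainDnsZones, ForestDnsZones, or CN=MicrosoftDNS,CN=System in the domain partition), so adjust $zoneDn to match the zone you are working on.

```powershell
# Added example: audit and tighten the DACL on an Active Directory-integrated DNS zone
# from PowerShell instead of the DNS Manager Security tab. Not from the original article.
# Assumptions (hypothetical): domain contoso.com, zone contoso.com replicated to all DNS
# servers in the domain (DomainDnsZones partition), and a security group
# CONTOSO\DNS Zone Editors that should be allowed to create, delete and change records.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl / Set-Acl

$zoneDn   = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$zonePath = "AD:\$zoneDn"

# 1. Confirm the object exists and is a dnsZone (the scripted equivalent of checking
#    the General tab for "Active Directory-Integrated").
$zone = Get-ADObject -Identity $zoneDn -Properties objectClass
if ($zone.ObjectClass -ne 'dnsZone') { throw "$zoneDn is not a dnsZone object" }

# 2. Review the current DACL: which principals can write to the zone, change its
#    permissions, or take ownership of it? These are the entries worth justifying.
$acl = Get-Acl -Path $zonePath
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -match 'Write|GenericAll|WriteDacl|WriteOwner') } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

# 3. Grant the editors group the rights needed to create, delete and change records
#    (child objects of the zone). WriteDacl and WriteOwner are deliberately left out so
#    the group cannot widen its own access.
$group  = New-Object System.Security.Principal.NTAccount('CONTOSO', 'DNS Zone Editors')
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # zone and its records
$acl.AddAccessRule($rule)
Set-Acl -Path $zonePath -AclObject $acl

# 4. Re-read the DACL from the directory and verify the new ACE landed as intended.
(Get-Acl -Path $zonePath).Access |
    Where-Object { $_.IdentityReference -eq 'CONTOSO\DNS Zone Editors' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Run it in an elevated Windows PowerShell session under an account that is a member of DnsAdmins or Domain Admins, as the procedure requires. Step 2 is the useful part to keep as a periodic check: any principal other than the expected administrative groups holding GenericAll, WriteDacl, or WriteOwner on a zone object can change zone data or grant itself further access, and should show up in that listing before it shows up in an incident.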

See Also


Configure AD Integrated Zones
Checklist: Implementing a Secure DNS Configuration