I would like to be able to allow a specific user to delete DNS records from my Active Directory-integrated DNS zones.
One zone is replicated to all DNS servers on DCs in the domain (so in DomainDnsZones).
Another zone is replicated to all domain controllers in the domain (so in CN=System,CN=MicrosoftDNS,DC= in the domain).
The reverse lookup zones are replicated to all DNS servers in the forests (so in ForestDNSZones).
I've tried adding `Delete` on `All descendant objects` to the zone in DomainDnsZones and the appropriate reverse lookup zone in ForestDNSZones. For example, using `Get-Acl` on the DomainDnsZone shows (for the specified account):
ActiveDirectoryRights : Delete
AccessControlType : Allow
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
InheritanceType : Descendents
but I get ACCESS DENIED when I try to delete a sample record using DNSCMD.
Why isn't this sufficient? What else do I need to do?
Best Answer
It's amazing that this information is so difficult to find. I wasn't able to find a single resource that effectively explained this, but I needed to delegate the deletion of records to a service account and I wanted to do so with the least privilege. After much trial and error, I came up with this, applied to the zone itself (this fit my needs, you may need to bring it up a level in ADSI Edit):
`Delete` and `Write all properties`
Applied to: `All descendant objects`
You likely need `Read` if it isn't already granted through some other membership. I specifically did not need `Delete all child objects` on the parent; this seemed to do nothing.
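The ACE described in the answer above, expressed as a PowerShell script rather than ADSI Edit clicks. This is an added example and not the answerer's own code; the zone distinguished name, the domain, and the service account name `svc-dnsclean` are placeholders that must be replaced with your own values. It grants `Delete` and `WriteProperty` (the "Write all properties" entry) with `Descendents` inheritance on the zone object, adds `GenericRead` only if the account does not already have it, and then re-reads the ACL to confirm the entry landed exactly as intended.

```powershell
# Added example: delegate record deletion on one AD-integrated DNS zone
# with least privilege. Assumptions (placeholders): the zone lives in
# DomainDnsZones of contoso.com and the delegate is the user svc-dnsclean.
Import-Module ActiveDirectory

$zoneDn     = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$zonePath   = "AD:\$zoneDn"
$delegate   = Get-ADUser -Identity 'svc-dnsclean'
$sid        = $delegate.SID

# Delete + WriteProperty on all descendant objects (the dnsNode records),
# inherit-only so the zone object itself is not deletable by the delegate.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path $zonePath

# Add GenericRead only when no existing ACE already grants it to this SID.
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
}
if (-not $hasRead) {
    $rights = $rights -bor [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
}

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
)
$acl.AddAccessRule($ace)
Set-Acl -Path $zonePath -AclObject $acl

# Verify: print the entries for the delegate and flag anything broader than
# what we intended (e.g. a stray GenericAll or a non-inherit-only ACE).
$check = (Get-Acl -Path $zonePath).Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}
$check | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, PropagationFlags -AutoSize

foreach ($entry in $check) {
    if ($entry.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
        Write-Warning "Delegate has GenericAll on $zoneDn; that is far more than record deletion."
    }
    if ($entry.PropagationFlags -notmatch 'InheritOnly' -and
        ($entry.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete)) {
        Write-Warning "Delete applies to the zone object itself, not only to its records."
    }
}
```

Run this as an account that can modify the zone's security descriptor (typically a Domain Admin or DnsAdmins member). For a zone stored in ForestDNSZones, change only `$zoneDn` to the corresponding `DC=ForestDnsZones,...` container; the ACE itself is the same. If a `Get-Acl` afterwards still shows only `Delete`, the missing `WriteProperty` is the usual reason `dnscmd /RecordDelete` returns ACCESS DENIED.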