
I would like to be able to allow a specific user to delete DNS records from my Active Directory-integrated DNS zones.

One zone is replicated to all DNS servers on DCs in the domain (so in DomainDnsZones).

Another zone is replicated to all domain controllers in the domain (so in CN=System,CN=MicrosoftDNS,DC= in the domain).

The reverse lookup zones are replicated to all DNS servers in the forests (so in ForestDNSZones).

I've tried adding Delete on All descendant objects to the zone in DomainDnsZones and the appropriate reverse lookup zone in ForestDnsZones. For example, using Get-Acl on the DomainDnsZones zone shows (for the specified account):

ActiveDirectoryRights : Delete
AccessControlType     : Allow
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly
InheritanceType       : Descendents

but I get ACCESS DENIED when I try to delete a sample record using DNSCMD.

Why isn't this sufficient? What else do I need to do?

user2871239

1 Answer


It's amazing that this information is so difficult to find. I wasn't able to find a single resource that effectively explained this, but I needed to delegate the deletion of records to a service account and I wanted to do so with the least privilege. After much trial and error, I came up with this, applied to the zone itself (this fit my needs, you may need to bring it up a level in ADSI Edit):

Delete and Write all properties Applied to: All descendant objects

You likely need Read if it isn't already granted through some other membership.

I specifically did not need Delete all child objects on the parent; this seemed to do nothing.

briantist
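The delegation briantist describes (Delete plus Write all properties, applied to all descendant objects of the zone object, with Read available through some other grant) can be applied and verified from PowerShell instead of ADSI Edit. The script below is an added example, not code from the question or the answer. It assumes the ActiveDirectory module (for the AD: drive), a hypothetical zone name, domain and service account, and that Read is not otherwise granted, so it includes GenericRead as a labelled assumption; drop that flag if your account already reads the zone. Switch $Partition to ForestDnsZones and $BaseDn to the forest root DN for the reverse lookup zones.

```powershell
# Added example (not from the original post). Delegates record deletion on one
# AD-integrated DNS zone to a service account using the rights from the answer:
# Delete + WriteProperty on all descendant objects of the zone object.
Import-Module ActiveDirectory

# --- Assumed values: replace with your own -----------------------------------
$ZoneName  = 'corp.example.com'        # hypothetical zone
$Partition = 'DomainDnsZones'          # or 'ForestDnsZones' for forest-wide zones
$BaseDn    = (Get-ADDomain).DistinguishedName   # forest root DN for ForestDnsZones
$Principal = 'CORP\svc-dnsclean'       # hypothetical service account
# ------------------------------------------------------------------------------

# Zone objects live under CN=MicrosoftDNS in the chosen application partition.
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=$Partition,$BaseDn"
$adPath = "AD:\$zoneDn"

$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
          [System.Security.Principal.SecurityIdentifier])

# Rights from the answer: Delete and WriteProperty ("Write all properties").
# GenericRead is an assumption here, covering the "you likely need Read" caveat;
# omit it if the account already reads the zone through another grant.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Inherit-only ACE on descendants: Get-Acl will show
# InheritanceType=Descendents, InheritanceFlags=ContainerInherit, PropagationFlags=InheritOnly.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Verify the ACE landed as intended on the zone object.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -eq $Principal } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritanceFlags, PropagationFlags

# Functional check, run as the delegated account once the ACL has replicated:
# dnscmd . /RecordDelete $ZoneName testhost A 10.0.0.5 /f
# (dnscmd arguments beyond /RecordDelete, zone, name and type are the usual ones; the
# record values here are constructed samples.)
```

The ACE is written to the zone object in the directory, so it must replicate to the DNS server the delegated account talks to before the deletion succeeds; checking with Get-Acl against that server's DC (Set-Acl and Get-Acl honour the -Server parameter of the AD provider's drive) avoids chasing a replication delay as an ACL problem.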