BojanZivkovic-7448 asked ·

Permission to create A/PTR DNS records only

Hi, I want to delegate permission to our VMware team to create new A/PTR records (usually when they add new appliances). How granular can I go with this (ideally) without giving them more permissions than they really need? I see the Authenticated Users group has permission to create all child objects in the DNS zone - this allows dynamic updates to work properly, I guess. Does it mean that any user (by being a member of the Authenticated Users group) can create A/PTR records in a given DNS zone?

windows-dhcp-dns

Hi,

Just checking in to see if the information provided was helpful.

If yes, you may accept the useful reply as the answer; if not, you are welcome to give feedback.

Best Regards,
Sunny

SunnyQi-MSFT answered ·

Hi,

Thanks for posting on the Q&A platform.

Does it mean that any user (by being a member of the Authenticated Users group) can create A/PTR records in a given DNS zone?

I have tested in my lab and found that even if the user is a member of the authenticated group, it cannot create A/PTR records in the specific DNS zone.

The option "Create all child objects" in the DNS zone is selected by default for the authenticated users group. It is neither related to permission to create A and PTR records in the specific DNS zone nor related to DNS dynamic update.

If the user was granted permission on the server level, it will have access to create A and PTR records in the zones which are held by the DNS server.

72412-image-1.jpg

A record

72373-image-2.jpg

PTR record

72384-image-3.jpg

Dynamic Update

Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. It's a computer behavior.

For more details, please refer to Dynamic Update in the following article:

How DNS Works


Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


BojanZivkovic-7448 answered ·

I have just completed some tests - a standard user with permissions (Read/Create All Child Objects) on the forward lookup zone only was able to create an A record. I do not want them to access other zones, but that would be implemented in GUI code with PS Studio anyway, where the zone name would be hard-coded.


Thank you very much for your feedback.

You could accept the useful reply as the answer if you want to close this thread. If there is anything else we can do for you, please feel free to post in the forum. Appreciate your understanding. :) Have a nice day!
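
An added example, not written by either participant in this thread: one way to audit which principals hold "Create child objects" on a single zone, and whether each entry covers every child class or only dnsNode (the object class behind A/PTR records). It assumes an AD-integrated zone stored in the DomainDnsZones partition; the function name and the zone name `corp.example.com` are hypothetical placeholders.

```powershell
# Requires the ActiveDirectory module (RSAT); run with read access to the zone.
Import-Module ActiveDirectory

function Get-DnsZoneCreateChildAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        # Assumption: the zone is stored in the DomainDnsZones partition.
        [string] $Partition = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    )

    # Resolve the dnsNode class GUID from the schema instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $dnsNode  = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID
    $dnsNodeGuid = [guid] $dnsNode.schemaIDGUID

    $zoneDn      = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    (Get-Acl -Path "AD:\$zoneDn").Access |
        Where-Object {
            # Allow ACEs whose rights include CreateChild (Full Control matches too).
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $createChild) -eq $createChild
        } |
        ForEach-Object {
            # An empty ObjectType GUID means the ACE applies to every child class.
            $scope = if ($_.ObjectType -eq [guid]::Empty) { 'all child classes' }
                     elseif ($_.ObjectType -eq $dnsNodeGuid) { 'dnsNode only' }
                     else { "class $($_.ObjectType)" }
            [pscustomobject]@{
                Identity   = $_.IdentityReference
                Rights     = $_.ActiveDirectoryRights
                ChildScope = $scope
                Inherited  = $_.IsInherited
            }
        }
}

# Placeholder zone name; replace with the zone being delegated.
Get-DnsZoneCreateChildAce -ZoneName 'corp.example.com' | Format-Table -AutoSize
```

Running it before and after a delegation change shows whether the new group appears only on the intended zone and what the Authenticated Users entry actually grants there.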
