Modify Security for a Resource Record

Applies To: Windows Server 2008

You can use this procedure to modify the security for a resource record and control who can update or remove a resource record in a directory-integrated zone. Resource records stored in a conventional zone file cannot be individually secured.

You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.

The following table lists the default group or user names and permissions for Domain Name System (DNS) resource records that are stored in Active Directory Domain Services (AD DS).

| Group or user names | Permissions |
|---|---|
| Administrators | Allow: Read, Write, Create All Child objects, Special Permissions |
| Authenticated Users | Allow: Create All Child objects |
| Creator Owner | Special Permissions |
| DnsAdmins | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
| Domain Admins | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
| Enterprise Admins | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
| Enterprise Domain Controllers | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
| Everyone | Allow: Read, Special Permissions |
| Pre-Windows 2000 Compatible Access | Allow: Special Permissions |
| System | Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |

Membership in DnsAdmins or Domain Admins in AD DS, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To modify security for a resource record

  1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, click the applicable zone.

  3. In the details pane, click the record that you want to view.

  4. On the Action menu, click Properties.

  5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.

Additional considerations

  • These security settings do not affect who may administer the zone where these resource records are located. For information about the security settings that affect who may administer a zone, see "Additional references."

  • Resource records with the same name share the same resource record security settings. The names of resource records are listed in the Name column of DNS Manager.
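
The Security tab in step 5 edits the access control list of the AD DS object (a dnsNode) that holds every record for one name, which is why records with the same name share settings. The following PowerShell is an added example, not part of the original article: it lists the principals that can change or delete that object and flags any that are not in the default table. The zone name, the record name, and the zone's location in the DomainDnsZones partition are assumptions to replace with your own.

```powershell
# Added example (not from the original article): report who can change or delete
# one DNS name in a directory-integrated zone by reading the ACL on its AD DS object.
# Assumptions (placeholders): the zone and record names below, and that the zone
# is stored in the DomainDnsZones application directory partition.
$ZoneName   = 'corp.example.com'
$RecordName = 'www'

# Leaf names of the default groups and users listed in the table above.
$DefaultNames = @(
    'Administrators', 'Authenticated Users', 'Creator Owner', 'DnsAdmins',
    'Domain Admins', 'Enterprise Admins', 'Enterprise Domain Controllers',
    'Everyone', 'Pre-Windows 2000 Compatible Access', 'System'
)

# Individual rights that allow updating or removing the record, or changing its
# security. GenericAll and GenericWrite are left out of the mask on purpose:
# they contain read bits and would match read-only entries. Entries that grant
# them still match here because both include WriteProperty.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
[int]$ChangeMask = $Rights::WriteProperty -bor $Rights::Delete -bor
    $Rights::DeleteTree -bor $Rights::WriteDacl -bor $Rights::WriteOwner

# Build the distinguished name of the dnsNode object for this record name.
$root     = [ADSI]'LDAP://RootDSE'
$domainDn = $root.psbase.Properties['defaultNamingContext'][0]
$nodeDn   = "DC=$RecordName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$node     = [ADSI]"LDAP://$nodeDn"

# Read explicit and inherited access rules, with identities shown as account names.
$rules = $node.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$rules |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $ChangeMask) -ne 0
    } |
    ForEach-Object {
        # Compare on the name after the domain or authority prefix.
        $leaf = ($_.IdentityReference.Value -split '\\')[-1]
        New-Object PSObject -Property @{
            Identity   = $_.IdentityReference.Value
            Rights     = $_.ActiveDirectoryRights
            Inherited  = $_.IsInherited
            NonDefault = ($DefaultNames -notcontains $leaf)
        }
    } |
    Sort-Object NonDefault -Descending |
    Format-Table Identity, Rights, Inherited, NonDefault -AutoSize
```

Names are compared by leaf name only, so for rows where NonDefault is False, confirm the domain or authority part of Identity before treating the entry as a default.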

Additional references