Modify Security for a Resource Record
Applies To: Windows Server 2008
You can use this procedure to modify the security for a resource record and control who can update or remove a resource record in a directory-integrated zone. Resource records stored in a conventional zone file cannot be individually secured.
You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.
The following table lists the default group or user names and permissions for Domain Name System (DNS) resource records that are stored in Active Directory Domain Services (AD DS).
| Group or user names | Permissions |
|---|---|
Administrators |
Allow: Read, Write, Create All Child objects, Special Permissions |
Authenticated Users |
Allow: Create All Child objects |
Creator Owner |
Special Permissions |
DnsAdmins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
Domain Admins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Enterprise Admins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Enterprise Domain Controllers |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
Everyone |
Allow: Read, Special Permissions |
Pre-Windows 2000 Compatible Access |
Allow: Special Permissions |
System |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Membership in DnsAdmins or Domain Admins in AD DS, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To modify security for a resource record
Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
In the console tree, click the applicable zone.
In the details pane, click the record that you want to view.
On the Action menu, click Properties.
On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.
Additional considerations
These security settings do not affect who may administer the zone where these resource records are located. For information about the security settings that affect who may administer a zone, see "Additional references."
Resource records with the same name share the same resource record security settings. The names of resource records are listed in the Name column of DNS Manager.