Active Directory DDNS security delegation question

Thread starter: Duncan

Duncan

I need to be able to delegate the deletion of records to a group in
our organization that manages servers. These users are not domain
admins. I know that there is a DNS Administrators group, but that
grants WAY too much. I looked through all of the security principals on
the objects for the zone, but could find nothing that made sense to
me. Nothing that I could attach to allowing only record deletion.

Is there any way to do this? If not, is there some combination of
limited rights that could come close?

Also remember that if you allow deleting records, problems could occur
if the wrong records are deleted.

What is the reason behind this delegation question?

Do you want to remove records from servers and/or clients that do not
exist anymore? If so, you might want to enable DNS scavenging.
Look at: http://myitforum.techtarget.com/articles/16/view.asp?id=6287
 
I am using scavenging now, but mandated at intervals that do not help
with the problem we see. The reason for this is that we have server
engineers who may have to rebuild servers that they cannot unjoin
from the domain for one reason or another.

I am aware that they can remove undesired records, but DDNS re-creates
them anyway. We have very few and tightly controlled static entries
that could be easily recreated if needed.

It is a risk that is acceptable for this group, but I do not want to
add to that risk the possibility for them to create or delete zones or
any other functions. If possible, I do not want them creating records
either.
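Added example, not from anyone in this thread: one way to scope the delegation Duncan describes (delete records, but no create, no zone-level rights) for an AD-integrated zone, by putting an ACE on the zone's container in the directory rather than using the DNS Administrators group. It assumes the zone corp.example.com lives in the DomainDnsZones partition and that the delegate group is CORP\SRV-DNS-Deleters; both are placeholders.

```powershell
# Added example, not from the thread. Assumptions: zone corp.example.com is AD-integrated
# and stored in the DomainDnsZones partition; the delegate group is CORP\SRV-DNS-Deleters.
# Run on a DC (or a host with the ActiveDirectory module) as a domain admin.
Import-Module ActiveDirectory

$zoneDn = 'DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com'
$group  = New-Object System.Security.Principal.NTAccount('CORP', 'SRV-DNS-Deleters')

# Resolve the schema GUID of the dnsNode class so the ACE applies only to record objects.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$dnsNode  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=dnsNode)' `
                         -Properties schemaIDGUID
$dnsNodeGuid = [guid]$dnsNode.schemaIDGUID

# Delete Child, limited to dnsNode objects, on the zone container only (no inheritance):
# the group can remove record objects under this one zone but gets no Create Child,
# no write on the zone object itself, and nothing on other zones or the
# MicrosoftDNS container, so it cannot create or delete zones.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $dnsNodeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Read the DACL back and show only what this group now holds, so the result can be
# checked before the group is told about it.
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# Caveat: when a DNS server removes the last record of a node in an AD-integrated zone
# it tombstones the dnsNode (sets dNSTombstoned, clears dnsRecord) rather than deleting
# it, so verify in a lab; if deletes are refused, the group would additionally need write
# access to those attributes on the child nodes, which also lets it modify existing records.
```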