DnsAdmins

  • Thread starter: Laz

Laz

Server 2003, DNS running on the DC.

I have added users to the DnsAdmins group but they are unable to
create records.

Security on the Server in the DNS Management tool indicates the group
is present at the server.

Security on the forward lookup zone doesn’t have it. We did a base
DC / DNS install in a workshop recently and it was configured just
like this.

Laz
 
Laz said:
Server 2003, DNS running on the DC.

I have added users to the DnsAdmins group but they are unable
to create records.

Security on the Server in the DNS Management tool indicates
the group is present at the server.

Security on the forward lookup zone doesn't have it. We did a
base DC / DNS install in a workshop recently and it was
configured just like this.

Laz

Correction. The users can add and delete records they create but
cannot administer other DNS records.
 
Laz said:
Correction. The users can add and delete records they create
but cannot administer other DNS records.

Well, the DNS Admins group can by default administer the DNS server
itself but not the zones. The reason they can create and delete (own
records) is that authenticated users have permissions to create child
objects (in other words, DNS records in the zone) and they can delete
the records they are owner of. They cannot delete the records they are
not an owner of. Be very careful with allowing users to delete DNS
records. If it is an AD-I zone for AD, then that zone also contains
records for your DCs and other servers. If they screw up by deleting
the records they do not have, you may have a problem. I would not give
permissions to my users to delete DNS records they do not own!
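
Added example, not part of the original thread or any poster's code: a read-only PowerShell audit of the permissions discussed above, listing which principals hold write or delete rights on an AD-integrated zone and who owns each record. It assumes the ActiveDirectory module is available on the admin workstation and that the zone lives in the DomainDnsZones partition; the zone DN shown is a placeholder.

```powershell
# Added example: audit who can modify or delete records in an AD-integrated DNS zone.
# Assumptions: the ActiveDirectory module (AD: drive) is available on this host,
# and $ZoneDn is a PLACEHOLDER that must be replaced with your own zone container DN.
Import-Module ActiveDirectory

$ZoneDn = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'  # placeholder

# Rights that let a principal change or remove records it does not own.
# GenericAll and GenericWrite contain these bits, so the mask below catches them too.
$Risky = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteChild, DeleteTree, WriteDacl, WriteOwner'

# 1) Zone-level Allow ACEs carrying any of those rights, and whether they were inherited.
(Get-Acl -Path "AD:\$ZoneDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band [int]$Risky) -ne 0
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 2) Owner of each record object in the zone. The thread notes that users can
#    delete the records they own, so unexpected owners are worth reviewing.
Get-ChildItem -Path "AD:\$ZoneDn" |
    ForEach-Object {
        [pscustomobject]@{
            Record = $_.Name
            Owner  = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
        }
    } |
    Sort-Object Owner, Record |
    Format-Table -AutoSize
```

The script only reads ACLs; compare the first table against the groups you expect to manage the zone before granting anything further.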
 