DNS Admin Permission Denied


This topic contains 3 replies, has 3 voices, and was last updated by a Participant 4 months ago.

  • #108400

    Participant
    Points: 1
    Rank: Member

    Hello All,

    I have set something up to create and delete DNS records. I have a specific user doing both actions. The user in question has DNS Admin rights in Active Directory. I am performing all actions via PowerShell; the creation of A and PTR DNS records works exactly as expected with this user. When the user goes to remove the records, the PTR record is deleted correctly; however, the "A" record is not deleted and the error generated is:

    + CategoryInfo          : PermissionDenied: (GoodDeal3:root/Microsoft/...rResourceRecord) [Remove-DnsServerResourceRecord], CimException

    + FullyQualifiedErrorId : WIN32 5,Remove-DnsServerResourceRecord

    If the user tries to delete the record via the DNS GUI (RSAT tool) there is no issue.

    So my question is: has anyone else run into this issue, and if so, how did you resolve it?

    Thanks,

    Scott

  • #108401

    Keymaster
    Points: 1,704
    Helping HandTeam Member
    Rank: Community Hero

    I'm pretty sure the DNS commands are using CIM (WMI) under the hood; there may be something in the WMI repository on the server that's not set right. The GUI tools don't use CIM, so they don't encounter any extra security that layer may be putting in.

  • #108409

    Participant
    Points: 1
    Rank: Member

    Thanks for the fast reply Don.

    The command I was using is as follows:

    Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer -Force


    The above command works exactly as expected if I run it as a domain admin. I found that, in order to get it to run with the delegated DNS Admin permissions, I need to modify the command to be like the following:

    Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer  -RecordData $ip -Force


    The difference is the -RecordData parameter. I think I have the issue solved with this change. Thanks to everyone who looked at my issue.

    Thanks,

    Scott

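The fix in the post above (passing -RecordData so that one record is removed instead of the whole dnsNode) as a reusable function. This is an added example, not code from the thread: it looks up the existing A records with Get-DnsServerResourceRecord, removes only the one whose address matches, and on a WIN32 5 (access denied) CimException reports the distinguished name of the dnsNode whose ACL should be inspected. Assumptions: the DnsServer and ActiveDirectory RSAT modules are installed, the zone is AD-integrated in the DomainDnsZones partition, and the names in the example call (web01, corp.example, dc01) are hypothetical.

```powershell
#Requires -Modules DnsServer
function Remove-DelegatedARecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [ipaddress] $IPv4Address,
        [Parameter(Mandatory)] [string]    $ZoneName,
        [Parameter(Mandatory)] [string]    $DnsServer
    )

    # Enumerate the A records under this name so one record (name + address)
    # can be targeted instead of the whole dnsNode object.
    $records = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType A `
                    -ComputerName $DnsServer -ErrorAction SilentlyContinue)
    if (-not $records) {
        Write-Warning "No A record named '$Name' found in zone '$ZoneName' on $DnsServer."
        return
    }

    # Keep only the record whose address matches; any other A records stay untouched.
    $target = $records | Where-Object { $_.RecordData.IPv4Address -eq $IPv4Address }
    if (-not $target) {
        Write-Warning "'$Name' exists but has no A record for $IPv4Address; nothing removed."
        return
    }

    if ($PSCmdlet.ShouldProcess("$Name -> $IPv4Address in $ZoneName", 'Remove A record')) {
        try {
            # -RecordData is what distinguishes "remove this one record" from
            # "delete the node and every record under it".
            Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType A `
                -RecordData $IPv4Address.IPAddressToString -ComputerName $DnsServer `
                -Force -ErrorAction Stop
        }
        catch [Microsoft.Management.Infrastructure.CimException] {
            # WIN32 5 is ERROR_ACCESS_DENIED. Report where the ACL lives so the
            # delegated rights can be checked on the dnsNode object itself.
            # Assumes the ActiveDirectory module and a DomainDnsZones-partition zone.
            $domainDn = (Get-ADDomain).DistinguishedName
            $nodeDn   = "DC=$Name,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
            throw "Access denied removing $Name/$IPv4Address. Check the ACL on: $nodeDn`n$($_.Exception.Message)"
        }
    }
}

# Example call with hypothetical names; -WhatIf shows what would be removed without doing it.
# Remove-DelegatedARecord -Name 'web01' -IPv4Address '10.1.2.3' -ZoneName 'corp.example' -DnsServer 'dc01' -WhatIf
```

Because the function filters by address before removing, a name that resolves to several addresses (round-robin) loses only the one record you asked for; the original command without -RecordData would have tried to delete every A record under that name, which is the operation the delegated user was denied.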

  • #108419

    Participant
    Points: 332
    Helping Hand
    Rank: Contributor

    Good for you in reaching your success.

    I wanted to add this to your efforts prior to you arriving at where you are now, but it still may be useful to you in future efforts, or to others reading this later.

    How To Find And Add DNS Record Permissions With PowerShell
    http://www.tomsitpro.com/articles/powershell-dns-record-permissions,2-930.html

    Import-Module ActiveDirectory

    $DomainName = 'domain.com'
    $AdIntegrationType = 'Domain'   # 'Domain' or 'Forest': the DNS application partition the zone is stored in

    $DomainDn = (Get-ADDomain).DistinguishedName
    # Pass the SecurityIdentifier object itself; the access-rule constructor wants an IdentityReference, not a SID string
    $Sid = (Get-ADUser abertram).SID
    # 'Modify' is a FileSystemRights value, not an ActiveDirectoryRights value. A delegated user
    # must write the dnsRecord attribute and delete the dnsNode, so grant those two rights.
    $Rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, Delete'
    $AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $Rights, 'Allow')

    # Add the ACE to every dnsNode object currently under the zone container.
    # Note: this stamps existing nodes only; records created later will not carry the ACE
    # unless it is applied again (or set as an inheritable ACE on the zone container instead).
    Get-ChildItem "AD:\DC=$DomainName,CN=MicrosoftDNS,DC=${AdIntegrationType}DnsZones,$DomainDn" |
        ForEach-Object {
            $Path = "AD:\$($_.DistinguishedName)"
            $Acl = Get-Acl -Path $Path
            $Acl.AddAccessRule($AccessRule)
            Set-Acl -Path $Path -AclObject $Acl
        }

The topic ‘DNS Admin Permission Denied’ is closed to new replies.