DNS Admin Permission Denied


  • Author
  • #108400

    Points: 1
    Rank: Member

    Hello All,

    I have set something up to create and delete DNS records. I have a specific user doing both actions. The user in question has DNS Admin rights in Active Directory. I am performing all actions via PowerShell; the creation of DNS records (A, PTR) works exactly as expected with this user. When the user goes to remove the records, the PTR record is deleted correctly; however, the "A" record is not deleted and the error generated is:

    + CategoryInfo          : PermissionDenied: (GoodDeal3:root/Microsoft/...rResourceRecord) [Remove-DnsServerResourceRecord], CimException

    + FullyQualifiedErrorId : WIN32 5,Remove-DnsServerResourceRecord

    If the user tries to delete the record via the DNS GUI (RSAT tool) there is no issue.

    So my question is: has anyone else run into this issue, and if so, how did you resolve it?



  • #108401

    Points: 1,811
    Helping Hand, Team Member
    Rank: Community Hero

    I'm pretty sure the DNS commands are using CIM (WMI) under the hood; there may be something in the WMI repository on the server that's not set right. The GUI tools don't use CIM, so they don't encounter any extra security that layer may be putting in.

  • #108409

    Points: 1
    Rank: Member

    Thanks for the fast reply Don.

    The command I was using is as follows:

    Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer -Force


    The above command works exactly as expected if I run it as domain admin. I found that in order to get it to run with the delegated DNS Admin permissions, I need to modify the command to be like the following:

    Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer  -RecordData $ip -Force


    The difference is the -RecordData parameter. I think I have the issue solved with this change. Thanks to everyone who looked at my issue.
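
The fix reported in the post above is to pass -RecordData so the removal names one specific record. The following is an added example, not code from the thread: a wrapper that confirms the exact name and address pair exists, removes only that record, and surfaces the WIN32 5 failure separately. `Remove-ExactDnsARecord` is a hypothetical helper name, and the values in the usage comment are constructed.

```powershell
#Requires -Modules DnsServer
# Added example: Remove-ExactDnsARecord is a hypothetical helper, not part of the DnsServer module.

function Remove-ExactDnsARecord {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [string]    $ZoneName,
        [Parameter(Mandatory)] [ipaddress] $IPv4Address,
        [Parameter(Mandatory)] [string]    $ComputerName
    )

    # Read the A records at this name first, so a wrong address is reported
    # as "not found" instead of being mistaken for an authorization failure.
    $records = Get-DnsServerResourceRecord -Name $Name -ZoneName $ZoneName -RRType A `
        -ComputerName $ComputerName -ErrorAction Stop

    $match = $records | Where-Object { $_.RecordData.IPv4Address -eq $IPv4Address }
    if (-not $match) {
        Write-Warning "No A record $Name -> $IPv4Address in $ZoneName on $ComputerName"
        return
    }

    if ($PSCmdlet.ShouldProcess("$Name.$ZoneName ($IPv4Address)", 'Remove A record')) {
        try {
            # -RecordData limits the call to the single record with this address.
            Remove-DnsServerResourceRecord -Name $Name -ZoneName $ZoneName -RRType A `
                -RecordData $IPv4Address.IPAddressToString `
                -ComputerName $ComputerName -Force -ErrorAction Stop
        }
        catch [Microsoft.Management.Infrastructure.CimException] {
            # WIN32 5 is ERROR_ACCESS_DENIED, the failure quoted in the first post.
            if ($_.FullyQualifiedErrorId -like 'WIN32 5,*') {
                Write-Warning "Access denied removing $Name ($IPv4Address) as $env:USERNAME"
            }
            throw
        }
    }
}

# Usage with constructed sample values; -WhatIf shows the action without changing DNS:
# Remove-ExactDnsARecord -Name 'host01' -ZoneName 'example.test' `
#     -IPv4Address '192.0.2.10' -ComputerName 'dns01.example.test' -WhatIf
```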




  • #108419

    Points: 1,150
    Helping Hand
    Rank: Community Hero

    Good for you in reaching your success.

    I wanted to add this to your efforts, prior to you arriving at where you are now, but it still may be useful to you in future efforts, or others reading this later.

    How To Find And Add DNS Record Permissions With PowerShell

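    Import-Module ActiveDirectory   # provides the AD: drive, Get-ADDomain and Get-ADUser
    $DomainName = 'domain.com'
    $AdIntegrationType = 'Domain'
    $DomainDn = (Get-AdDomain).DistinguishedName
    # The access-rule constructor needs an IdentityReference, so cast the SID string.
    $Sid = [System.Security.Principal.SecurityIdentifier](Get-ADUser abertram -Properties ObjectSID).ObjectSID.Value
    # 'Modify' is kept as posted; it is not a member of System.DirectoryServices.ActiveDirectoryRights,
    # so replace it with the right you intend to delegate before running.
    $AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, 'Modify', 'Allow')
    # Add the rule to the ACL of every record object in the AD-integrated zone.
    Get-ChildItem "AD:DC=$DomainName,CN=MicrosoftDNS,DC=$AdIntegrationType`DnsZones,$DomainDn" |
    foreach {
        $Path = "ActiveDirectory:://RootDSE/$($_.DistinguishedName)"
        $Acl = Get-Acl -Path $Path
        $Acl.AddAccessRule($AccessRule)
        Set-Acl -Path $Path -AclObject $Acl
    }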
