Hello Friends, Hope everyone is doing well.
Let's start the topic. My client approached me to create a user ID and grant it permission on particular DNS resource records / a particular zone, so that it can modify/create/delete DNS records. But he came with the conditions below.
1) We will not add the user to the Domain Admins group.
2) We will not add the user to the DnsAdmins group.
3) The user should have modify/create/delete rights only on a particular zone.
Below are the settings that worked for me:
1) Created a user in the DC.
2) Granted Read access on the DNS server (Properties -> Security) and granted special permissions on the DNS zone (Write all properties, Create all child objects and Delete all child objects).
3) Granted Deny on all access on all other zones.
Please refer to the screenshots below for better understanding.
Read permission on DNS server

Special permissions on zone Fruit.com (the user will create/modify records only under this zone). I granted permission to the user on the blossom.com zone and denied permission on all other zones.
Deny permission on all other zones (showing fruit.com as a sample)
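The same delegation done from PowerShell instead of the GUI, as an added example that is not part of the original post. It covers steps 2 (zone permissions) and 3 (deny on the other zones) for an AD-integrated zone stored in the DomainDnsZones partition, and then lists every zone where the account appears in the ACL so the result can be reviewed before the account is handed over. The domain CONTOSO / DC=contoso,DC=com, the user name dnsops and the zone name blossom.com are placeholders; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the original post. Placeholder values below.
Import-Module ActiveDirectory

$domainNetbios = 'CONTOSO'
$userName      = 'dnsops'
$zoneName      = 'blossom.com'
$partitionDN   = 'DC=DomainDnsZones,DC=contoso,DC=com'   # assumed zone storage partition
$zoneDN        = "DC=$zoneName,CN=MicrosoftDNS,$partitionDN"

$sid = (Get-ADUser -Identity $userName).SID

# Step 2 of the post: Write all properties, Create all child objects and
# Delete all child objects on the delegated zone and the records beneath it.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$deny    = [System.Security.AccessControl.AccessControlType]::Deny
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$zoneDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $allow, $inherit)))
Set-Acl -Path "AD:\$zoneDN" -AclObject $acl

# Step 3 of the post: explicit Deny for the same rights on every other zone in the partition.
$allZones = Get-ADObject -SearchBase "CN=MicrosoftDNS,$partitionDN" -SearchScope OneLevel -Filter 'objectClass -eq "dnsZone"'
$allZones | Where-Object { $_.Name -ne $zoneName } | ForEach-Object {
    $otherAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $otherAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $deny, $inherit)))
    Set-Acl -Path "AD:\$($_.DistinguishedName)" -AclObject $otherAcl
}

# Verification: one row per zone where the account has an explicit ACE, with the
# access type, so an Allow on any zone other than $zoneName stands out immediately.
$allZones | ForEach-Object {
    $zone = $_.Name
    (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq "$domainNetbios\$userName" } |
        Select-Object @{n = 'Zone'; e = { $zone }}, AccessControlType, ActiveDirectoryRights, IsInherited
} | Format-Table -AutoSize
```

Zones created later will not carry the Deny entry, so re-run the verification block after adding a zone.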