The following Domain Name System (DNS) resource record configuration options have security implications for resource records that are stored in both standard DNS zones and Active Directory–integrated DNS zones:
Manage the DACL on DNS resource records that are stored in Active Directory Domain Services
You can use the discretionary access control list (DACL) to control the permissions for the Active Directory users and groups that may control the DNS resource records. For more information, see Modify Security for a Resource Record.
The following table lists the default group or user names and permissions for DNS resource records that are stored in Active Directory Domain Services (AD DS).
Group or user names | Permissions |
---|---|
Administrators |
Allow: Read, Write, Create All Child objects, Special Permissions |
Authenticated Users |
Allow: Create All Child objects |
Creator Owner |
Special Permissions |
DnsAdmins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
Domain Admins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Enterprise Admins |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
Enterprise Domain Controllers |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions |
Everyone |
Allow: Read, Special Permissions |
Pre-Windows 2000 Compatible Access |
Allow: Special Permissions |
System |
Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects |
For more information, see Security Information for DNS.