The following Domain Name System (DNS) resource record configuration options have security implications for resource records that are stored in both standard DNS zones and Active Directory–integrated DNS zones:

Manage the DACL on DNS resource records that are stored in Active Directory Domain Services

You can use the discretionary access control list (DACL) to control the permissions for the Active Directory users and groups that may control the DNS resource records. For more information, see Modify Security for a Resource Record.

The following table lists the default group or user names and permissions for DNS resource records that are stored in Active Directory Domain Services (AD DS).

Group or user names Permissions

Administrators

Allow: Read, Write, Create All Child objects, Special Permissions

Authenticated Users

Allow: Create All Child objects

Creator Owner

Special Permissions

DnsAdmins

Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions

Domain Admins

Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

Enterprise Admins

Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

Enterprise Domain Controllers

Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, Special Permissions

Everyone

Allow: Read, Special Permissions

Pre-Windows 2000 Compatible Access

Allow: Special Permissions

System

Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects

For more information, see Security Information for DNS.