DNS Admin Permission Denied

Hello All,

I have set something up to create and delete DNS records. I have a specific user doing both actions. The user in question has DNS Admin rights in Active Directory. I am performing all actions via powershell, the creation of DNS records A, PTR works exactly as expected with this user. When the user goes to remove the records the PTR record is delete correctly; however, the “A” record is not deleted and the error generated is:

  • CategoryInfo : PermissionDenied: (GoodDeal3:root/Microsoft/…rResourceRecord) [Remove-DnsServerResourceRecord], CimException

  • FullyQualifiedErrorId : WIN32 5,Remove-DnsServerResourceRecord

If the user tries to delete the record via the DNS GUI (RSAT tool) there is no issue.

So my question is has anyone else ran into this issue, and if so how did you resolve it.



I’m pretty sure the DNS commands are using CIM (WMI) under the hood; there may be something in the WMI repository on the server that’s not set right. The GUI tools don’t use CIM, so they don’t encounter any extra security that layer may be putting in.

Thanks for the fast reply Don.

The command I was using is as follows:

Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer -Force


The above command works exactly as expected if I run it as domain admin, I found in order to get it to run with the delegated DNS Admin permissions I need to modify the command to be like the following:

Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer -RecordData $ip -Force


The difference is the -RecordData parameter. I think I have the issue solved with this change. Thanks to everyone who looked at my issue.




Good for you in reaching you success.

I wanted to add this to your efforts, prior to you arriving at where you are now, but it still may be useful to you in future efforts, or others reading this later.

How To Find And Add DNS Record Permissions With PowerShell http://www.tomsitpro.com/articles/powershell-dns-record-permissions,2-930.html
$DomainName = 'domain.com'
$AdIntegrationType = 'Domain'

$DomainDn = (Get-AdDomain).DistinguishedName
$Sid = (Get-ADUser abertram -Properties ObjectSID).ObjectSID.Value
$AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, 'Modify', 'Allow')

Get-ChildItem "AD:DC=$DomainName,CN=MicrosoftDNS,DC=$AdIntegrationType`DnsZones,$DomainDn" |
foreach {
           $Acl = Get-Acl -Path

           Set-Acl -Path

          "ActiveDirectory:://RootDSE/$($_.DistinguishedName)" -AclObject $Acl