DNS Admin Permission Denied

skeeter · August 13, 2018, 1:20pm

Hello All,

I have set something up to create and delete DNS records. I have a specific user doing both actions. The user in question has DNS Admin rights in Active Directory. I am performing all actions via powershell, the creation of DNS records A, PTR works exactly as expected with this user. When the user goes to remove the records the PTR record is delete correctly; however, the “A” record is not deleted and the error generated is:

CategoryInfo : PermissionDenied: (GoodDeal3:root/Microsoft/…rResourceRecord) [Remove-DnsServerResourceRecord], CimException
FullyQualifiedErrorId : WIN32 5,Remove-DnsServerResourceRecord

If the user tries to delete the record via the DNS GUI (RSAT tool) there is no issue.

So my question is has anyone else ran into this issue, and if so how did you resolve it.

Thanks,

Scott

donj · August 13, 2018, 1:22pm

I’m pretty sure the DNS commands are using CIM (WMI) under the hood; there may be something in the WMI repository on the server that’s not set right. The GUI tools don’t use CIM, so they don’t encounter any extra security that layer may be putting in.

skeeter · August 13, 2018, 2:05pm

Thanks for the fast reply Don.

The command I was using is as follows:

Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer -Force

The above command works exactly as expected if I run it as domain admin, I found in order to get it to run with the delegated DNS Admin permissions I need to modify the command to be like the following:

Remove-DnsServerResourceRecord -Name $DNSName -RRType A -ZoneName $ZoneName -ComputerName $DNSServer -RecordData $ip -Force

The difference is the -RecordData parameter. I think I have the issue solved with this change. Thanks to everyone who looked at my issue.

Thanks,

Scott

postanote · August 13, 2018, 8:09pm

Good for you in reaching you success.

I wanted to add this to your efforts, prior to you arriving at where you are now, but it still may be useful to you in future efforts, or others reading this later.

How To Find And Add DNS Record Permissions With PowerShell http://www.tomsitpro.com/articles/powershell-dns-record-permissions,2-930.html

$DomainName = 'domain.com'
$AdIntegrationType = 'Domain'

$DomainDn = (Get-AdDomain).DistinguishedName
$Sid = (Get-ADUser abertram -Properties ObjectSID).ObjectSID.Value
$AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, 'Modify', 'Allow')

Get-ChildItem "AD:DC=$DomainName,CN=MicrosoftDNS,DC=$AdIntegrationType`DnsZones,$DomainDn" |
foreach {
           $Acl = Get-Acl -Path

           "ActiveDirectory:://RootDSE/$($_.DistinguishedName)"
           $Acl.AddAccessRule($AccessRule)
           Set-Acl -Path

          "ActiveDirectory:://RootDSE/$($_.DistinguishedName)" -AclObject $Acl
        }

Topic		Replies	Views
PSWA access denied errror PowerShell Help	4	93	June 8, 2015
Using DNSServer commands with elevated permissions via PSCredential PowerShell Help	0	153	June 26, 2020
cannot enable PS Remoting - Access Denied PowerShell Help	3	1017	September 25, 2018
Access is denied - PSRemoting PowerShell Help	3	132	July 31, 2016
Question about running DNSCmd.exe remotely using PSSession PowerShell Help	2	134	April 10, 2014

DNS Admin Permission Denied

Related Topics