Creating a DNS role assignment

12-27-2018

Using the Centrify Access Manager console, you will need to create two Windows Right Definitions:


1. A Network Access right.

2. A Windows Application right.


1) To create the Network Access right, navigate to the zone where you want the rights to exist and expand Authorization > Windows Right Definitions > Network Access.


2) Right-click and choose ‘New Network Access’.


3) On the General tab, give it a name such as DNS Access and a description that helps you remember what it's for.


4) On the Access tab, choose the radio button for “Self with added group privileges”, click Add AD groups and browse to the DnsAdmins group. Here is what it should look like:


5) To create the Windows Application right, navigate to Authorization > Windows Right Definitions > Applications. Right-click and choose ‘New Windows Application right’.


6) On the General tab, give it a name and description.


7) On the Match Criteria tab, click "Add":

    a) Choose .msc as the File Type.

    b) Place a check next to Path and enter the full file name of the DNS tool (dnsmgmt.msc).

    c) Enable Standard system path.


8) Place a check next to "Arguments" and enter the full path to the DNS tool (C:\windows\system32\dnsmgmt.msc).


9) Place a check next to "Require to match whole string".


It should look like this:


10) On the "Run As" tab, choose 'Self with added group privileges', click 'Add AD group' and add the DnsAdmins group.


11) The next step is to create a Role Definition that uses both of the rights created above.

Expand Authorization > Role Definitions, then right-click and choose Add Role.


12) Give the role a name.


The System Rights, Audit, and Custom Attributes tabs can remain unchanged. Click Apply, then OK.


13) Right-click the role that was just created, choose "Add Right" and add the DNS Network Access right and the DNS Windows Application right. It should look something like this:


(Notice that it contains the Network Access right and the Windows Application right.)


You can now assign this role to the users or groups that need to access the DNS console. A benefit of this setup is that the user does not need an admin desktop and does not have to log in to the DNS server directly.
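To make the effect of the match criteria in steps 7 to 9 and the Run As group in step 10 concrete, here is an added Python model of the right; it is illustrative code written for this page, not Centrify's matching engine. It assumes that "Standard system path" means the console must be launched from C:\Windows\System32 (an assumed location) and that Windows paths compare case-insensitively.

```python
import ntpath

# Illustrative model of the Windows Application right built above. It is NOT
# Centrify's matching engine; the criteria follow steps 7-9 and the values are
# the ones used on this page. SYSTEM32 is an assumed location for the
# "Standard system path" setting.
SYSTEM32 = r"C:\Windows\System32"

DNS_APP_RIGHT = {
    "file_type": ".msc",                              # step 7a
    "path": "dnsmgmt.msc",                            # step 7b: the DNS tool
    "standard_system_path": True,                     # step 7c
    "arguments": r"C:\windows\system32\dnsmgmt.msc",  # step 8
    "match_whole_string": True,                       # step 9
    "run_as_added_groups": ["DnsAdmins"],             # step 10
}


def _norm(path):
    """Normalise a Windows path for comparison (case-insensitive, no '..')."""
    return ntpath.normpath(path).lower()


def right_applies(right, launched_path, launched_args):
    """Return True only if every enabled match criterion is satisfied."""
    lp = _norm(launched_path)
    if ntpath.splitext(lp)[1] != right["file_type"].lower():
        return False                        # wrong file type
    if ntpath.basename(lp) != right["path"].lower():
        return False                        # a different console or snap-in
    if right["standard_system_path"] and ntpath.dirname(lp) != _norm(SYSTEM32):
        return False                        # same name, but not the system copy
    want = right["arguments"].lower()
    got = launched_args.strip().lower()
    if right["match_whole_string"]:
        return got == want                  # exact argument string only
    return want in got                      # loose: extra arguments tolerated


def groups_granted(right, launched_path, launched_args):
    """Groups added to the user's token when the right applies, else none."""
    if right_applies(right, launched_path, launched_args):
        return list(right["run_as_added_groups"])
    return []
```

Comparing a right with "Require to match whole string" enabled against one without shows why step 9 matters: the loose variant also elevates launches whose argument string carries extra text beyond the DNS console path.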


To use the right, hold the Shift key, right-click the dnsmgmt icon and choose “Run with Privilege...”. (For this example, a shortcut to the DNS console was placed in the Start menu for easier access.)


Then choose the DNS role that was created:


You should now see the DNS Manager console running. If you see a red circle anywhere in it, the user does not have administrator-level access; review the steps above if this occurs.


A few other notes:


1. The DNS server must be running the CDC Windows Agent version 3.3.0 or higher.


2. The role must be assigned at the zone level, or it must be assigned on both the DNS server and the computer the user is using to connect to DNS.

