In this blog post I'm going to show you how to delegate Active Directory permissions to other Active Directory groups. The process of resolving the host name in this resource record to the delegated DNS server in the name server (NS) resource record is sometimes referred to as "glue chasing." To create a zone delegation, open DNS Manager, right-click the parent domain, and then click New Delegation. Here are AdFind usage and examples. That's maybe not what you want to achieve. Using a command-line interface: Get-ADGroupMember "Second Line Engineers". If you do this, the wizard creates the DNS zone delegation automatically. Click "Next". The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. We recommend that you install DNS when you run the Active Directory Domain Services Installation Wizard (Dcpromo.exe). Do not lump users and computers into the same OU; this is a Microsoft best practice.
Managing Active Directory, DNS and DHCP with Windows Admin Center
The second goal is to delegate permission to change all properties of existing dHCPClass objects. Active Directory stores data as objects.
Delegate AD Permissions - LedHed's Wiki
Design Tip #1: Separate Users and Computers. Standard Primary zones do not have security settings other than protecting the zone file in the system32\dns folder. In the wizard, select the users to whom you want administration to be delegated. Right-click on the zone and select Properties. If your DNS server is not present in Server Manager, right-click "All Servers" and add the DNS server. In the Select Users, Computers, or Groups dialog, type the name of the AD group you want to give permission to reset user account passwords and click OK. AdFind Tool: AdFind was created by Joe Richards. Select the "Only the following objects in the folder" option and select "Computer objects". Open properties for the container CN=NetServices,CN=Services,CN=Configuration,DC=demo,DC=secid,DC=se; in the Security tab, choose Advanced and then Add. When you go to the User Rights Assignment section in the Default Domain Controllers Policy (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment), you can find the setting "Enable computer and user accounts to be trusted for delegation". For instance, they cannot create or delete AD integrated zones. Edit/Addition:
How to Delegate Control on Active Directory Windows Server 2016 Active Directory DNS Permissions. Do It Right: When changing Group Policy Security Filtering, make sure you add the "Authenticated Users" group in the delegation tab and provide it with "Read" permission only.