Channel: Directory Services forum

Delegating create/modify record rights to a single DNS zone


I have a requirement to allow one team of users to create records within a single DNS zone and edit those records they create as necessary. My understanding, based on testing in my lab, is that the 'Authenticated Users' group is present by default in each DNS zone. This group has the 'Create all child objects' right, which in turn gives it modify and delete rights to any subsequent records it creates.

(I expect that the reason for Authenticated Users to be present is so that all computers can register and update their own DNS records in a zone that uses dynamic DNS.)

However, I also understand that the entire DNS hierarchy within dnsmgmt cannot be seen by a user unless the 'read' permission is given at the root ('MicrosoftDNS') level. Therefore they cannot, as a user, create entries in any DNS zone without being able to traverse the DNS zone hierarchy.

Based on this, I have two questions regarding giving the above rights to one zone only:

1. Is there any reason, other than in order to enable dynamic DNS updates, for the 'Authenticated Users' group to be present on the ACL in any DNS zone? In other words, can I safely remove this entry from all zones which only contain static records and do not require dynamic DNS updates?

2. For the remaining zones, is my proposed solution (give the proposed admin group 'read' rights at the root (MicrosoftDNS) level, remove 'Authenticated Users' from all non-DDNS zones, give the proposed admin group 'Create all child objects' rights on the zone in which they require access) a viable option to allow them to make changes in that zone only?

Thanks in advance.
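Before removing the default 'Authenticated Users' entry from any zone, the check a practitioner would want is a read-only audit of which AD-integrated zones have dynamic updates enabled and which still carry that create-child ACE. This is an added example, not part of the original post; it assumes the DnsServer and ActiveDirectory RSAT modules on a domain-joined admin host and the standard dnsZone object locations under CN=MicrosoftDNS in the DomainDnsZones, ForestDnsZones or CN=System containers.

```powershell
# Added example: read-only audit of AD-integrated zones on the local DNS server.
# For each zone it reports the dynamic-update setting and whether
# 'Authenticated Users' holds Create all child objects (or Full Control) on the zone object.
Import-Module DnsServer
Import-Module ActiveDirectory

$domainDn     = (Get-ADDomain).DistinguishedName
$forestRootDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# Map a zone's replication scope to the partition that stores its dnsZone object.
function Get-ZoneObjectDn {
    param([Parameter(Mandatory)] $Zone)
    $container = switch ($Zone.ReplicationScope) {
        'Forest' { "CN=MicrosoftDNS,DC=ForestDnsZones,$forestRootDn" }
        'Domain' { "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" }
        default  { "CN=MicrosoftDNS,CN=System,$domainDn" }   # legacy (pre-2003) storage
    }
    return "DC=$($Zone.ZoneName),$container"
}

$authUsers = 'NT AUTHORITY\Authenticated Users'
# CreateChild is the 'Create all child objects' right; GenericAll includes it.
$createMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    ForEach-Object {
        $zone = $_
        $acl  = Get-Acl -Path ("AD:\" + (Get-ZoneObjectDn -Zone $zone))
        # Allow ACEs for Authenticated Users that grant CreateChild on the zone object
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $authUsers -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights) -band $createMask) -ne 0
        }
        [pscustomobject]@{
            Zone                    = $zone.ZoneName
            DynamicUpdate           = $zone.DynamicUpdate   # None / Secure / NonsecureAndSecure
            AuthUsersCanCreateChild = [bool]$ace
            # Static zone (no dynamic updates) that still grants the ACE: review before removal
            ReviewCandidate         = ($zone.DynamicUpdate -eq 'None') -and [bool]$ace
        }
    } | Format-Table -AutoSize
```

Run it on a DNS server or with -ComputerName added to Get-DnsServerZone; a zone flagged ReviewCandidate is one where the ACE serves no dynamic-update purpose, which is the case the first question asks about.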

