Grant non-domain administrator account rights for IPAM DNS Monitoring


This article describes how to poll the DNS server from IPAM with a non-administrator account instead of an administrator account.

Add the user to the DNSAdmin group. IPAM requires the account to have Read\Write permission for DNS management so that it can write itself to the DNS server as a zone transfer server. The account itself cannot be a domain administrator account in your environment, but DNS admin rights are a must for the account within IPAM.

To limit an IPAM user to read-only access to the DNS portion of IPAM, set the permissions in that user's Orion account settings. This limitation applies to the user in Orion, not to the account used to poll the DNS servers, so it is advisable to use a restricted service account for the DNS server and control user rights through IPAM itself.


IPAM 3.0 or later


Based on your network configuration, use a DNS server administrator (an account allowed to make changes on the DNS server) and enable that account for WMI.


In Standalone DNS, it might be a local administrator (which by default is pre-configured for remote WMI access). Administrators are configured by default to perform DNS server management tasks.

In an AD+DNS setup, it should be an account that has full DACL to manage the DNS Server. The account must also have remote WMI enabled for management, according to the steps below.


To configure DCOM Services:

  1. Start dcomcnfg.
  2. Expand Component Services\Computers, right-click on My Computer, and select Properties.
  3. Click COM Security Tab.
  4. In the Access Permissions group, click Edit Default, add your account, and Enable Local Access and Remote Access Checkboxes.
  5. In the Access permissions group, click Edit Limits, add your account, and enable Local and Remote Access.
  6. In the Launch and Activation Permissions, click Edit Default, add your account, and Allow all check boxes.
  7. In the Launch And Activation Permissions, click Edit Limits, add your account, and Allow all check boxes.


To configure access to the WMI Branch:

  1. Start the MMC console and add the WMI Control snap-in.
  2. Right-click the snap-in and click Properties.
  3. In the Security tab, select MicrosoftDNS and CIMV2 branch, and then click the Security button.
  4. Add your account, and allow: Execute Methods, Enable Account, Remote Enable.
  5. Verify that the new user you created has DNSAdmin rights on DNS Security tab.
  6. Start dnsmgmt.msc.
  7. Right-click on Server/Service and view Properties to confirm that all the check boxes for the new user are checked.
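
A scripted check of the result of both procedures, added here as an example and not taken from the original article or from SolarWinds: it confirms that the polling account can reach the MicrosoftDNS and CIMV2 branches over remote WMI, and that it holds DNS admin rights without being a domain administrator. The server name and account name are placeholders; it assumes Windows PowerShell 5.1, the ActiveDirectory RSAT module, and the default English group names.

```powershell
# Added example: verify the DNS polling account after the DCOM/WMI steps.
# Placeholders (not from the article): server name and account name.
param(
    [string]$DnsServer = 'dns01.example.test',
    [string]$Account   = 'EXAMPLE\svc-ipam-dns'
)

$cred = Get-Credential -UserName $Account -Message 'Password for the DNS polling account'

# 1. Remote WMI access to the two branches the article grants rights on.
#    "Access is denied" here means DCOM or namespace security is incomplete.
$checks = @(
    @{ Namespace = 'root\MicrosoftDNS'; Class = 'MicrosoftDNS_Server' }
    @{ Namespace = 'root\CIMV2';        Class = 'Win32_OperatingSystem' }
)
$wmi = foreach ($c in $checks) {
    try {
        $null = Get-WmiObject -ComputerName $DnsServer -Namespace $c.Namespace `
                    -Class $c.Class -Credential $cred -ErrorAction Stop
        [pscustomobject]@{ Check = "WMI $($c.Namespace)"; Result = 'OK'; Detail = '' }
    }
    catch {
        [pscustomobject]@{ Check = "WMI $($c.Namespace)"; Result = 'FAILED'
                           Detail = $_.Exception.Message }
    }
}

# 2. Group membership in an AD+DNS setup (direct memberships only).
#    The built-in Active Directory group is named DnsAdmins.
$sam    = $Account.Split('\')[-1]
$groups = @((Get-ADPrincipalGroupMembership -Identity $sam).Name)
$membership = @(
    [pscustomobject]@{ Check  = 'Member of DnsAdmins'; Detail = ''
                       Result = if ($groups -contains 'DnsAdmins') { 'OK' } else { 'FAILED' } }
    [pscustomobject]@{ Check  = 'Not in Domain Admins'; Detail = ''
                       Result = if ($groups -notcontains 'Domain Admins') { 'OK' } else { 'FAILED' } }
)

# One table: every row should read OK before the account is entered in IPAM.
$wmi + $membership | Format-Table -AutoSize -Wrap
```

Run it from a management workstation rather than on the DNS server itself, so the WMI checks exercise the remote access path.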

To test connection to a DNS Server with specific credentials, use the wbemtest tool and connect to a machine using a namespace like:
Last modified
11:13, 3 Oct 2017