Configure Role Based Access Control for IPAM on Windows Server 2016

Posted: January 16, 2017 in Windows Server

With role-based access control we can configure in detail which tasks users are allowed to perform in IPAM.

Built-in IPAM roles:


| Type | Name | Description |
|------|------|-------------|
| Role | DNS record administrator | Manages DNS resource records |
| Role | IP address record administrator | Manages IP addresses but not IP address spaces, ranges, blocks, or subnets |
| Role | IPAM administrator | Manages all settings and objects in IPAM |
| Role | IPAM ASM administrator | Completely manages IP addresses |
| Role | IPAM DHCP administrator | Completely manages DHCP servers |
| Role | IPAM DHCP reservations administrator | Manages DHCP reservations |
| Role | IPAM DHCP scope administrator | Manages DHCP scopes |
| Role | IPAM MSM administrator | Completely manages DHCP and DNS servers |
| Access scope | Global | By default, all objects in IPAM are included in the global access scope. All additional scopes that are configured are subsets of the global access scope |


Adding a custom role

Sometimes the built-in roles won't meet our requirements; in that case we can create a custom role.

Click Access Control - right-click Roles - Add User Role



Enter a role name and define which actions can be performed within that role. In this example the user can create a zone, invoke a zone transfer and configure the preferred DNS server.




Creating an access policy

Now map the user to an IPAM role:

Right-click Access Policies - Add Access Policy




Click Add, select the domain and add the user (in my example this user is a standard domain user with no specific privileges).



In Access Settings, click New and choose a role.



Click Add settings




Optionally, we can specify an access scope.

An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.

In this example I didn't create any access scope.


Log in to the IPAM server as that user. According to the role settings, the user can create a DNS zone but can't delete it.
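To make the create-but-not-delete outcome and the scope rule above concrete, here is an added illustrative model of how a role, an access scope and an access policy combine into an allow/deny decision. It is not Microsoft's IPAM code; the role name, operation names, scope paths and user accounts are constructed assumptions.

```python
# Illustrative model of IPAM's RBAC decision (role x access scope x policy).
# Not Microsoft's implementation; operation and scope names are assumptions.
from dataclasses import dataclass

GLOBAL = "\\Global"  # the root scope every other scope is a subset of

# Custom role from the post: only these operations are permitted, nothing else
# (so "delete dns zone" is denied simply because it is not listed).
ROLES = {
    "DNS zone creator": {"create dns zone", "invoke zone transfer",
                         "configure preferred dns server"},
}

@dataclass(frozen=True)
class AccessPolicy:
    principal: str          # e.g. "CONTOSO\\dnsuser" (constructed)
    role: str               # key into ROLES
    scope: str = GLOBAL     # access scope path; Global covers all objects

def scope_contains(policy_scope: str, object_scope: str) -> bool:
    """A policy scope covers an object when the object's scope path is the
    policy scope itself or a path beneath it (child scopes are subsets)."""
    p = policy_scope.rstrip("\\")
    return object_scope == p or object_scope.startswith(p + "\\")

def is_allowed(policies, principal, operation, object_scope=GLOBAL) -> bool:
    """Allow only if some policy for this principal grants the operation via
    its role AND its access scope covers the object being acted on."""
    for pol in policies:
        if pol.principal != principal:
            continue
        if operation not in ROLES.get(pol.role, set()):
            continue
        if scope_contains(pol.scope, object_scope):
            return True
    return False

# Constructed policies: one user mapped to the custom role at Global (as in
# the post) and a second user restricted to a sub-scope.
POLICIES = [
    AccessPolicy("CONTOSO\\dnsuser", "DNS zone creator"),
    AccessPolicy("CONTOSO\\euuser", "DNS zone creator", "\\Global\\Europe"),
]

if __name__ == "__main__":
    for user, op, scope in [("CONTOSO\\dnsuser", "create dns zone", GLOBAL),
                            ("CONTOSO\\dnsuser", "delete dns zone", GLOBAL),
                            ("CONTOSO\\euuser", "create dns zone", "\\Global\\Asia")]:
        print(f"{user} {op} in {scope} -> {is_allowed(POLICIES, user, op, scope)}")
```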





  1. Vas says:

    Excellent! and to the point. Thank you

