File System Permissions for Windows Service Account

Olaf Lautenschlaeger ol at
Mon Sep 25 07:54:11 UTC 2006

On Sunday, September 24, 2006 9:02 PM [GMT+1=CET],
Will <DELETE_westes at> wrote:

> In BIND 9.3 under Windows, what NTFS file system permissions does the
> service account need to run correctly?

I just found out that the default permissions
from installation didn't make too much sense.

It turned out that the following will work well:
(presumed having
 options {
   directory "C:/WinNT/system32/dns"; ...
in named.conf)

for the base dir above (no inheritance,
remove User/Power user group etc.):
- group Administrators: full access
- user named: full access
- SYSTEM: Read/Execute, List folders, Read
- CREATOR-OWNER: special: full rights for sub-folders and files only

You'll probably notice that temp files are written here.
(I've been running into trouble especially with this).

inherit the above (have no TSIG key files residing

- Administrators: full access
- named: full access
- CREATOR-OWNER: special: full access for sub-folders and files only

(all naming is back-translated from my german win2k)

Someone will probably contradict or, even better, point
to a more subtle rights allocation.

Olaf Lautenschlaeger
ANOVA Multimedia Studios GmbH, Rostock

More information about the bind-users mailing list