Update ACL on a Microsoft DNS Active Directory record

I want to share with you today a simple PowerShell script that shows how to work with the ACL of an Active Directory object. In this example, I update the ACL of a DNS record hosted on an Active Directory-integrated DNS server.

The security descriptor of a Microsoft DNS record is stored in a dedicated Active Directory application partition, under CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local

You can access and browse this partition with the ADSI Edit management console. The purpose of the script below is to grant a computer object Full Control over its own DNS record.

Tomorrow I will show you more about ACLs and how to work with them in Active Directory.


Get-Acl
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
Beginning in Windows PowerShell 3.0, you can use the InputObject parameter of Get-Acl to get the security descriptor of objects that do not have a path.

Syntax

Notes
By default, Get-Acl displays the Windows PowerShell path to the resource (<provider>::<resource-path>), the owner of the resource, and “Access”, a list (array) of the access control entries in the discretionary access control list (DACL) for the resource. The DACL list is controlled by the resource owner.
When you format the result as a list, (“Get-Acl | Format-List”), in addition to the path, owner, and access list, Windows PowerShell displays the following properties and property values:
— Group: The security group of the owner.
— Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of access attempts for which Windows generates audit records.
— Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to get this data.
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.
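The following script is an added example, not the post's own script (which is not reproduced on this page). It ties the steps above together: it locates the dnsNode object of a computer under CN=MicrosoftDNS in the DomainDnsZones partition, reads its security descriptor with Get-Acl through the AD: drive, adds an Allow ACE for the computer's own SID and writes it back with Set-Acl. The function name Set-DnsRecordFullControl, the parameter names and the sample values SRV01, domain.local and DC=domain,DC=local are assumptions and placeholders; the ActiveDirectory RSAT module (which provides the AD: drive and Get-ADComputer) is assumed to be installed.

```powershell
# Added example, not the original post's script: grant a computer account
# rights (Full Control by default) over its own DNS record in Active Directory.
# Assumptions: the ActiveDirectory module is installed (it provides the AD: drive),
# the caller may modify the record's security descriptor, and the zone is
# AD-integrated and stored in the DomainDnsZones partition.
Import-Module ActiveDirectory

function Set-DnsRecordFullControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # placeholder, e.g. 'SRV01'
        [Parameter(Mandatory)][string]$ZoneName,       # placeholder, e.g. 'domain.local'
        [Parameter(Mandatory)][string]$DomainDN,       # placeholder, e.g. 'DC=domain,DC=local'
        # ActiveDirectoryRights is a [Flags] enum: 'GenericRead, GenericWrite' also works.
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'GenericAll'
    )

    # A DNS record is a dnsNode object (RDN "DC=<host>") under its zone container
    # in the DomainDnsZones application partition.
    $recordDN = "DC=$ComputerName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
    $adPath   = "AD:\$recordDN"

    # ACEs are stored by SID, so resolve the computer account to its SID first.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $sid      = [System.Security.Principal.SecurityIdentifier]$computer.SID

    # Read the current security descriptor (ActiveDirectorySecurity) of the record.
    $acl = Get-Acl -Path $adPath -ErrorAction Stop

    # Idempotency check: look at explicit ACEs with identities as SIDs and skip
    # the change if an Allow ACE already covers the requested rights.
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Rights) -eq $Rights)
    }
    if ($existing) {
        Write-Verbose "$ComputerName already holds '$Rights' on $recordDN"
        return $acl
    }

    # Build the ACE. An empty objectType GUID means the right applies to the
    # whole object ("All"), not to one schema attribute or child class.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($rule)

    # Write the modified descriptor back; -WhatIf shows the change without applying it.
    if ($PSCmdlet.ShouldProcess($recordDN, "Grant '$Rights' to $ComputerName")) {
        Set-Acl -Path $adPath -AclObject $acl -ErrorAction Stop
    }

    # Return the descriptor as stored, so the caller can inspect Access or Sddl.
    Get-Acl -Path $adPath
}

# Usage with placeholder names (review the result with Format-List, as in the
# Get-Acl notes above, to see Owner, Group, Access and Sddl):
# Set-DnsRecordFullControl -ComputerName 'SRV01' -ZoneName 'domain.local' -DomainDN 'DC=domain,DC=local' -WhatIf
# Set-DnsRecordFullControl -ComputerName 'SRV01' -ZoneName 'domain.local' -DomainDN 'DC=domain,DC=local' -Verbose | Format-List
```

Run it first with -WhatIf to confirm the distinguished name resolves to the intended record before any descriptor is written; the idempotency check keeps repeated runs from stacking duplicate ACEs on the object.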

2 thoughts on “Update ACL on a Microsoft DNS Active Directory record”

  • January 13, 2017 at 19:48

    This is a great script. Thanks, I’ve tested it in my lab and works. Just a few questions, though: what’s the purpose of those dummy GUID values in the “Create Access Rule” section? I’ve run the script without them and it seems to work just fine.

    Also, I’m trying to set permissions for “Modify” only, not full control. I’ve managed to achieve this in two lines:

    $acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"GenericWrite","ALLOW"))
    $acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"GenericRead","ALLOW"))

    But I haven’t figured out how to do it in just one line. Is that possible, or do we just have to keep adding individual permissions like I’ve done, line by line?

    Setting ACL permissions involves some of the most byzantine constructs I deal with as a sysadmin, and I pretty much always have to just scour the internet to see how someone else has done it.

    • January 30, 2017 at 15:32

      Hello Dave,

      The GUID is translated to “All”. It has been used for example in the script convert-SchemaGUID you can find here. Regarding the modify right, you are doing it the right way. All the available members for ActiveDirectoryRights are described here.

      Regards

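As an added illustration of the exchange above (not part of the comment thread): ActiveDirectoryRights is a [Flags] enumeration, so the two rules from the question can be collapsed into a single access rule by combining the rights, and a rule built without an objectType GUID carries the empty GUID, which is the “All” value the reply refers to. The snippet only constructs the rule object, so it runs on any Windows PowerShell session without touching a domain; the identity S-1-5-11 (Authenticated Users) is a placeholder standing in for the computer's SID.

```powershell
# Added example, not from the comment thread: combine several ActiveDirectoryRights
# into one access rule. Runs offline; S-1-5-11 is a placeholder identity.
$identity = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

# The enum is [Flags]-decorated, so a comma-separated list casts to a combined value.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite'

# One rule instead of two; no objectType argument, so ObjectType is the empty GUID.
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $identity, $rights, ([System.Security.AccessControl.AccessControlType]::Allow)

# Inspect what was built: the combined rights, each individual flag, and the
# empty GUID that means the rule applies to the whole object.
$rule.ActiveDirectoryRights
$rule.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
$rule.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)
$rule.ObjectType -eq [guid]::Empty

# The rule is then added exactly as in the question:
# $acl_var.AddAccessRule($rule)
```

The same combined value can be passed wherever a single right is accepted, including as the $Rights argument of a function that wraps Get-Acl and Set-Acl, so the “Modify” variant does not need a separate code path from the Full Control one.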