I want to share with you today a simple PowerShell script that shows how to work with the ACL of an Active Directory object. In this example I update the ACL of a DNS record hosted on an Active Directory-integrated DNS server.
The security descriptor of a Microsoft DNS record is stored on the record's dnsNode object in Active Directory. For a zone replicated to all DNS servers in the domain, that object lives under the CN=MicrosoftDNS container of the DomainDnsZones application partition: DC=<record>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local. (Zones with forest-wide replication live under DC=ForestDnsZones instead, and zones with legacy replication under CN=MicrosoftDNS,CN=System in the domain partition.)
You can access and browse this partition with the ADSI Edit console. The script below grants a computer object full control over its own DNS record: it reads the current ACL, adds an Allow ACE for the computer's SID, writes the ACL back and prints the result. Note that GenericAll also includes WriteDacl and WriteOwner, so the account could later change the record's permissions itself; grant it only where that is acceptable.
```powershell
# The AD: drive used below is provided by the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$computer = Get-ADComputer "computername"
# Distinguished name of the record's dnsNode object (zone domain.local, DomainDnsZones partition)
$record = "AD:\DC=computername,DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local"

#OUTPUT CURRENT ACL
Get-Acl $record | Format-List
$acl_var = Get-Acl $record

#GET SID (Get-ADComputer already returns it as a SecurityIdentifier)
$s = $computer.SID

#CREATE ACCESS RULE - FULL CONTROL
# Arguments: identity, rights, Allow/Deny, object type GUID (empty = whole object),
# inheritance, inherited object type GUID (empty = any class)
$acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericAll", "Allow", [guid]::Empty, "All", [guid]::Empty))

#APPLY THE ACL ON THE OBJECT
Set-Acl $record $acl_var

#OUTPUT MODIFIED ACL
Get-Acl $record | Format-List
```
Tomorrow I will show you more about ACLs and how to work with them in Active Directory.
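As an added example (not the post's own script), here is the same grant done with least privilege: instead of GenericAll, the computer account gets WriteProperty on the dnsRecord attribute only, which is the attribute that holds the record data, and the ACE is read back for verification. The dnsNode's distinguished name is resolved by searching the three places an AD-integrated zone can live, so the path is not typed by hand, and the attribute GUID is looked up from the schema (the same idea as the convert-SchemaGUID script mentioned in the comments) rather than hard-coded. The module, cmdlets and .NET types are real; the function names (Get-DnsNodeDistinguishedName, Get-SchemaAttributeGuid, Grant-DnsNodeRight) and the CLIENT01 / domain.local values are assumptions of this example.

```powershell
# Added example, not the original post's script. Grants a computer account a
# narrow right on its own dnsNode and verifies the result. Assumes the RSAT
# ActiveDirectory module (provides the AD: drive) and a caller with WriteDacl
# on the node. Function names and the CLIENT01 / domain.local values are mine.
Import-Module ActiveDirectory

function Get-DnsNodeDistinguishedName {
    # Find the dnsNode for $HostName in zone $ZoneName. AD-integrated zones can
    # live in DomainDnsZones, ForestDnsZones or CN=System of the domain
    # partition, depending on the zone's replication scope, so try all three.
    param(
        [Parameter(Mandatory)] [string]$ZoneName,
        [Parameter(Mandatory)] [string]$HostName,
        [string]$Server = $env:USERDNSDOMAIN   # -Server accepts a domain name
    )
    $root = Get-ADRootDSE -Server $Server
    $bases = @(
        "CN=MicrosoftDNS,DC=DomainDnsZones,$($root.defaultNamingContext)",
        "CN=MicrosoftDNS,DC=ForestDnsZones,$($root.rootDomainNamingContext)",
        "CN=MicrosoftDNS,CN=System,$($root.defaultNamingContext)"
    )
    foreach ($base in $bases) {
        $node = Get-ADObject -Server $Server -SearchBase "DC=$ZoneName,$base" -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=dnsNode)(name=$HostName))" -ErrorAction SilentlyContinue
        if ($node) { return $node.DistinguishedName }
    }
    throw "dnsNode '$HostName' not found in zone '$ZoneName' via $Server"
}

function Get-SchemaAttributeGuid {
    # Resolve an attribute's schemaIDGUID so an ACE can be scoped to that attribute.
    param([Parameter(Mandatory)] [string]$LdapDisplayName, [string]$Server = $env:USERDNSDOMAIN)
    $schemaNc = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $attr = Get-ADObject -Server $Server -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return New-Object System.Guid (,[byte[]]$attr.schemaIDGUID)
}

function Grant-DnsNodeRight {
    # Add an Allow ACE for $Sid on the node and return the explicit ACEs now held by $Sid.
    param(
        [Parameter(Mandatory)] [string]$NodeDn,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'WriteProperty',
        [guid]$AttributeGuid = [guid]::Empty   # Empty = the right covers the whole object
    )
    $path = "AD:\$NodeDn"
    $acl = Get-Acl -Path $path
    # dnsNode is a leaf object, so no inheritance flags are needed.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $path).Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Translate($sidType).Value -eq $Sid.Value
    }
}

# Usage: let CLIENT01's own account rewrite only the record data of its A record.
$computer      = Get-ADComputer 'CLIENT01'
$nodeDn        = Get-DnsNodeDistinguishedName -ZoneName 'domain.local' -HostName 'CLIENT01'
$dnsRecordGuid = Get-SchemaAttributeGuid -LdapDisplayName 'dnsRecord'
Grant-DnsNodeRight -NodeDn $nodeDn -Sid $computer.SID -AttributeGuid $dnsRecordGuid |
    Format-List IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

The ObjectType column of the returned ACE shows the raw attribute GUID; compare it with the value Get-SchemaAttributeGuid returned to confirm the ACE is scoped and not object-wide. Whether WriteProperty on dnsRecord alone is enough for every operation a client performs (for example deleting its record, which touches other attributes of the node) should be confirmed in a lab before rolling it out.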
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
Beginning in Windows PowerShell 3.0, you can use the InputObject parameter of Get-Acl to get the security descriptor of objects that do not have a path.
```
Parameter Set: ByPath
Get-Acl [[-Path] <String[]>] [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByInputObject
Get-Acl -InputObject <PSObject> [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByLiteralPath
Get-Acl [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-LiteralPath <String[]>] [-UseTransaction] [<CommonParameters>]
```
By default, Get-Acl displays the Windows PowerShell path to the resource, the owner of the resource, and Access, the list (array) of access control entries in the discretionary access control list (DACL) of the resource.
When you format the result as a list, (“Get-Acl | Format-List”), in addition to the path, owner, and access list, Windows PowerShell displays the following properties and property values:
— Group: The security group of the owner.
— Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of access attempts for which Windows generates audit records.
— Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to get this data.
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.
4 thoughts on “Update ACL on a Microsoft DNS Active Directory record”
This is a great script. Thanks, I’ve tested it in my lab and works. Just a few questions, though: what’s the purpose of those dummy GUID values in the “Create Access Rule” section? I’ve run the script without them and it seems to work just fine.
Also, I’m trying to set permissions for “Modify” only, not full control. I’ve managed to achieve this in two lines:
```powershell
$acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericWrite", "Allow"))
$acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s, "GenericRead", "Allow"))
```
But haven’t figured out how to do it in just one line. Is that possible, or do we just have to keep adding individual permissions like I’ve done, line by line.
Setting ACL permissions involves some of the most byzantine constructs I deal with as a sysadmin, and I pretty much always have to just scour the internet to see how someone else has done it.
The GUID is translated to “All”. It has been used, for example, in the script convert-SchemaGUID you can find here. Regarding the modify right, you are doing it the right way. All the available members of ActiveDirectoryRights are described here.
Hi, I know this is an old post, but I wonder.
Can you also change the ACL to be the same as another DNS record?
Or also change the inherited rights and change one entry from full control to read only?
I tried to fiddle a bit with Set-Acl and reading from another record, but then it comes up with errors about ownership etc.
(For a group of static entries I don’t want the DHCP server to be able to change the A record, in case anybody creates a device with the same hostname and asks for a DHCP lease.)
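The two operations asked about in the comment above, as an added example that is not part of the original post or its comments: copying the explicit ACEs of one dnsNode to another, and turning an inherited full-control entry for one principal into an explicit read-only one. The ownership errors come from handing Set-Acl a descriptor read from a different object, which makes it try to write the owner field as well; the example always modifies the target's own descriptor. Inherited ACEs cannot be edited or removed one by one, so the second function re-creates the inherited entries as explicit copies, leaves out the ones belonging to the chosen principal, grants that principal GenericRead and then protects the DACL. Cmdlets and .NET types are real; the function names, sample DNs and the DHCP01$ account are assumptions of this example, and the node DNs are taken as input (for example copied from ADSI Edit).

```powershell
# Added example, not from the post or its comments. Two DACL operations on a
# dnsNode: copy the explicit ACEs of one record to another, and replace an
# inherited full-control entry for one principal with an explicit read-only one.
# Assumes the RSAT ActiveDirectory module, WriteDacl on the target node, and
# that the node DNs are already known (e.g. copied from ADSI Edit). Function
# names and the sample DNs / account names are mine.
Import-Module ActiveDirectory
$SidType = [System.Security.Principal.SecurityIdentifier]

function Copy-DnsNodeDacl {
    # Copy only the explicit (non-inherited) ACEs. The target's own descriptor is
    # modified and written back, so its owner field is left alone; assigning the
    # source descriptor wholesale makes Set-Acl try to change the owner as well.
    param([Parameter(Mandatory)] [string]$SourceDn, [Parameter(Mandatory)] [string]$TargetDn)
    $source = Get-Acl -Path "AD:\$SourceDn"
    $target = Get-Acl -Path "AD:\$TargetDn"
    foreach ($ace in @($target.Access | Where-Object { -not $_.IsInherited })) {
        $target.RemoveAccessRuleSpecific($ace)
    }
    foreach ($ace in @($source.Access | Where-Object { -not $_.IsInherited })) {
        $target.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$TargetDn" -AclObject $target
    return (Get-Acl -Path "AD:\$TargetDn").Access
}

function Set-DnsNodeIdentityReadOnly {
    # Inherited ACEs cannot be edited or removed individually. Re-create every
    # inherited ACE that is effective on this object as an explicit copy, skip
    # the ones belonging to $Identity, grant $Identity GenericRead, then protect
    # the DACL so nothing flows down from the zone any more.
    param([Parameter(Mandatory)] [string]$NodeDn,
          [Parameter(Mandatory)] [System.Security.Principal.IdentityReference]$Identity)
    $path = "AD:\$NodeDn"
    $acl  = Get-Acl -Path $path
    $sid  = $Identity.Translate($SidType).Value
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in @($acl.Access | Where-Object { $_.IsInherited })) {
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }   # not effective on this object
        if ($ace.IdentityReference.Translate($SidType).Value -eq $sid) { continue }
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.AccessControlType,
            $ace.ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,
            $ace.InheritedObjectType)))
    }
    # Drop any explicit ACEs the principal already has, then grant read only.
    foreach ($ace in @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Translate($SidType).Value -eq $sid })) {
        $acl.RemoveAccessRuleSpecific($ace)
    }
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, 'GenericRead', 'Allow')))
    # $true,$false: protect the DACL and drop the inherited entries from the in-memory copy.
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $path -AclObject $acl
    return (Get-Acl -Path $path).Access
}

# Usage (sample DNs and names): make a static record look like a reference one,
# then let the DHCP server's computer account only read it.
$model  = 'DC=printer00,DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local'
$static = 'DC=printer01,DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local'
Copy-DnsNodeDacl -SourceDn $model -TargetDn $static | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited
Set-DnsNodeIdentityReadOnly -NodeDn $static -Identity ([System.Security.Principal.NTAccount]'DOMAIN\DHCP01$') |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited
```

Which identity actually writes the records depends on how the DHCP server registers them: its own computer account, or the account configured on the DHCP server for dynamic DNS registration; pass that identity. Because the second function breaks inheritance, later changes to the zone's permissions will no longer reach these records, so try it on a single record first and compare the Sddl property of Get-Acl before and after.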