Update ACL on a Microsoft DNS Active Directory record

I want to share with you today a simple PowerShell script that shows how to work with the ACL of an Active Directory object. In this example, I will update the ACL of a DNS record on an Active Directory-integrated DNS server.

The security descriptor of a Microsoft DNS record is stored in a specific Active Directory partition: CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local

You can access and browse this partition with the ADSI Edit management console. The purpose of the script below is to grant a computer object full control over its own DNS record.

Import-Module ActiveDirectory   # provides Get-ADComputer and the AD: drive used by Get-Acl/Set-Acl

$computer = Get-ADComputer "computername"

# Path of the record: DC=<record>,DC=<zone>,CN=MicrosoftDNS in the DomainDnsZones partition
$recordPath = "AD:\DC=computername,DC=domain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local"

#OUTPUT CURRENT ACL
Get-Acl $recordPath | Format-List

$acl_var = Get-Acl $recordPath

#GET SID
$s = New-Object System.Security.Principal.SecurityIdentifier (Get-ADComputer -Server "domain.local" $computer).SID

#CREATE ACCESS RULE - FULL CONTROL
# The two all-zero GUIDs mean "any object type" and "any inherited object type": the ACE is not limited to one attribute or class
$acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"GenericAll","Allow",([GUID]("00000000-0000-0000-0000-000000000000")).guid,"All",([GUID]("00000000-0000-0000-0000-000000000000")).guid))

#APPLY THE ACL ON THE OBJECT
Set-Acl $recordPath $acl_var

#OUTPUT MODIFIED ACL
Get-Acl $recordPath | Format-List

Tomorrow I will show you more about ACLs and how to work with them in Active Directory.


Get-Acl
The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource.
Beginning in Windows PowerShell 3.0, you can use the InputObject parameter of Get-Acl to get the security descriptor of objects that do not have a path.

Syntax

Parameter Set: ByPath
Get-Acl [[-Path] <String[]>] [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByInputObject
Get-Acl -InputObject <PSObject> [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-UseTransaction] [<CommonParameters>]

Parameter Set: ByLiteralPath
Get-Acl [-AllCentralAccessPolicies] [-Audit] [-Exclude <String[]>] [-Filter <String>] [-Include <String[]>] [-LiteralPath <String[]>] [-UseTransaction] [<CommonParameters>]

Notes
By default, Get-Acl displays the Windows PowerShell path to the resource (<provider>::<resource-path>), the owner of the resource, and "Access", a list (array) of the access control entries in the discretionary access control list (DACL) for the resource. The DACL list is controlled by the resource owner.
When you format the result as a list, (“Get-Acl | Format-List”), in addition to the path, owner, and access list, Windows PowerShell displays the following properties and property values:
— Group: The security group of the owner.
— Audit: A list (array) of entries in the system access control list (SACL). The SACL specifies the types of access attempts for which Windows generates audit records.
— Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. Windows PowerShell uses the GetSddlForm method of security descriptors to get this data.
Because Get-Acl is supported by the file system and registry providers, you can use Get-Acl to view the ACL of file system objects, such as files and directories, and registry objects, such as registry keys and entries.



4 thoughts on "Update ACL on a Microsoft DNS Active Directory record"

  • January 13, 2017 at 7:48 pm

    This is a great script. Thanks, I've tested it in my lab and it works. Just a few questions, though: what's the purpose of those dummy GUID values in the "Create Access Rule" section? I've run the script without them and it seems to work just fine.

    Also, I'm trying to set permissions for "Modify" only, not full control. I've managed to achieve this in two lines:

    $acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"GenericWrite","Allow"))
    $acl_var.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $s,"GenericRead","Allow"))

    But I haven't figured out how to do it in just one line. Is that possible, or do we just have to keep adding individual permissions like I've done, line by line?

    Setting ACL permissions involves some of the most byzantine constructs I deal with as a sysadmin, and I pretty much always have to just scour the internet to see how someone else has done it.

    • January 30, 2017 at 3:32 pm

      Hello Dave,

      The GUID is translated to "All". It has been used for example in the script convert-SchemaGUID you can find here. Regarding the modify right, you are doing it the right way. All the available members for ActiveDirectoryRights are described here.

      Regards

  • May 4, 2021 at 2:15 pm
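A generalised version of the script in the post and of the combined-rights question in this thread, added here as an example (not code from the original post or its author). It builds the record's AD: path from zone, record and domain DN, takes the rights as one ActiveDirectoryRights flags value so read and write can sit in a single ACE, and lists the resulting DACL with a flag on entries that are able to change the record; Get-DnsRecordAdPath, Add-DnsRecordAce and Get-DnsRecordAce are hypothetical names, and the zone, record and computer names are placeholders.

```powershell
# Added example, not from the original post: build the record's AD: path, add one
# ACE with combinable ActiveDirectoryRights flags, then list the DACL for review.
# Assumes the ActiveDirectory module; 'domain.local' and 'computername' are placeholders.
Import-Module ActiveDirectory

function Get-DnsRecordAdPath {
    param([string]$Zone, [string]$Record, [string]$DomainDn)
    # Records sit under DC=<zone>,CN=MicrosoftDNS in the DomainDnsZones partition
    "AD:\DC=$Record,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
}

function Add-DnsRecordAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        # Flags enum: one ACE can carry several rights, e.g. 'GenericRead, GenericWrite'
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $acl = Get-Acl -Path $Path
    # Three-argument constructor: no object-type GUID, so the ACE applies to the whole object
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $Rights, $Type)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant '$Rights' to $Sid")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Get-DnsRecordAce {
    param([string]$Path)
    # Any of these rights lets the holder change the record data or its DACL
    $modifyMask = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner'
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
            CanModify = (([int]$_.ActiveDirectoryRights -band $modifyMask) -ne 0)
        }
    }
}

# Usage (placeholders): grant read + write in a single ACE, previewing with -WhatIf first
$domainDn = (Get-ADDomain).DistinguishedName
$path = Get-DnsRecordAdPath -Zone 'domain.local' -Record 'computername' -DomainDn $domainDn
$sid  = (Get-ADComputer 'computername').SID
Add-DnsRecordAce -Path $path -Sid $sid -Rights 'GenericRead, GenericWrite' -WhatIf
Get-DnsRecordAce -Path $path | Format-Table -AutoSize
```

Drop -WhatIf once the preview shows the intended path and identity; the CanModify column in the listing is a quick way to spot which principals (the DHCP server, for instance) can already rewrite a record.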

    Hi, I know this is an old post, but I wonder.

    Can you also change the ACL to be the same as another dns record?
    Or also change the inherited rights and change one entry from full control to read only?
    I tried to fiddle a bit with set-acl and reading from another record, but then it comes up with errors about ownership etc....

    (for a group of static entries I don't want the DHCP server to be able to change the A-record, in case anybody creates a device with the same hostname and asks for a DHCP lease)
