Script to Change Permissions on DNS Records

SethRoberts-0739 31 Reputation points
2021-04-13T15:48:49.07+00:00

I've found myself in a situation where some computers in our environment are not able to update their records in DNS when their IP address changes. This is primarily due to DHCP servers creating the record on their behalf when the DHCP server issues or renews leases. Needless to say, PowerShell isn't my strength. I need to find a way to add an ACL for the computer object to have modify rights of its DNS record. Scripting this seems like the fastest and most reliable way to accomplish this. I would very much appreciate any help the PowerShell experts can provide.
Best,
Seth


Accepted answer
  1. Ian Xue 37,621 Reputation points Microsoft Vendor
    2021-04-14T07:57:47.297+00:00

    Hi,

    Please see if this works for you. Set $ComputerNames to your actual computer names.

    # Requires the ActiveDirectory and DnsServer RSAT modules (the AD: drive comes with ActiveDirectory).
    Import-Module ActiveDirectory, DnsServer
    $ComputerNames = "computer1","computer2","computer3"
    $DNSServer = (Get-ADDomain).PDCEmulator
    # Only AD-integrated forward zones hold dnsNode objects whose ACL can be edited.
    $Zones = Get-DnsServerZone -ComputerName $DNSServer |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone }
    foreach ($ComputerName in $ComputerNames) {
        # A host may have A/AAAA records in more than one zone, so collect them all.
        $DNSRecords = foreach ($Zone in $Zones) {
            Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $Zone.ZoneName |
                Where-Object { $_.HostName -eq $ComputerName -and $_.RecordType -in 'A','AAAA' }
        }
        if (-not $DNSRecords) { Write-Warning "No A/AAAA record found for $ComputerName"; continue }
        $ADcomputer = Get-ADComputer -Identity $ComputerName
        $SID = New-Object System.Security.Principal.SecurityIdentifier $ADcomputer.SID.Value
        Push-Location -Path AD:\
        try {
            foreach ($DNSRecord in $DNSRecords) {
                $ACL = Get-Acl -Path $DNSRecord.DistinguishedName
                # GenericAll is full control of the dnsNode; GenericWrite would let the host update the record without also letting it change the ACL.
                $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, "GenericAll", "Allow"
                $ACL.AddAccessRule($ACE)
                $ACL | Set-Acl -Path $DNSRecord.DistinguishedName
            }
        }
        finally {
            Pop-Location   # restore the previous location even if Set-Acl fails
        }
    }
    

    Best Regards,
    Ian Xue


1 additional answer

  1. Mohamed SAKHO 116 Reputation points
    2021-10-11T14:42:15.4+00:00

    Hello,

    Thank you very much! This helped me IMMENSELY!
    But I just want to know if it's possible to log it and show me the records that do not exist.
    Thank you in advance

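A read-only audit to run before (and after) the accepted answer's script, added here as an example and not part of either post. For each host it reports who owns the dnsNode object behind its A/AAAA records and whether the host's own computer account already holds write rights on it, and it logs hosts that have no record at all, which is the "record does not exist" case the follow-up asks about. It assumes the ActiveDirectory and DnsServer RSAT modules are installed on the machine running it; `$ComputerNames` and `$LogPath` are placeholders to replace.

```powershell
# Added example, not from either post: read-only audit of the dnsNode objects behind
# each host's A/AAAA records. Reports the object owner, whether the host's own SID
# already holds write rights, and which hosts have no record at all (the case the
# follow-up asks to log). Nothing is modified.
# Assumes the ActiveDirectory and DnsServer RSAT modules; $ComputerNames and $LogPath
# are placeholders to replace.
Import-Module ActiveDirectory, DnsServer

$ComputerNames = "computer1", "computer2", "computer3"
$LogPath       = "C:\Temp\dnsnode-audit.csv"
$DNSServer     = (Get-ADDomain).PDCEmulator

# Only AD-integrated forward zones hold dnsNode objects with an editable ACL.
$Zones = Get-DnsServerZone -ComputerName $DNSServer |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone }

# Any of these rights lets the holder rewrite the record's dnsRecord attribute.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty'

$Report = foreach ($ComputerName in $ComputerNames) {
    # -Filter rather than -Identity so a missing computer object yields $null instead of an error.
    $ADcomputer = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    $Found = $false
    foreach ($Zone in $Zones) {
        $Records = Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $Zone.ZoneName |
            Where-Object { $_.HostName -eq $ComputerName -and $_.RecordType -in 'A', 'AAAA' }
        foreach ($Record in $Records) {
            $Found = $true
            $ACL = Get-Acl -Path ("AD:\" + $Record.DistinguishedName)
            # Resolve ACE identities to SIDs so the comparison does not depend on name lookups.
            $HostHasWrite = $false
            if ($ADcomputer) {
                $Rules = $ACL.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                $HostHasWrite = [bool]($Rules | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -eq $ADcomputer.SID.Value -and
                    ($_.ActiveDirectoryRights -band $WriteMask) -ne 0
                })
            }
            [pscustomobject]@{
                Computer     = $ComputerName
                Zone         = $Zone.ZoneName
                RecordType   = $Record.RecordType
                Owner        = $ACL.Owner   # records the DHCP server created are owned by the account it registered with
                HostHasWrite = $HostHasWrite
                Status       = if ($HostHasWrite) { 'OK' } else { 'NeedsAce' }
            }
        }
    }
    if (-not $Found) {
        [pscustomobject]@{
            Computer = $ComputerName; Zone = ''; RecordType = ''; Owner = ''
            HostHasWrite = $false; Status = 'NoRecord'
        }
    }
}

$Report | Export-Csv -Path $LogPath -NoTypeInformation
$Report | Format-Table -AutoSize
```

Rows with `Status = NeedsAce` are the only ones the accepted answer's script needs to touch; `NoRecord` rows are the hosts the follow-up wants logged, and the CSV at `$LogPath` keeps a before/after record of what the ACL change did.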
