Script to Change Permissions on DNS Records

SethRoberts-0739 31 Reputation points

I've found myself in a situation where some computers in our environment are not able to update their records in DNS when their IP address changes. This is primarily due to DHCP servers creating the record on their behalf when the DHCP server issues or renews leases. Needless to say, PowerShell isn't my strength. I need to find a way to add an ACL for the computer object to have modify rights of its DNS record. Scripting this seems like the fastest and most reliable way to accomplish this. I would very much appreciate any help the PowerShell experts can provide.


Accepted answer
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 33,951 Reputation points Microsoft Vendor


    Please see if this works for you. Set $ComputerNames to your actual computer names.

    $ComputerNames = "computer1","computer2","computer3"
    $DNSServer = (Get-ADDomain).PDCEmulator
    # only AD-integrated zones have dnsNode objects (a DistinguishedName) whose ACL can be changed
    $ZoneNames = Get-DnsServerZone -ComputerName $DNSServer | Where-Object { $_.IsDsIntegrated }
    foreach($ComputerName in $ComputerNames){
        # every record named after the computer, across all zones (A and AAAA records share one dnsNode)
        $DNSRecords = foreach($ZoneName in $ZoneNames){
            Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $ZoneName.ZoneName | Where-Object {$_.HostName -eq $ComputerName}
        }
        $ADcomputer = Get-ADComputer -Identity $ComputerName
        $SID = New-Object System.Security.Principal.SecurityIdentifier $ADcomputer.SID.Value
        $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, "GenericAll", "Allow"
        foreach($DNSRecord in ($DNSRecords | Sort-Object DistinguishedName -Unique)){
            $Path = "AD:\$($DNSRecord.DistinguishedName)"
            $ACL = Get-Acl -Path $Path
            $ACL.AddAccessRule($ACE)   # the rule must be added to the ACL before it is written back
            $ACL | Set-Acl -Path $Path
        }
    }

    Best Regards,
    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  1. Mohamed SAKHO 116 Reputation points


    Thank you very much! This helped me IMMENSELY!
    But I just want to know if it's possible to log it and show me the records that do not exist.
    Thank you in advance

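An added example, not code from either poster, that combines the accepted answer with the logging request in the reply above: it writes a line per computer to a log file, reports computers that have no record in any AD-integrated zone, and only adds the ACE when the computer's SID does not already hold write access on the dnsNode. It assumes the DnsServer and ActiveDirectory modules are installed, the caller can modify dnsNode security descriptors, and the computer names and log path (placeholders here) are replaced with real values.

```powershell
param(
    [string[]]$ComputerNames = @("computer1", "computer2"),   # placeholder names, substitute your own
    [string]$LogPath = "$env:TEMP\dnsnode-acl.log",           # assumed log location
    [switch]$Preview                                           # report only, change nothing
)
Import-Module DnsServer, ActiveDirectory
$dnsServer = (Get-ADDomain).PDCEmulator
# only AD-integrated forward zones carry dnsNode objects whose ACL can be edited via the AD: drive
$zones = Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone }

function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

foreach ($name in $ComputerNames) {
    $computer = Get-ADComputer -Identity $name -ErrorAction SilentlyContinue
    if (-not $computer) { Write-Log "SKIP $name : no computer object in AD"; continue }
    $sid = [System.Security.Principal.SecurityIdentifier]$computer.SID.Value
    $records = foreach ($zone in $zones) {
        Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone.ZoneName |
            Where-Object { $_.HostName -eq $name }
    }
    if (-not $records) { Write-Log "MISSING $name : no record in any AD-integrated zone"; continue }
    # A and AAAA records for one host live on the same dnsNode, so ACL each node once
    foreach ($record in ($records | Sort-Object DistinguishedName -Unique)) {
        $path = "AD:\$($record.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # compare explicit ACEs by SID, so an unresolvable or renamed account is not a false "missing"
        $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) }
        if ($existing) { Write-Log "OK $name : $($record.DistinguishedName) already grants write to $sid"; continue }
        if ($Preview)  { Write-Log "WOULD GRANT $name : $($record.DistinguishedName)"; continue }
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericAll', 'Allow')
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
        Write-Log "GRANTED $name : GenericAll on $($record.DistinguishedName)"
    }
}
```

Run it once with -Preview to get the MISSING/WOULD GRANT lines in the log before letting it change any ACL.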