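# add-dnsserverzoneacl.ps1
#
# Adds one access-control entry (ACE) for a service account to every dnsNode
# object in one or more AD-integrated DNS zones.
#
# Parameters:
#   -dnszones        zone name(s); also accepted from the pipeline
#   -serviceaccount  account that receives the ACE (DOMAIN\name). Mandatory,
#                    so the default below is only documentation of the
#                    expected value; PowerShell prompts when it is omitted.
#   -rights          ActiveDirectoryRights granted on each record. Defaults to
#                    GenericAll, the value the script always used. GenericAll
#                    also includes WriteDacl, WriteOwner and Delete on every
#                    record, which an account that only needs to update
#                    records does not require; pass e.g. 'GenericWrite' to
#                    narrow the grant.
#
# Requires the ActiveDirectory module (provides the AD: drive used by
# Get-Acl/Set-Acl) and the DnsServer module (Get-DnsServerZone).
#
# Fixes relative to the original: the header printed $dnszone (undefined at
# that point) instead of the zones given; pipeline input only processed the
# last zone because the body ran as an implicit end block; a zone that could
# not be resolved left $zoneDN empty and the Get-ADObject search then ran
# against an empty SearchBase.
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true,
               HelpMessage="Geben Sie den Namen der DNS-Zone an, für die die ACLs aktualisiert werden sollen.",
               ValueFromPipeline=$true)]
    [string[]]$dnszones,

    [Parameter(Mandatory=$true,
               HelpMessage="Geben Sie den Namen des Serviceaccounts an, für den die ACLs aktualisiert werden sollen.")]
    [string]$serviceaccount = "msxfaq\dnsupdater",

    [Parameter(Mandatory=$false)]
    [System.DirectoryServices.ActiveDirectoryRights]$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
)

begin {
    Write-Host "Add-DNSServerZoneACL:Start"
    Write-Host " ServiceAccount : $($serviceaccount)"
    Write-Host " Rights         : $($rights)"

    Write-Host "Import ActiveDirectory module for ADSI access"
    Import-Module ActiveDirectory

    Write-Verbose "Prepare ACE for $($serviceaccount) with $($rights) permissions"
    # Resolve the account name to its SID; Translate() throws if the account
    # does not exist, which stops the script before any ACL is touched.
    $sid = (New-Object System.Security.Principal.NTAccount($serviceaccount)).Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "ServiceAccountsid: $($sid)"

    # One ACE, built once and added to every record:
    #   ObjectType Guid.Empty  -> not restricted to a single attribute/property
    #   Inheritance None       -> applies to the record object itself only
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
}

process {
    # Runs once per pipeline item (or once for a -dnszones argument list).
    foreach ($dnszone in $dnszones) {
        Write-Host " DNSZone        : $($dnszone)"
        Write-Verbose "Processing DNS-Zone: $($dnszone)"

        $zoneDN = $null
        try {
            $zoneDN = (Get-DnsServerZone -Name $dnszone -ErrorAction Stop).DistinguishedName
        } catch {
            Write-Warning "Zone '$dnszone' could not be read, skipping: $_"
            continue
        }
        if (-not $zoneDN) {
            # NOTE(review): presumably a file-backed (non AD-integrated) zone,
            # which has no DistinguishedName and therefore no dnsNode objects
            # to ACL - confirm against Get-DnsServerZone output.
            Write-Warning "Zone '$dnszone' has no DistinguishedName (not AD-integrated?), skipping"
            continue
        }
        Write-Host " ZoneDN: $zoneDN"

        Write-Host "Get all DNS records in the zone and update ACLs"
        # @(...) keeps .Count valid when the search returns a single object.
        $records = @(Get-ADObject -SearchBase $zoneDN -LDAPFilter "(objectClass=dnsNode)" -Properties distinguishedName)
        Write-Host "Total DNS-Records found: $($records.Count)"

        foreach ($record in $records) {
            try {
                $path = "AD:$($record.DistinguishedName)"
                Write-Host "Processing record: $($path)" -NoNewline
                # -ErrorAction Stop turns provider errors into terminating
                # ones so a failed read lands in the catch block instead of
                # continuing with a null ACL.
                $acl = Get-Acl -Path $path -ErrorAction Stop
                Write-Host " AddACL" -ForegroundColor Blue -NoNewline
                $acl.AddAccessRule($ace)
                Write-Host " Update" -ForegroundColor Blue -NoNewline
                # Writes the modified security descriptor back to the record.
                Set-Acl -Path $path -AclObject $acl -ErrorAction Stop
                Write-Host " OK" -ForegroundColor Green
            } catch {
                # Per-record failure is reported and the loop moves on, so one
                # bad record does not abort the whole zone.
                Write-Host "Fail: $_" -ForegroundColor Red
            }
        }
    }
}

end {
    Write-Host "Add-DNSServerZoneACL:End"
}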