In DNS, some of the computers in my list have a current owner that no longer exists, so you see SID information as the current owner. I want to change it to machine_name$.
Does anyone know how to do this via PowerShell? In AD you can only change it to a user/group.
I used the Add-QADPermission cmd, but that didn't change the ownership, and I couldn't find anything that would change ownership. Thanks in advance
Answer 1
Import-Module D:\Powershell\DNS\DnsShell       # third-party DnsShell module (Get-ADDnsPartition / Get-ADDnsRecord)
Import-Module ActiveDirectory
Add-PSSnapin Quest.ActiveRoles.ADManagement   # loaded here but not used by the code below
# Retrieve records
$servers = Get-Content D:\Powershell\Scripts\DNSRECORDS.txt
$newarray = @()
foreach ($computer in $servers) {
    Get-ADDnsPartition | Get-ADDnsRecord | Where-Object { $_.Name -eq $computer } | ForEach-Object {
        $RecordName = $_.Name
        # Expected owner: the computer account of the record, e.g. GTLAW\HOST$
        $RecordName = "GTLAW\$RecordName" + '$'
        $RecordDN = (Get-ADObject -Identity $_.ObjectGUID).DistinguishedName
        $Owner = (Get-Acl -Path "ActiveDirectory:://RootDSE/$RecordDN").Owner
        if ($Owner -eq $RecordName) {
            Write-Host 'Good |' $_.Name '|' $Owner
        } else {
            Write-Host 'Bad |' $_.Name '|' $RecordName $Owner
            # Resolve HOST$ to its SID and make it the owner of the dnsNode object
            $AdACL = Get-Acl ("AD:\" + $RecordDN)
            $ADobject = New-Object System.Security.Principal.NTAccount($_.Name + '$')
            $sid = $ADobject.Translate([System.Security.Principal.SecurityIdentifier])
            $AdACL.SetOwner($sid)
            Set-Acl -Path ("AD:\" + $RecordDN) -AclObject $AdACL
        }
    }
}
Answer 2
I didn't want to use any third-party modules. This script will iterate through all zones (conditionally) and set each DNS resource record (conditionally) to the owner you specify, as long as it is currently owned by one of the owners in the bad-owner list.
$Cred = Get-Credential -Message "Input Domain ADMIN credentials" -UserName "<username>"
# This command automatically loads the AD module and allows the path "AD:\" to exist
$DNSServer = (Get-ADDomain).PDCEmulator
$CimSession = New-CimSession -ComputerName $DNSServer -Credential $Cred
$Owner = Get-ADUser -Identity "<name of account of owner you want to use>"
$SID = [System.Security.Principal.SecurityIdentifier]::new($Owner.SID.Value)
$BadOwners = @(<list of owners that you want to replace>)
# Customize this next line to your needs
$ZoneNames = Get-DnsServerZone -CimSession $CimSession -ComputerName $DNSServer |
    Where-Object { ($_.ZoneType -eq "Primary") -and !$_.IsAutoCreated -and $_.IsDsIntegrated -and !$_.IsReverseLookupZone -and ($_.ZoneName -ne "TrustAnchors") }
$ZoneNames = @($ZoneNames)
for ($i = 0; $i -lt $ZoneNames.Count; $i++) {
    # The TimeStamp condition at the end of this line ensures that static records will not be modified.
    $DNSRecord = Get-DnsServerResourceRecord -CimSession $CimSession -RRType A -ComputerName $DNSServer -ZoneName $ZoneNames[$i].ZoneName |
        Where-Object { ($_.HostName -ne "@") -and (!$_.HostName.Contains(".")) -and ($null -ne $_.TimeStamp) }
    $DNSRecord = @($DNSRecord)
    for ($j = 0; $j -lt $DNSRecord.Count; $j++) {
        # Each record is a dnsNode object in the DNS partition; read its security descriptor
        $ACL = Get-Acl -Path "AD:\$($DNSRecord[$j].DistinguishedName)" -ErrorAction SilentlyContinue
        if ($null -ne $ACL) {
            if ($ACL.Owner -in $BadOwners) {
                Write-Verbose "Processing $($DNSRecord[$j].DistinguishedName)"
                $ACL.SetOwner($SID)
                $ACL | Set-Acl -Path "AD:\$($DNSRecord[$j].DistinguishedName)"
            }
        }
        else {
            Write-Warning "$($DNSRecord[$j].DistinguishedName) ACL was NULL"
        }
    }
}
Remove-CimSession -CimSession $CimSession
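Both answers above identify a bad owner either by comparing against a hard-coded expected name or against a fixed list. The following is an added example, not code from either answerer: it instead detects orphaned owners by checking whether the owner SID still translates to an account, then resets the owner to the computer account named after the record (the machine_name$ the question asks for) only when that account actually exists, with -WhatIf support so the change can be reviewed before it is applied. It assumes the ActiveDirectory and DnsServer modules are installed, that the caller has the right to set ownership on dnsNode objects, and uses a placeholder zone name.

```powershell
# Added example (not from either answer): find AD-integrated DNS A records whose
# owner SID no longer resolves to an account, and reset the owner to the matching
# computer account (<hostname>$) when that account exists. Supports -WhatIf.
# Assumes the ActiveDirectory and DnsServer modules and that the caller holds
# the rights needed to set ownership on dnsNode objects.
#Requires -Modules ActiveDirectory, DnsServer

function Get-OrphanedDnsRecordOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $DnsServer = (Get-ADDomain).PDCEmulator
    )
    # Only host (A) records that carry an aging timestamp, i.e. dynamically
    # registered ones; static records keep whatever owner the admin gave them.
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' -and $null -ne $_.TimeStamp } |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)" -ErrorAction SilentlyContinue
            if ($null -eq $acl) { return }
            # Ask for the owner as a SID and test whether it still maps to a principal;
            # a deleted account leaves an unmappable S-1-5-21-... SID behind.
            $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            $resolvable = $true
            try { [void]$ownerSid.Translate([System.Security.Principal.NTAccount]) }
            catch [System.Security.Principal.IdentityNotMappedException] { $resolvable = $false }
            if (-not $resolvable) {
                [pscustomobject]@{
                    HostName          = $_.HostName
                    DistinguishedName = $_.DistinguishedName
                    OwnerSid          = $ownerSid.Value
                }
            }
        }
}

function Repair-DnsRecordOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record
    )
    process {
        # The target owner is the computer account named after the record (HOST$).
        $computer = Get-ADComputer -Filter "SamAccountName -eq '$($Record.HostName)`$'" -ErrorAction SilentlyContinue
        if ($null -eq $computer) {
            Write-Warning "$($Record.HostName): no computer account found, leaving owner $($Record.OwnerSid)"
            return
        }
        $path = "AD:\$($Record.DistinguishedName)"
        if ($PSCmdlet.ShouldProcess($Record.DistinguishedName, "Set owner to $($computer.SamAccountName)")) {
            $acl = Get-Acl -Path $path
            $acl.SetOwner([System.Security.Principal.SecurityIdentifier] $computer.SID)
            Set-Acl -Path $path -AclObject $acl
            # Re-read the descriptor so the caller sees the owner that was actually written.
            (Get-Acl -Path $path).Owner
        }
    }
}

# Usage (placeholder zone name; dry run first, then apply):
# Get-OrphanedDnsRecordOwner -ZoneName 'corp.example.com' | Repair-DnsRecordOwner -WhatIf
# Get-OrphanedDnsRecordOwner -ZoneName 'corp.example.com' | Repair-DnsRecordOwner -Verbose
```

Records whose hostname has no matching computer account are reported and left untouched rather than handed to an arbitrary owner, which is the case a mass ownership change most needs to get right: an orphaned SID on a record nobody owns is harmless, while a record reassigned to the wrong principal is writable by that principal.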