执行脚本需要管理员权限,且需要运行的计算机安装AD管理工具。
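Function Set_DNSACL{
### $SouServer is the computer account that is granted the right; $DstServer is the host
### whose AD-integrated DNS record(s) receive the new ACE.
#
# Grants the computer account $SouServer an access rule on the dnsNode object(s) that hold
# $DstServer's records in the domain's AD-integrated zone, as read from the PDC emulator.
#
# Arguments:
#   $SouServer   - identity of the computer account that receives the right (Get-ADComputer -Identity).
#   $DstServer   - host name (dnsNode name) whose record ACL is modified.
#   $AccessRight - ActiveDirectoryRights value to grant; defaults to "GenericAll", matching the
#                  previous hard-coded behaviour. GenericAll is full control of the record object
#                  (the grantee can delete or repoint the record, not merely update its own
#                  address); callers that only need to update record data should pass the
#                  narrowest right that works for them.
# Requires: the ActiveDirectory and DnsServer modules, and permission to write the ACL of the
#           record object. The ACL write is an AD object modification and is visible in directory
#           change auditing where that is enabled.
# Throws:   if an argument is empty, or if no record named $DstServer exists in the zone(s).
param(
    $SouServer,
    $DstServer,
    $AccessRight = "GenericAll"
)
    if ([string]::IsNullOrEmpty($SouServer) -or [string]::IsNullOrEmpty($DstServer)) {
        throw "Set_DNSACL: both SouServer and DstServer must be given."
    }

    $Domain    = Get-ADDomain
    $DNSServer = $Domain.PDCEmulator
    # DNSRoot is a plain string (the zone name), so it is iterated directly; the previous
    # code read a .ZoneName property that a string does not have and passed $null to -ZoneName.
    $ZoneNames = @($Domain.DNSRoot)
    $DNSRecord = foreach ($ZoneName in $ZoneNames) {
        Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $ZoneName |
            Where-Object { $_.hostname -eq $DstServer }
    }
    if (-not $DNSRecord) {
        throw "Set_DNSACL: no DNS record named '$DstServer' found in zone(s) $($ZoneNames -join ', ') on $DNSServer."
    }
    # Several records of one host (e.g. A and AAAA) share one dnsNode object; de-duplicate the
    # DNs so the ACL is written once per object instead of Get-Acl returning an array.
    $RecordDNs = @($DNSRecord | Select-Object -ExpandProperty DistinguishedName | Sort-Object -Unique)

    $ADComputer = Get-ADComputer -Identity $SouServer
    $SID = New-Object System.Security.Principal.SecurityIdentifier $ADComputer.SID.Value
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, $AccessRight, "Allow"

    Push-Location -Path AD:\
    try {
        foreach ($DN in $RecordDNs) {
            $ACL = Get-Acl -Path $DN
            $ACL.AddAccessRule($ACE)
            $ACL | Set-Acl -Path $DN
        }
    }
    finally {
        # Restore the caller's location even when Get-Acl/Set-Acl fails.
        Pop-Location
    }
}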