We have thousands of records in our Microsoft DNS servers, and some of them are specific to one department. That department has had ACLs set on their records so that their IT staff can modify their own DNS records. Some of the ACLs now seem to be missing the ACEs which give that department's DNS admins group permission to update those specific records.
It's a fairly long list of records, so I thought I'd use PowerShell 7 to blast through them and add the ACEs for their DNS admins group to those records en masse. As a test, I came up with these commands which seem to get me most of the way there:
Import-Module ActiveDirectory
# Resolve the department's group and build a SecurityIdentifier for the ACE
$DnsAdminGroup = Get-ADGroup -Identity "DeptDnsAdmins"
$SID = New-Object System.Security.Principal.SecurityIdentifier $DnsAdminGroup.SID.Value
# Read the current ACL of one dnsNode object via the AD provider path
$ACL = Get-Acl -Path "ActiveDirectory:://RootDSE/DC=thing,DC=my.domain.org,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=org"
# Allow ACE granting the group full control (GenericAll) of that record
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, "GenericAll", "Allow"
$ACL.AddAccessRule($ACE)
# Write the modified ACL back to the same object
Set-Acl -Path "ActiveDirectory:://RootDSE/DC=thing,DC=my.domain.org,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=org" -AclObject $ACL
The trouble is the last command gives me "Set-ACL: Access is denied". This is unexpected because I'm running these commands in a PowerShell window while logged in with an account in the domain's Domain Admins group to a domain-joined Windows 10 desktop. Shouldn't that mean that all my PowerShell commands have the necessary permissions to update DNS record ACLs? What do I have to do differently to get this to work?
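Before blasting ACEs onto thousands of records it is worth first auditing which dnsNode objects in a zone actually lack the department group's Allow ACE, then applying the change with a dry run. The script below is an added example, not the original poster's code: it enumerates the dnsNode objects under one zone container, compares each record's explicit ACEs to the group by SID (so a renamed group still matches), reports the records that are missing the ACE, and only adds the ACE when the caller asks for it. The zone DN, the group name "DeptDnsAdmins" and the rights value are assumptions taken from the question; replace them with your own. It uses the same Get-Acl / ActiveDirectoryAccessRule / Set-Acl approach as the question, so it is subject to the same permission behaviour the poster hit.

```powershell
# Added example (not the original poster's code). Assumes the RSAT ActiveDirectory
# module and its AD: drive are available in the PowerShell 7 session.
Import-Module ActiveDirectory

function Get-DnsNodeMissingAce {
    # Return the DNs of dnsNode records under $ZoneDn that have no explicit
    # Allow ACE granting at least $Rights to $GroupName.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZoneDn,    # e.g. "DC=my.domain.org,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=org" (assumed)
        [Parameter(Mandatory)] [string] $GroupName, # e.g. "DeptDnsAdmins" (assumed)
        [System.DirectoryServices.ActiveDirectoryRights] $Rights = 'GenericAll'
    )
    $groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID.Value

    # Every record in an AD-integrated zone is a dnsNode object directly under the
    # zone container; skip tombstoned (deleted) records.
    $nodes = Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))'

    foreach ($node in $nodes) {
        $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
        $match = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            (($_.ActiveDirectoryRights -band $Rights) -eq $Rights) -and
            ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid)
        }
        if (-not $match) { $node.DistinguishedName }
    }
}

function Add-DnsNodeAce {
    # Add an explicit Allow ACE for $GroupName to each record DN from the pipeline.
    # Supports -WhatIf / -Confirm so the bulk change can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights = 'GenericAll'
    )
    begin {
        $groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID.Value
    }
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "Add Allow:$Rights for $GroupName")) {
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSid, $Rights, 'Allow')
            $acl.AddAccessRule($ace)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Usage (values assumed): audit first, then rehearse, then apply.
$zone  = 'DC=my.domain.org,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=org'
$group = 'DeptDnsAdmins'
$missing = Get-DnsNodeMissingAce -ZoneDn $zone -GroupName $group
"{0} record(s) missing the ACE" -f @($missing).Count
$missing | Add-DnsNodeAce -GroupName $group -WhatIf   # drop -WhatIf to apply
```

The audit step only reads ACLs, so it works even in a session where Set-Acl later fails, and its output doubles as a record of which objects drifted. The rights check uses a bitwise test rather than string equality so an existing ACE that already grants a superset of the requested rights is not duplicated; if the department only needs to edit records rather than change their security, the $Rights parameter can be narrowed from GenericAll to something like WriteProperty, which is a separate decision from the permission error in the question.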
