I had a request from a previous blog post asking whether it's possible to change permissions on reverse (PTR) Active Directory integrated DNS records. Of course! This is just a quick example of how you can add either Full Control or Modify rights for a specific AD user account to a PTR record.

It has been only minimally tested, so YMMV. If you have any questions, please leave a comment and I'll try to help out in any way I can. The only variables you need to fill in are the IP address, username and ZoneReplicationScope. It should figure out the zone and record name on its own.

```powershell
#requires -Module ActiveDirectory

function Remove-DsAce {
    param(
        [Microsoft.ActiveDirectory.Management.ADObject]$AdObject,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )

    # IdentityReference.Value is DOMAIN\sAMAccountName; match on the account part only.
    # Remove every matching ACE, since more than one rule may exist for the account.
    $AceToRemove = $Acl.Access | Where-Object { $_.IdentityReference.Value.Split('\')[-1] -eq $Identity }
    foreach ($Ace in $AceToRemove) {
        $null = $Acl.RemoveAccessRule($Ace)
    }
    Set-Acl -Path "ActiveDirectory:://RootDSE/$($AdObject.DistinguishedName)" -AclObject $Acl
}

function New-DsAce {
    param(
        [Microsoft.ActiveDirectory.Management.ADObject]$AdObject,
        [string]$Identity,
        [string]$ActiveDirectoryRights,
        [string]$Right,
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )

    # Resolve the account to its SID; the access rule must be built from a SID, not a name.
    $Sid = (Get-ADObject -Filter "samaccountname -eq '$Identity'" -Properties ObjectSID).ObjectSID
    $NewAccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $ActiveDirectoryRights, $Right)
    $Acl.AddAccessRule($NewAccessRule)
    Set-Acl -Path "ActiveDirectory:://RootDSE/$($AdObject.DistinguishedName)" -AclObject $Acl
}

function Get-ReverseDnsInfo {
    param($IpAddress)

    # Assumes the reverse zone is a /16 (e.g. 208.10.in-addr.arpa); the node name
    # is then the remaining two octets in reverse order (e.g. 6.4).
    $Array = $IpAddress.Split('.')
    $Record = "{0}.{1}" -f $Array[3], $Array[2]
    $Zone = "{0}.{1}.in-addr.arpa" -f $Array[1], $Array[0]
    [pscustomobject]@{
        'Zone'   = $Zone
        'Record' = $Record
    }
}

$ModifyRights = 'CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner'
$FullControlRights = 'GenericAll'
$IpAddress = '10.208.4.6'
$SecurityIdentity = 'username'
$ZoneReplicationScope = 'Forest'   # 'Forest' -> ForestDnsZones partition, 'Domain' -> DomainDnsZones
$DomainDn = (Get-AdDomain).DistinguishedName
$ReverseDnsInfo = Get-ReverseDnsInfo -IpAddress $IpAddress

# Braces are required around the variable name so PowerShell does not read
# "$ZoneReplicationScopeDnsZones" as a single (undefined) variable.
$DnsNodeObjectQueryParams = @{
    'SearchBase' = "DC=$($ReverseDnsInfo.Zone),CN=MicrosoftDNS,DC=${ZoneReplicationScope}DnsZones,$DomainDn"
    'Filter'     = "objectClass -eq 'dnsNode' -and name -eq '$($ReverseDnsInfo.Record)'"
}

$DnsNodeObject = Get-ADObject @DnsNodeObjectQueryParams
$Acl = Get-Acl -Path "ActiveDirectory:://RootDSE/$($DnsNodeObject.DistinguishedName)"
# Swap $FullControlRights for $ModifyRights to grant Modify instead of Full Control.
New-DsAce -AdObject $DnsNodeObject -Identity $SecurityIdentity -ActiveDirectoryRights $FullControlRights -Right 'Allow' -Acl $Acl
```
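Once you have granted the ACE, you'll want to read it back and confirm exactly what the account can now do to that PTR record, and it helps to locate the node without assuming the reverse zone is a /16. The function below is an added example written for this post, not part of the original script: it finds the most specific reverse zone that actually exists in the chosen replication partition (so /8, /16 and /24 zones all work), looks up the dnsNode inside it, and reports the ACEs on the node, optionally filtered to one sAMAccountName. The function name `Get-PtrNodeAccess` and the sample IP and account are assumptions; the partition and path layout are the same ones the script above uses.

```powershell
#requires -Module ActiveDirectory
# Added example: audit the ACEs on the PTR record for an IP address.
function Get-PtrNodeAccess {
    param(
        [Parameter(Mandatory)][ipaddress]$IpAddress,
        [ValidateSet('Forest', 'Domain')][string]$ZoneReplicationScope = 'Forest',
        [string]$Identity   # optional: only show ACEs for this sAMAccountName
    )

    $DomainDn = (Get-ADDomain).DistinguishedName
    $PartitionDn = "CN=MicrosoftDNS,DC=${ZoneReplicationScope}DnsZones,$DomainDn"

    # Build the full reverse name, e.g. 10.208.4.6 -> 6.4.208.10.in-addr.arpa
    $Octets = $IpAddress.GetAddressBytes()
    [array]::Reverse($Octets)
    $FullReverse = ($Octets -join '.') + '.in-addr.arpa'

    # Pick the existing reverse zone with the longest matching suffix, so the
    # zone size does not have to be guessed (/8, /16 and /24 are all covered).
    $Zone = Get-ADObject -SearchBase $PartitionDn -SearchScope OneLevel `
        -Filter "objectClass -eq 'dnsZone' -and name -like '*.in-addr.arpa'" |
        Where-Object { $FullReverse -like "*.$($_.Name)" } |
        Sort-Object { $_.Name.Length } -Descending |
        Select-Object -First 1
    if (-not $Zone) { throw "No reverse zone in $PartitionDn covers $IpAddress" }

    # The node name is whatever is left after stripping the zone suffix and its dot.
    $Record = $FullReverse.Substring(0, $FullReverse.Length - $Zone.Name.Length - 1)
    $Node = Get-ADObject -SearchBase $Zone.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'dnsNode' -and name -eq '$Record'"
    if (-not $Node) { throw "No PTR node '$Record' in zone $($Zone.Name)" }

    # Read the DACL back and report one row per ACE (explicit and inherited).
    $Acl = Get-Acl -Path "ActiveDirectory:://RootDSE/$($Node.DistinguishedName)"
    $Acl.Access |
        Where-Object { -not $Identity -or $_.IdentityReference.Value.Split('\')[-1] -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Zone      = $Zone.Name
                Record    = $Record
                Identity  = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# Usage (assumed values): confirm what 'username' was granted on the PTR record for 10.208.4.6
Get-PtrNodeAccess -IpAddress '10.208.4.6' -Identity 'username' | Format-Table -AutoSize
```

Run it without `-Identity` to see every ACE on the node, which is a quick way to spot that `GenericAll` (Full Control) was granted where only Modify was intended, or that the right landed on the wrong replication partition.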

Want more DNS record knowledge using PowerShell? Why not pick up at the next logical spot and begin learning about DNS records in this detailed, step-by-step, tutorial on managing DNS records.
