Automating the Infrastructure

Focusing on scripts, MOM, SMS, WMI, and any other technologies design to assist operations staff in performing their entire job function from the comfort of their own desk.

Reading AD Integrated DNS Records.

I recently had a requirement to read and change come permissions on DNS records in an AD Integrated zone.  I know I can use the MicrosoftDNS_AType WMI class to read the records, but this isn’t going to give me any access to permissions.  I figure that since the zone is AD Integrated, I can just use ADSI.  That is correct, but what I didn’t know is how to find the records.  You certainly won’t find them with the Users and Computers container, and ADSIEdit wasn’t showing them to me either.

 

After a little investigation, it turns out that DNS records are stored in a partition of the directory that ADSIEdit doesn’t load by default.  Assuming the name of the zone is contoso.com, the path to the partition is as follows:

 

dc=contoso.com,cn=MicrosoftDns,dc=DomainDnsZones,dc=contoso,dc=com

 

With that knowledge, you can enumerate the records with the following script (assuming you have a domain called contoso.com).

 

set objDNS = GetObject("LDAP://dc=contoso.com,cn=Microsoftdns,dc=DomainDnsZones,dc=contoso,dc=com")

 

For Each objRecord in objDNS

       WScript.Echo objRecord.Name

Next

 

Getting and settings AD permissions through script is a little tricky.  You can get a great discussion of it in this article in ScriptCenter. 

 

You can format your output however you like, but I always like to prep it for import into Excel or Access so I can do some analysis across the entire dataset.  My personal favorite delimiter is the vertical bar (|) since it just doesn’t show up all that often in other data.

 

To enumerate the DNS records with their trustees and associated rights, in a delimited format ready for import somewhere else, use the following script.  I know I’m just echoing to the screen, but either just direct the output to a file or setup and output file and change my wscript.echo’s to objFile.WriteLine’s.

 

Set objDNS = GetObject("LDAP://dc=bwren.com,cn=Microsoftdns,dc=DomainDnsZones,dc=bwren,dc=com")

 

For Each objRecord in objDNS

 

       Set objSD = objRecord.Get("ntSecurityDescriptor")

       Set objACL = objSD.DiscretionaryACL

 

       wscript.echo "Record|" & _

                                  "Trustee|" & _

                                  "AceFlags|" & _

                                  "AceType|" & _

                                  "Flags|" & _

                                  "ObjectType|" & _

                                  "InheritedObjectType|" & _

                                  "AccessMask"

                          

       For Each objACE in objACL

              wscript.Echo objRecord.Get("dc") & "|" & _

                                         objACE.Trustee & "|" & _

                                         objACE.AceFlags & "|" & _

                                         objACE.AceType & "|" & _

                                         objACE.Flags & "|" & _

                                         objACE.ObjectType & "|" & _

                                         objACE.InheritedObjectType & "|" & _

                                         objACE.AccessMask         

       Next

Next

 

I'll have a script done shortly that works with the Access Mask in more detail.

Published Monday, January 02, 2006 7:35 AM by Brian Wren
Filed under: ,

Comments

No Comments
Anonymous comments are disabled

This Blog

Syndication

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
 Microsoft
Page view tracker