执行此脚本需要管理员权限,并且运行脚本的计算机上需要安装 AD 管理工具(脚本用到 ActiveDirectory 和 DnsServer 两个 PowerShell 模块的 cmdlet)。

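Function Set_DNSACL{
    <#
    .SYNOPSIS
    Grants one computer account full control over another host's DNS record object.

    .DESCRIPTION
    Looks up the resource records whose HostName equals $DstServer in the
    domain's DNS root zone (queried on the PDC emulator), then adds an Allow
    "GenericAll" access rule for the computer account $SouServer to the ACL of
    each matching record object through the AD: drive.

    .PARAMETER SouServer
    Identity of the computer account that receives the permission
    (passed to Get-ADComputer -Identity).

    .PARAMETER DstServer
    Host name of the DNS record whose ACL is modified (compared with the
    record's HostName property).

    .NOTES
    Terminates with an error if either argument is empty, if a lookup fails,
    or if no directory-backed record matches $DstServer, so that an ACL is
    never written to an unintended or empty path.
    #>
    param(
        $SouServer,
        $DstServer
    )

    if (-not $SouServer -or -not $DstServer) {
        throw "Set_DNSACL: both SouServer and DstServer must be specified."
    }

    # Query the domain once; both values come from the same object.
    $Domain    = Get-ADDomain -ErrorAction Stop
    $DNSServer = $Domain.PDCEmulator
    $ZoneNames = $Domain.DNSRoot

    # DNSRoot is a plain zone-name string, so it is passed to -ZoneName directly.
    # (The previous "$ZoneName.ZoneName" evaluated to $null on a string.)
    $DNSRecord = @(foreach($ZoneName in $ZoneNames){
        Get-DnsServerResourceRecord -ComputerName $DNSServer -ZoneName $ZoneName -ErrorAction Stop |
            Where-Object { $_.HostName -eq $DstServer }
    })

    # Several records of one host (e.g. different record types) can share one
    # directory object; de-duplicate so each ACL is edited exactly once.
    $TargetDNs = @($DNSRecord |
        Where-Object { $_.DistinguishedName } |
        Select-Object -ExpandProperty DistinguishedName -Unique)

    if ($TargetDNs.Count -eq 0) {
        throw "Set_DNSACL: no directory-backed DNS record found for host '$DstServer'."
    }

    $ADComputer = Get-ADComputer -Identity $SouServer -ErrorAction Stop
    $SID = New-Object System.Security.Principal.SecurityIdentifier $ADComputer.SID.Value

    Push-Location -Path AD:\ -ErrorAction Stop
    try {
        foreach($TargetDN in $TargetDNs){
            $ACL = Get-Acl -Path $TargetDN -ErrorAction Stop
            # NOTE(review): GenericAll is full control of the record object,
            # including rewriting its permissions. Confirm that this breadth is
            # required; a narrower right set is preferable if the source server
            # only needs to update the record data.
            $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID, "GenericAll", "Allow"
            $ACL.AddAccessRule($ACE)
            Set-Acl -Path $TargetDN -AclObject $ACL -ErrorAction Stop
        }
    }
    finally {
        # Always restore the caller's location, even when an ACL operation fails.
        Pop-Location
    }
}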