I need to execute commands from the DNSServer module, specifically Get-DnsServerResourceRecord and Remove-DnsServerResourceRecord under a domain account as well as a local account, but with limited permissions. I need to supply a PSCredential for a domain account with the permissions to execute the DNS commands, but they don’t take a Credential parameter.
I see that opening a Cim session using the credential and then executing the DNS commands with -CimSession is one option, but this appears to require both the account that is running the code and the account the credential is for to be local administrators as well as needing UAC to be disabled, which is a highly undesirable requirement.
Another option would be to open a PSSession to the localhost using the credential and execute the DNS commands in that session. However, even with the account running the code and the account for the credential having local and domain admin privileges, the DNS commands still error on permissions:
Failed to get the zone information for ourdomain.com on server 184.108.40.206.
- CategoryInfo : PermissionDenied: (ourdomain.com:root/Microsoft/…rResourceRecord) [Get-DnsServerResourceRecord], CimException
- FullyQualifiedErrorId : WIN32 5,Get-DnsServerResourceRecord
PSComputerName : ourcomputername
It seems that the permissions are not passed through the session to the commands run inside of it. Running the same DNS command directly under the account for the credential or the account executing the code works.
What is the best way to execute these commands with permissions limited as much as possible?
If the DNSServer module simply won’t work for this, are there any alternative ways of reading and deleting AD DNS records via PowerShell?
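The -CimSession route mentioned in the question, written out as an added example that is not part of the original post. It assumes the DNS server is reachable over WinRM; 'ourdomain.com' is the zone named in the post, while 'dns01' and 'oldhost' are placeholder names.

```powershell
# Added example, not from the original question. Assumes the supplied account
# is permitted to manage DNS records on the target server; 'dns01' and
# 'oldhost' are placeholders, 'ourdomain.com' is the zone from the post.
$cred = Get-Credential -Message 'Account permitted to manage DNS records'

# The DNSServer cmdlets have no -Credential parameter, but they do accept
# -CimSession, so the credential is attached to the session instead.
$cim = New-CimSession -ComputerName 'dns01' -Credential $cred

try {
    # Read: enumerate A records in the zone under the delegated account.
    $records = Get-DnsServerResourceRecord -CimSession $cim `
        -ZoneName 'ourdomain.com' -RRType A
    $records | Select-Object HostName, RecordType, TimeToLive | Format-Table

    # Delete: scope the removal to one record name and type. -WhatIf previews
    # the change so a permission or targeting mistake shows up before anything
    # is actually removed; drop -WhatIf once the preview is correct.
    Remove-DnsServerResourceRecord -CimSession $cim -ZoneName 'ourdomain.com' `
        -Name 'oldhost' -RRType A -WhatIf
}
finally {
    # Always tear the session down so the delegated credential is not left open.
    Remove-CimSession -CimSession $cim
}
```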