Enable protection from accidental deletion on all organizational units in Active Directory domain

As part of running the Best Practices Analyzer for Active Directory, I wanted to protect all organizational units from accidental deletion. This is achievable using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets together: the first finds the OUs, the second changes the ProtectedFromAccidentalDeletion value on them.

First of all, I wanted to see which organizational units were not protected from accidental deletion. We can do this by invoking Get-ADOrganizationalUnit against the whole domain and filtering for organizational units whose ProtectedFromAccidentalDeletion value is ‘false’. Note that the property has to be requested explicitly with -Properties, because the cmdlet does not return it by default.

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Select-Object DistinguishedName

Now I wanted to change the value to true and enable protection from accidental deletion on the organizational units returned. To do this I used the original command and piped its output to the Set-ADOrganizationalUnit cmdlet, which sets the value to ‘true’ on each OU that comes through the pipeline.

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

By invoking the initial command again I can verify that all organizational units are now protected against accidental deletion, as no results are returned.

However, I had one issue with the above: I required one organizational unit not to be protected against accidental deletion, because an automated process creates and removes child organizational units under a particular search base in the domain. Therefore I used the same cmdlets to return all organizational units that have the ProtectedFromAccidentalDeletion value set to true, this time restricting the query to that search base with -SearchBase, and set the value to ‘false’ on each of them. Because the default -SearchScope is Subtree, this matches the base OU itself as well as every child OU beneath it; use -SearchScope OneLevel if only the direct children should be unprotected.

Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Application,OU=ServiceAccounts,DC=domain,DC=local" -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $true } | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

It is possible to make ProtectedFromAccidentalDeletion true by default when creating new organizational units, as per this article. Keep in mind that the flag is only a guardrail against mistakes: behind the scenes it is a pair of Deny ACEs (Delete and Delete Subtree) for Everyone on the object, and anyone with permission to modify the OU’s security descriptor can clear it. It is not a substitute for restricting who holds delete rights on those OUs.

I have not performed this step yet, as I would like to do some further testing and also modify the automated workflow described above so that any organizational units it creates have the ProtectedFromAccidentalDeletion value explicitly set to ‘false’.
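The steps above (audit, protect everything, leave one automation subtree unprotected, and have the workflow create its own child OUs unprotected) pulled together into one script. This is an added example, not the original post’s code; it assumes the ActiveDirectory module is available, that the automation search base is the OU used above (OU=Application,OU=ServiceAccounts,DC=domain,DC=local), and the function names and the sample child OU name are my own. It also adds a check of the underlying Deny ACE, which is how the flag is actually enforced.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and an automation OU subtree that must stay unprotected (assumed DN below).
Import-Module ActiveDirectory

# Subtree managed by the automated workflow; left unprotected on purpose (assumed name).
$AutomationBase = 'OU=Application,OU=ServiceAccounts,DC=domain,DC=local'

function Get-UnprotectedOU {
    # Every OU in the domain that is NOT protected from accidental deletion.
    # ProtectedFromAccidentalDeletion must be requested explicitly via -Properties.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-AllOU {
    # Protects every unprotected OU except those inside -ExcludeBase.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ExcludeBase)

    Get-UnprotectedOU |
        # A DN inside the excluded subtree (or the base itself) ends with the base DN.
        Where-Object { -not $ExcludeBase -or $_.DistinguishedName -notlike "*$ExcludeBase" } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set ProtectedFromAccidentalDeletion = $true')) {
                Set-ADOrganizationalUnit -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
            }
        }
}

function Unprotect-OUSubtree {
    # Clears the flag on a base OU and everything beneath it (default scope is Subtree,
    # so the base OU itself is included; use -SearchScope OneLevel for children only).
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion } |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
}

function Test-OUDenyDeleteAce {
    # Shows what the flag really is: Deny ACEs for Everyone on the OU's security descriptor.
    # Returns $true if a Deny ACE covering Delete or DeleteTree for Everyone is present.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.ActiveDirectoryRights -band ([System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                                         [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree))
    })
}

function New-AutomationChildOU {
    # Workflow-side creation: explicitly unprotected so the workflow can remove it later
    # without having to touch the ACL first.
    param([Parameter(Mandatory)][string]$Name)

    New-ADOrganizationalUnit -Name $Name -Path $AutomationBase -ProtectedFromAccidentalDeletion $false -PassThru
}

function Remove-AutomationChildOU {
    # Workflow-side removal. If someone re-protected the OU in the meantime,
    # Remove-ADOrganizationalUnit fails with "Access is denied", so clear the flag first.
    param([Parameter(Mandatory)][string]$Name)

    $ou = Get-ADOrganizationalUnit -Identity "OU=$Name,$AutomationBase" -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    if ($ou.ProtectedFromAccidentalDeletion) {
        Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
    }
    Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false
}

# --- Usage (run in a test domain first) ---
Protect-AllOU -ExcludeBase $AutomationBase -WhatIf     # preview
Protect-AllOU -ExcludeBase $AutomationBase             # apply
Unprotect-OUSubtree -SearchBase $AutomationBase        # keep the automation subtree unprotected

# Verify: only DNs under the automation subtree should be listed.
Get-UnprotectedOU | Select-Object DistinguishedName

# Inspect the ACE behind the flag on a protected OU (sample DN, assumed to exist).
Test-OUDenyDeleteAce -DistinguishedName 'OU=ServiceAccounts,DC=domain,DC=local'

# Workflow round trip with a sample child OU name (constructed for the example).
New-AutomationChildOU -Name 'App-Build-1234'
Remove-AutomationChildOU -Name 'App-Build-1234'
```

Run the -WhatIf pass first and review the list; any OU it would touch that you did not expect is worth investigating before applying. Test-OUDenyDeleteAce is there to make the point from the text concrete: the protection lives in the DACL, so an account with rights to modify the OU’s security descriptor can remove it, which is why delete and Write DACL rights on OUs still need to be restricted separately.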
