We recently took on a new hire, although I was confident in their ability in managing Active Directory I wanted to take an extra step in protecting Organizational units from deletion. I was sure that I could do this quickly using PowerShell instead of right-clicking each of our 80 odd OUs and going into their properties.
To do this we need to open the Active Directory Module for Windows PowerShell as an administrator. Since I began in my System Admin role, I was creating OUs that were protected, so I only really needed to do this to the ones that were already here. So first we need to work out what OUs are not protected from this list using PowerShell I can easily pipe it into the command we need to issue to protect the OUs
The first command below will output a list of all OUs currently not protected.
Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion |
where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft
This command does the above but also sets the ProtectedFromAccidtenalDeletion to True.
Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion |
where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit
-ProtectedFromAccidentalDeletion $true
Once this command is issued, all the Organizational Units in our Active Directory have become protected and should help prevent you from getting into those sticky situations where someone (could be you) from deleting one by mistake.
Leave a Reply