
Protect Active Directory Organizational Units from Accidental Deletion with PowerShell

Today we’re talking a little more about Active Directory reconnaissance, for lack of a better term. If I start a new job, the first thing I want to do is find out how my infrastructure is configured. This script searches all of Active Directory, or a subtree of it, for Organizational Units that are not protected from accidental deletion.

My own best practice is to make sure everything in Active Directory is protected from accidental deletion. This script makes it easy to find the OUs that are not protected and protect them, without you having to waste a bunch of time clicking through Active Directory. Keep in mind what the flag actually is: under the hood it is a Deny ACE for Everyone on the Delete and Delete Subtree rights. That stops an administrator’s mis-click, but anyone who already holds rights to rewrite the object’s ACL can clear it, so treat it as a safety net rather than a security control.

You could also drop the object-class clause below from the Where-Object filter if you want to check all object classes, not just OUs:

-and $_.ObjectClass -eq "organizationalUnit"

It’s nothing complicated, but it is useful.

<#

*** THIS SCRIPT IS PROVIDED WITHOUT WARRANTY, USE AT YOUR OWN RISK ***

.DESCRIPTION
	Searches all OUs in Active Directory, or a subset of OUs under a given
    SearchBase, and looks for OUs whose ProtectedFromAccidentalDeletion
    property is set to $false.
    
    The code at the bottom of the script (OPTION 2) finds those OUs and sets
    ProtectedFromAccidentalDeletion to $true on each of them.

.NOTES
	File Name: 
	Author: David Hall
	Contact Info: 
		Website: www.signalwarrant.com
		Twitter: @signalwarrant
		Facebook: facebook.com/signalwarrant/
		Google +: plus.google.com/113307879414407675617
		YouTube Subscribe link: https://www.youtube.com/c/SignalWarrant1?sub_confirmation=1
	Requires: Appropriate AD permissions
	Tested: PowerShell Version 5, Windows 10 and Windows Server 2012 R2

.PARAMETER
    None. Edit the -SearchBase value in OPTION 2 to point at the OU subtree you want to protect.

.EXAMPLE
     Run either OPTION 1 (report only) or OPTION 2 (report and fix under a SearchBase)

#>

# OPTION 1
# Find all OUs in the domain that are not protected from accidental deletion.
# Report only; nothing is changed. Out-GridView needs an interactive session.
Get-ADObject -Filter * -Properties CanonicalName,ProtectedFromAccidentalDeletion |
    Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false -and $_.ObjectClass -eq "organizationalUnit"} | 
    Select-Object CanonicalName,ProtectedFromAccidentalDeletion |
    Out-GridView


# OPTION 2
# Find the unprotected OUs under one SearchBase and protect them.
# Set-ADObject changes the objects; append -WhatIf to the last line to dry-run it first.
Get-ADObject -Filter * -Properties CanonicalName,ProtectedFromAccidentalDeletion -SearchBase "OU=_Groups,DC=signalwarrant,DC=local" |
    Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false -and $_.ObjectClass -eq "organizationalUnit"} |
    Set-ADObject -ProtectedFromAccidentalDeletion $True
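As an added example (my code, not the script from the post), here is the same search wrapped in a function: the object-class check runs on the domain controller via an LDAP filter instead of client-side, the object classes are a parameter so the search can be widened beyond OUs, and the fix is behind a -Fix switch with -WhatIf support so you can see what would change before it changes. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read and modify the ACLs of the objects returned; the domain and OU names in the usage lines are placeholders.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller can read and modify the ACLs of
# the objects returned. Domain and OU names in the usage lines are placeholders.
function Find-UnprotectedAdObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Subtree to search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,

        # Object classes to inspect. OUs only by default, as in the post;
        # widen it with e.g. -ObjectClass organizationalUnit, container, group
        [string[]]$ObjectClass = @('organizationalUnit'),

        # Set ProtectedFromAccidentalDeletion on every object found.
        [switch]$Fix
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Build an LDAP OR-filter so the class check runs on the DC instead of
    # pulling every object in the subtree over the wire and filtering locally.
    $classTerms = $ObjectClass | ForEach-Object { "(objectClass=$_)" }
    $ldapFilter = '(|' + ($classTerms -join '') + ')'

    # Match $false only: a $null value means the security descriptor could not
    # be read, which is a permissions problem, not an unprotected object.
    $unprotected = Get-ADObject -LDAPFilter $ldapFilter -SearchBase $SearchBase `
        -SearchScope Subtree -Properties CanonicalName, ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false }

    foreach ($obj in $unprotected) {
        $changed = $false
        # ShouldProcess honours -WhatIf and -Confirm, so -Fix -WhatIf is a dry run.
        if ($Fix -and $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Protect from accidental deletion')) {
            Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $true
            $changed = $true
        }
        [pscustomobject]@{
            CanonicalName     = $obj.CanonicalName
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
            Protected         = $changed
        }
    }
}

# Usage (placeholder names):
# Report only, whole domain, OUs only:
#   Find-UnprotectedAdObject | Format-Table CanonicalName, ObjectClass
# Dry run against one subtree, OUs and groups:
#   Find-UnprotectedAdObject -SearchBase 'OU=_Groups,DC=example,DC=local' -ObjectClass organizationalUnit, group -Fix -WhatIf
# Apply, then re-run the report; an empty result means nothing is left unprotected:
#   Find-UnprotectedAdObject -Fix
#   Find-UnprotectedAdObject
```

Run it without -Fix first and keep that output: the list of unprotected objects is itself a useful record of what was changed, and running the report again afterwards is the check that the fix actually took.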