RSS

Tag Archives: protect from accidental deletion

PowerShell – Determine which Active Directory objects are protected from accidental deletion

In yesterday’s post I showed some commands to protect all or specific Active Directory objects from accidental deletion.

In some situations (by example preparing for a change) you might want to know which objects are protected from accidental deletion and which are not. Also when multiple people make changes in an Active Directory it might prove difficult to keep track of the changes.

To determine the protection status of AD objects, I use a script that checks the ACL of the AD Object. When Everyone is explicitly Denied access, it is protected from accidental deletion.

 

Tags: , , , , , , , , , , , ,

PowerShell – Protect Active Directory objects from accidental deletion

In a previous blog post I explained how to enable the Active Directory Recycle Bin which allows you to restore deleted active directory object.

But even though it’s great to be able to restore objects, it is even better to prevent accidental deletion. What accidental deletion basically does, is modify the permissions on an AD object to Deny Everyone so you won’t be able to delete it by accident.

More information about protection from accidental deletion can be found in “Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory” and “Windows Server 2008 Protection from Accidental Deletion“.

In Windows Server 2012 with all the new cmdlets, it has become much easier to enable protection from accidental deletion.

By example, you could use these commands:

#Get-ADobject class names
get-adobject -filter * | select objectclass | group objectclass

#Protect specific AD object classes from accidental deletion
get-adobject -filter * | where{($_.ObjectClass -eq “container”) -or ($_.ObjectClass -eq “organizationalunit”) -or ($_.ObjectClass -eq “user”) -or ($_.ObjectClass -eq “group”) -or ($_.ObjectClass -eq “computer”)} | Set-ADObject -ProtectedFromAccidentalDeletion $true

#Protect all AD organizational units from accidental deletion
Get-ADOrganizationalUnit -filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

#Protect all AD objects from accidental deletion
Get-ADobject -filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true

 

Tags: , , , , , , , , , , , , , ,

 
%d bloggers like this: