An organizational unit (OU) contains objects such as users and computers. All organizational units in an Active Directory domain must be protected from accidental deletion. If an organizational unit is deleted accidentally, the objects inside it are deleted with it: users whose accounts lived in that OU can no longer log on to their computers, and Windows clients whose computer objects lived in it must be rejoined to the Active Directory domain. This article explains how to check and enable the protection setting for all organizational units in an Active Directory domain using two PowerShell cmdlets: Get-ADOrganizationalUnit and Set-ADOrganizationalUnit. As the names suggest, Get-ADOrganizationalUnit retrieves a list of organizational units from an Active Directory domain, and Set-ADOrganizationalUnit is used to set the protection setting on a specific organizational unit or on all of them.
Before running PowerShell scripts
Before running the PowerShell scripts explained in this article, make sure you have a computer on which the Active Directory PowerShell module is installed, and that you have created a folder named "C:\Temp", which will be used to store the report generated by the PowerShell script. It is recommended that you run the scripts on a computer running Windows Server 2012 R2 or a later operating system.
Collecting protection setting for all organizational units
All organizational units in an Active Directory environment must be protected from accidental deletion. Microsoft provides a feature that protects an organizational unit from accidental deletion. To see which organizational units do not have the protection setting enabled, execute the Get-ADOrganizationalUnit PowerShell cmdlet as shown in the command below:
Get-ADOrganizationalUnit -Filter * -Properties * | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Export-Csv "C:\Temp\OUStatus.CSV" -NoTypeInformation
The above command retrieves all organizational units from the current Active Directory domain together with their properties, keeps only those whose "ProtectedFromAccidentalDeletion" property is $false (that is, the unprotected ones), and then uses the "Export-Csv" cmdlet to write the result in CSV format to the "C:\Temp\OUStatus.CSV" file. Note that a single PowerShell command is enough to retrieve the list of unprotected organizational units in an Active Directory domain. It is important to note that the above command connects to the Active Directory domain to which the machine is joined. If you wish to collect the same list from a different Active Directory domain, specify the "-Server" parameter as shown in the command below:
Get-ADOrganizationalUnit -Server <DomainName> -Filter * -Properties * | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Export-Csv "C:\Temp\OUStatus.CSV" -NoTypeInformation
Enabling protection setting for all organizational units
Using the previous PowerShell command, you can retrieve the list of organizational units that lack the protection setting. If you wish to enable the protection setting for all organizational units in an Active Directory domain, execute the PowerShell script below:
# -Filter * is mandatory; without it Get-ADOrganizationalUnit stops and prompts for "Filter:"
$AllOUs = Get-ADOrganizationalUnit -Filter *
ForEach ($ThisOU in $AllOUs)
{
    # The OU object itself is accepted as the -Identity value
    Set-ADOrganizationalUnit -Identity $ThisOU -ProtectedFromAccidentalDeletion $True
}
As you can see in the above PowerShell script, the Set-ADOrganizationalUnit cmdlet sets the "ProtectedFromAccidentalDeletion" property to $True, which in turn protects the organizational unit from accidental deletion. The script above does not report whether the protection setting was actually applied to each organizational unit. The PowerShell script below sets the protection setting for all organizational units in the Active Directory domain specified in the "$ThisDomain" variable and then generates a report that includes the protection setting status for each organizational unit:
$OUProtectReport = "C:\Temp\OUProtectionReport.CSV"
Remove-Item $OUProtectReport -ErrorAction SilentlyContinue
$ThisDomain = "TechGenix.com"
$ThisSTR = "OU Protection Setting Status in Active Directory Domain:" + $ThisDomain
Add-Content $OUProtectReport $ThisSTR
$ThisSTR = "OU Name, Is Protection Enabled?"
Add-Content $OUProtectReport $ThisSTR
# -Filter * is mandatory; -Server makes the query go to the domain in $ThisDomain
$AllOUs = Get-ADOrganizationalUnit -Server $ThisDomain -Filter *
ForEach ($ThisOU in $AllOUs)
{
    Set-ADOrganizationalUnit -Server $ThisDomain -Identity $ThisOU -ProtectedFromAccidentalDeletion $True
    # Re-read the OU so the report reflects the value actually stored in the directory
    $ProtStatus = Get-ADOrganizationalUnit -Server $ThisDomain -Identity $ThisOU -Properties ProtectedFromAccidentalDeletion
    $ProtOrNot = "No"
    IF ($ProtStatus.ProtectedFromAccidentalDeletion -eq $True)
    {
        $ProtOrNot = "Yes"
    }
    $ThisSTR = $ThisOU.DistinguishedName + "," + $ProtOrNot
    Add-Content $OUProtectReport $ThisSTR
}
Write-Host "Protection Settings have been modified on the Organizational Units. Please check C:\Temp\OUProtectionReport.CSV"
Once the above script has executed successfully, a report file named OUProtectionReport.CSV is created under the "C:\Temp" folder. The report includes the distinguished name of each organizational unit and its protection setting status, as shown in the screenshot below:
The PowerShell script above connects to the Active Directory domain specified in the "$ThisDomain" variable. If you wish to enable the protection setting for all organizational units in a different Active Directory domain, change the "$ThisDomain" variable to that domain's name.
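The following function is an added example, not code from the original article, that combines the check and the enable steps above into one reusable command. It assumes the ActiveDirectory module is installed, that the caller has rights to modify OUs, and that C:\Temp exists; the function name, parameter names and the corp.example.com domain in the usage comments are hypothetical. Compared with the scripts above, it reads the flag back after writing it, supports -WhatIf so the change can be previewed, and writes the report with Export-Csv, which quotes each field so that the commas inside a distinguished name do not split the CSV columns the way a hand-built "DN,Yes" line does.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original article): audit every OU in a domain for the
# ProtectedFromAccidentalDeletion flag, optionally enable it, and write a CSV report.
# Assumptions: ActiveDirectory module installed, rights to modify OUs, C:\Temp exists.
# Function and parameter names are hypothetical.
function Protect-AllOrganizationalUnits {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Domain (or domain controller) to query; defaults to the computer's own domain
        [string]$Server = (Get-ADDomain).DNSRoot,
        # Where the report is written
        [string]$ReportPath = 'C:\Temp\OUProtectionReport.CSV',
        # Audit only: report the current state without changing anything
        [switch]$ReportOnly
    )

    # -Filter * is required; without it Get-ADOrganizationalUnit prompts for "Filter:"
    $allOUs = Get-ADOrganizationalUnit -Server $Server -Filter * `
                -Properties ProtectedFromAccidentalDeletion

    $report = foreach ($ou in $allOUs) {
        $before  = [bool]$ou.ProtectedFromAccidentalDeletion
        $after   = $before
        $failure = $null

        if (-not $before -and -not $ReportOnly) {
            # ShouldProcess honours -WhatIf / -Confirm, so a dry run changes nothing
            if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
                try {
                    Set-ADOrganizationalUnit -Server $Server -Identity $ou.DistinguishedName `
                        -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
                    # Re-read rather than trusting the write, so the report shows the real state
                    $after = [bool](Get-ADOrganizationalUnit -Server $Server -Identity $ou.DistinguishedName `
                                -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
                } catch {
                    $failure = $_.Exception.Message
                }
            }
        }

        [pscustomobject]@{
            Domain            = $Server
            DistinguishedName = $ou.DistinguishedName
            ProtectedBefore   = $before
            ProtectedAfter    = $after
            Error             = $failure
        }
    }

    # Export-Csv quotes every field, so commas inside a DN do not break the columns
    $report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
    $unprotected = @($report | Where-Object { -not $_.ProtectedAfter }).Count
    Write-Host "Report written to $ReportPath. OUs still unprotected: $unprotected"
    $report
}

# Usage (hypothetical domain name):
#   Protect-AllOrganizationalUnits -ReportOnly                 # audit only, no changes
#   Protect-AllOrganizationalUnits -WhatIf                     # preview which OUs would change
#   Protect-AllOrganizationalUnits -Server corp.example.com    # remediate another domain
```

Run it with -ReportOnly first in a production domain to see how many OUs are unprotected, then with -WhatIf to preview the changes, and only then without either switch; the Error column in the report shows any OU the account was not permitted to modify.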
Your insurance policy against accidental deletion
All organizational units must be protected from accidental deletion. You may have designed a procedure for the IT teams to follow before creating an organizational unit in the production environment, but they might still forget to configure the protection setting on it. The script above lets you configure the protection setting for all organizational units in the Active Directory domain specified in the "$ThisDomain" variable.
Hi, thanks for this awesome information. I am running the commands below, but I am getting the Filter prompt?
PS C:\Windows\system32> $OUProtectReport = “C:\Temp\OUProtectionReport.CSV”
PS C:\Windows\system32> Remove-item $OUPRotectReport -ErrorAction SilentlyContinue
PS C:\Windows\system32> $ThisDomain = “ourdomain.local”
PS C:\Windows\system32> $ThisStr = “OU Protection Setting Status in Active Directory Domain:”+$ThisDomain
PS C:\Windows\system32> Add-Content $OUProtectReport $ThisSTR
PS C:\Windows\system32> $ThisSTR = “OU Name, Is Protection Enabled?”
PS C:\Windows\system32> Add-Content $OUProtectReport $ThisSTR
PS C:\Windows\system32> $AllOUs = Get-ADOrganizationalUnit –Property Identity
cmdlet Get-ADOrganizationalUnit at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
Filter:
What value should I enter?
Thanks!
What schema change would we need to make in order to default all new objects to have the "protect object" checkbox enabled? (By default, all new objects.)
Hi Michael, I am not sure if there is a way to make modifications at the schema level to apply a default setting to all new organizational units, but what you can do is create an operational procedure that lists the items to be checked, including enabling protection settings for new organizational units.
Hope this helps.
Thanks,
Nirmal
We can achieve this easily with:
Check:
> Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft DistinguishedName
Protect:
> Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true