Avoid accidental deletion: Enabling protection setting for organizational units using PowerShell

An organizational unit contains objects such as users and computers. All organizational units in an Active Directory domain must be protected from accidental deletion. If an organizational unit is deleted accidentally, the objects in that organizational unit are deleted with it. Users will not be able to log on to their computers if the deleted organizational unit contained their user objects, and Windows clients will have to be rejoined to the Active Directory domain if it contained their computer objects. We will explain how to check and enable the protection setting for all organizational units in an Active Directory domain, using two important PowerShell cmdlets: Get-ADOrganizationalUnit and Set-ADOrganizationalUnit. As the names suggest, Get-ADOrganizationalUnit retrieves a list of organizational units from an Active Directory domain, and Set-ADOrganizationalUnit is used when you wish to set the protection setting for a specific organizational unit or for all of them.

Before running PowerShell scripts

Before running the PowerShell scripts explained in this article, please make sure you have a computer where the Active Directory PowerShell module is installed, and that you have created a folder named "C:\Temp," which will be used to store the report generated by the PowerShell script. It is recommended that you use a computer running Windows Server 2012 R2 or a later operating system for running the PowerShell scripts.

Collecting protection setting for all organizational units

All organizational units in an Active Directory environment must be protected from accidental deletion. Microsoft designed a feature that protects an organizational unit from accidental deletion. In case you need to see whether all organizational units have the protection setting enabled or not, execute the Get-ADOrganizationalUnit PowerShell cmdlet as shown in the command below:


Get-ADOrganizationalUnit -Filter * -Properties * | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Export-Csv "C:\Temp\OUStatus.CSV" -NoTypeInformation


The above command retrieves all organizational units from the current Active Directory domain together with their protection setting, keeps those whose ProtectedFromAccidentalDeletion property is $false, and then uses the Export-Csv cmdlet to write the output in CSV format to the "C:\Temp\OUStatus.CSV" file. Note that by running a single PowerShell command you are able to retrieve a list of organizational units with their protection setting in an Active Directory domain. It is important to note that the above PowerShell command connects to the Active Directory domain to which the machine is joined. In case you wish to collect a list of organizational units with their protection setting from a different Active Directory domain, specify the "-Server" parameter as shown in the command below:


Get-ADOrganizationalUnit -Server <DomainName> -Filter * -Properties * | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Export-Csv "C:\Temp\OUStatus.CSV" -NoTypeInformation


Enabling protection setting for all organizational units

By using the previous PowerShell command, you can retrieve a list of organizational units with their protection setting. If you wish to enable the protection setting for all organizational units in an Active Directory domain, execute the PowerShell script below:


# -Filter * is mandatory; without it Get-ADOrganizationalUnit prompts for a filter value
$AllOUs = Get-ADOrganizationalUnit -Filter *
ForEach ($ThisOU in $AllOUs)
{
    # The OU object itself is accepted as -Identity
    Set-ADOrganizationalUnit -Identity $ThisOU -ProtectedFromAccidentalDeletion $True
}


As you can see in the above PowerShell script, you can use the Set-ADOrganizationalUnit PowerShell cmdlet to set the "ProtectedFromAccidentalDeletion" property to $True, which, in turn, protects an organizational unit from accidental deletion. The above PowerShell script does not report whether the protection setting was actually set for each organizational unit. The PowerShell script below sets the protection setting for all organizational units in the Active Directory domain specified in the "$ThisDomain" variable and then generates a report that includes the protection setting status for each organizational unit:


$OUProtectReport = "C:\Temp\OUProtectionReport.CSV"
# Start from an empty report file
Remove-Item $OUProtectReport -ErrorAction SilentlyContinue
$ThisDomain = "TechGenix.com"
$ThisStr = "OU Protection Setting Status in Active Directory Domain:" + $ThisDomain
Add-Content $OUProtectReport $ThisStr
$ThisStr = "OU Name, Is Protection Enabled?"
Add-Content $OUProtectReport $ThisStr
# -Filter * is mandatory; query the domain named in $ThisDomain
$AllOUs = Get-ADOrganizationalUnit -Server $ThisDomain -Filter *
ForEach ($ThisOU in $AllOUs)
{
    Set-ADOrganizationalUnit -Server $ThisDomain -Identity $ThisOU -ProtectedFromAccidentalDeletion $True
    # Read the attribute back so the report shows the stored value, not the intended one
    $ProtStatus = Get-ADOrganizationalUnit -Server $ThisDomain -Identity $ThisOU -Properties ProtectedFromAccidentalDeletion
    $ProtOrNot = "No"
    If ($ProtStatus.ProtectedFromAccidentalDeletion -eq $True)
    {
        $ProtOrNot = "Yes"
    }
    $ThisStr = $ThisOU.DistinguishedName + "," + $ProtOrNot
    Add-Content $OUProtectReport $ThisStr
}
Write-Host "Protection Settings have been modified on the Organizational Units. Please check C:\Temp\OUProtectionReport.CSV"


Once the above script has been executed successfully, a report file named OUProtectionReport.CSV will be created under the "C:\Temp" folder. The report includes each organizational unit's distinguished name and its protection setting status, as shown in the screenshot below:

[Screenshot: protection setting report]

The PowerShell script above connects to the Active Directory domain specified in the "$ThisDomain" variable. If you wish to enable the protection setting for all organizational units in a different Active Directory domain, modify the "$ThisDomain" variable to name that Active Directory domain.
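The following is an added example, not the article's own script, that merges the check and the fix above into one audit-and-enforce script: it reads every organizational unit in the domain given by -Server, changes only the unprotected ones and only when -Enforce is passed (honouring -WhatIf), re-reads each changed OU so the report reflects what the directory actually stores, and exports a proper CSV with Export-Csv instead of hand-built lines. The parameter names $Server, $ReportPath and $Enforce are this example's own; it assumes the ActiveDirectory module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original article): audit, and optionally enforce,
# ProtectedFromAccidentalDeletion on every OU in one domain, then report before/after state.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Server     = (Get-ADDomain).DNSRoot,              # domain to query; defaults to the local one
    [string]$ReportPath = 'C:\Temp\OUProtectionReport.csv',    # assumed report location
    [switch]$Enforce                                            # without -Enforce the script only reports
)

# -Filter * is mandatory; ask only for the attribute we need instead of -Properties *
$ous = Get-ADOrganizationalUnit -Server $Server -Filter * -Properties ProtectedFromAccidentalDeletion

$report = foreach ($ou in $ous) {
    $before = [bool]$ou.ProtectedFromAccidentalDeletion
    $after  = $before
    if (-not $before -and $Enforce -and
        $PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
        Set-ADOrganizationalUnit -Server $Server -Identity $ou -ProtectedFromAccidentalDeletion $true
        # Re-read instead of trusting the write, so the report shows the stored value
        $after = [bool](Get-ADOrganizationalUnit -Server $Server -Identity $ou `
                    -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
    }
    [pscustomobject]@{
        DistinguishedName = $ou.DistinguishedName
        ProtectedBefore   = $before
        ProtectedAfter    = $after
        Changed           = ($before -ne $after)
    }
}

# Export-Csv quotes and escapes values, so commas in OU names cannot break the file
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

$stillUnprotected = @($report | Where-Object { -not $_.ProtectedAfter }).Count
Write-Host "$(@($report).Count) OUs checked in $Server; $stillUnprotected still unprotected. Report: $ReportPath"
```

Run it once without -Enforce to see which OUs would change, then with -Enforce -WhatIf to preview the writes, and finally with -Enforce to apply them.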

Your insurance policy against accidental deletion

All organizational units must be protected from accidental deletion. You might have designed a procedure to be followed by the IT teams before creating an organizational unit in the production environment, but they might have forgotten to configure the protection setting for the organizational unit. The above script can help you configure the protection setting for all organizational units in the Active Directory domain specified in the "$ThisDomain" variable.


4 thoughts on “Avoid accidental deletion: Enabling protection setting for organizational units using PowerShell”

  1. Hi thanks for this awesome information. I am running the command below but I am getting the filter prompt?

    PS C:\Windows\system32> $OUProtectReport = “C:\Temp\OUProtectionReport.CSV”
    PS C:\Windows\system32> Remove-item $OUPRotectReport -ErrorAction SilentlyContinue
    PS C:\Windows\system32> $ThisDomain = “ourdomain.local”
    PS C:\Windows\system32> $ThisStr = “OU Protection Setting Status in Active Directory Domain:”+$ThisDomain
    PS C:\Windows\system32> Add-Content $OUProtectReport $ThisSTR
    PS C:\Windows\system32> $ThisSTR = “OU Name, Is Protection Enabled?”
    PS C:\Windows\system32> Add-Content $OUProtectReport $ThisSTR
    PS C:\Windows\system32> $AllOUs = Get-ADOrganizationalUnit –Property Identity

    cmdlet Get-ADOrganizationalUnit at command pipeline position 1
    Supply values for the following parameters:
    (Type !? for Help.)
    Filter:

    What value should I enter?

    Thanks!

  2. What schema change would we need to make in order to default all new objects to have the protect object checkbox enabled? (by default all new objects)

  3. Hi Michael – I am not sure if there is a way to make modifications at Schema level to apply default setting to all new organizational units, but what you can do is create an operational procedure that lists the items to be checked including enabling protection settings for new organizational units.

    Hope this helps.

    Thanks,
    Nirmal

  4. PRASHANT NAGARAJ

    We can achieve this easily with:

    Check:
    > Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft DistinguishedName

    Protect:
    > Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
