A new tick box was added to Active Directory Users and Computers with Windows Server 2008: the ability to block the deletion of an object even if the user has admin rights to that object. Looking behind the scenes, what that tick box actually does is add a Deny permission to the ACL of the object for you.
Without the AD management pack, when trying to script this to ensure all OUs are protected, you cannot check for this tick box. You have to enumerate the permissions and verify that all of them (yes, there is more than one permission added) exist. Consequently, to 'tick' the box by script, you have to add all of the permissions, which can be complicated. I have managed to do this, but it got too deeply involved in .NET to be a simple solution.
With the advent of the AD management pack for PowerShell, though, life is made quite a lot simpler. The following (one-liner!) will do the job for you:
Get-ADOrganizationalUnit -Filter * -SearchBase (Get-ADRootDSE).defaultNamingContext -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
So, to break it down:
Get-ADOrganizationalUnit -Filter * gets all OUs.
-SearchBase (Get-ADRootDSE).defaultNamingContext uses the Get-ADRootDSE cmdlet to return the default naming context of the domain. The search base for the Get-ADOrganizationalUnit cmdlet is then populated with this value.
-Properties ProtectedFromAccidentalDeletion ensures you return the ProtectedFromAccidentalDeletion attribute, which is not included in the default property set.
| Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} passes the OUs through a Where-Object filter and only accepts those where the setting is false.
| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true passes the filtered set through to enable the setting on each remaining OU.
You might be thinking 'why not set the filter in the first line to ProtectedFromAccidentalDeletion -eq $false rather than passing through to a Where-Object?' The response when trying to do this was:
Get-ADOrganizationalUnit : Searching on extended attribute 'ProtectedFromAccidentalDeletion' is not supported.
Now we can live with the peace of mind that all our OUs cannot be deleted accidentally!
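As an added example (not code from the original post), the script below goes one step further than the one-liner: it reads each OU's actual ACL through the AD: drive that the ActiveDirectory module provides and checks for the Deny ACE the tick box creates (Deny Everyone, SID S-1-1-0, Delete and DeleteTree on the OU itself), then lists any OU where the attribute and the ACL disagree or both are missing. It assumes the RSAT ActiveDirectory module is installed and that you run it as an account with rights to read the ACLs; remediation is the same Set-ADOrganizationalUnit call as above, run with -WhatIf so it only reports until you remove that switch.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module
# (RSAT) and the AD: PSDrive it registers. Run as a delegated admin, -WhatIf first.
Import-Module ActiveDirectory

$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # well-known SID for Everyone
$wanted   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-OUDeleteDeny {
    # Returns $true when the OU carries an explicit Deny ACE for Everyone with both
    # Delete and DeleteTree, i.e. the ACE the "protect from accidental deletion" tick box adds.
    # (The tick box also adds Deny Everyone DeleteChild on the parent; that is not checked here.)
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        ($_.ActiveDirectoryRights -band $wanted) -eq $wanted
    }
    return [bool]$deny
}

# Build one row per OU: what the attribute says versus what the ACL actually contains
$report = Get-ADOrganizationalUnit -Filter * -SearchBase (Get-ADRootDSE).defaultNamingContext `
              -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        [pscustomobject]@{
            OU        = $_.DistinguishedName
            Attribute = [bool]$_.ProtectedFromAccidentalDeletion
            DenyACE   = Test-OUDeleteDeny -DistinguishedName $_.DistinguishedName
        }
    }

# Anything where the attribute and the ACL disagree, or both are false, needs attention
$report | Where-Object { -not ($_.Attribute -and $_.DenyACE) } | Format-Table -AutoSize

# Remediation is the post's own cmdlet; -WhatIf makes this a dry run until you drop it
$report | Where-Object { -not $_.Attribute } | ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_.OU -ProtectedFromAccidentalDeletion $true -WhatIf
}
```

Rows where Attribute is true but DenyACE is false are worth a closer look, since they mean someone edited the ACL directly and the tick box no longer reflects the real protection.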