
I'm writing a PowerShell script to set the ProtectFromAccidentalDeletion flag to "true" recursively on all OUs, objects, sub-OUs and their objects.

I need every object and "container of objects" within an OU protected against accidental deletion (and all that entails).

The script has a separate line for each OU, each sub-OU, each OU's objects, etc. It is quite long and I feel like I'm defeating the purpose of saving time by writing the script at all.

I use the following command for OUs:

Get-ADOrganizationalUnit -Filter * -SearchBase "ou=OU,ou=rootOU,dc=domain,dc=com" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

and this for objects:

Get-ADObject -Filter * -SearchBase "ou=OU,ou=rootOU,dc=aemea,dc=kao,dc=com" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Those work fine for the specific OU or objects I'm targeting, but how can I set this value for every object and OU underneath the OU I target?

Thanks in advance for the advice and help, folks!

  • Would just need to add -SearchScope Subtree to your Get-ADObject command and it will go through all sub-objects. Commented Feb 19 at 20:01

2 Answers

  1. Seems to be overkill; might have spent too much time on it already
  2. I think it's a bad idea.
  3. The AD Recycle Bin exists to quickly undelete objects.
  4. I think there was probably some logic to not having this be the default on all objects -- and only on container objects.

Try an LDAP filter; include all of the other objectClasses you need.

Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=User)(objectClass=Computer))' 

Or you can go hog wild:

Get-ADObject -LDAPFilter '(objectClass=*)' 

I really wouldn't do that - unknown consequences of modifying the ACL on every object in AD (which is essentially what "protect from deletion" is).

  • I agree that it's not a best practice, but as with many things, this task comes from higher pay grades. Where in my script would I need to insert the code you listed? And would I need to remove anything? Commented Mar 18, 2021 at 17:07
  • There is absolutely nothing wrong with setting this. Your post has zero actual reasons why this might be bad. Commented Oct 7 at 13:33

Documentation about Get-ADOrganizationalUnit states that it does not do a full search over the nested OUs. The best it can do is to search 2 levels below:

-SearchScope Specifies the scope of an Active Directory search. The acceptable values for this parameter are:

  • Base or 0
  • OneLevel or 1
  • Subtree or 2

A Base query searches only the current path or object.

A OneLevel query searches the immediate children of that path or object.

A Subtree query searches the current path or object and all children of that path or object.

So I would rely on recursion here:

function Set-ProtectedFromAccidentalDeletionRecursive {
    param (
        [string]$SearchBase
    )
    # OneLevel returns only the immediate child OUs. The default scope (Subtree)
    # would also return $SearchBase itself, so the recursion would never terminate.
    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope OneLevel
    foreach ($ou in $ous) {
        # Set protection on this OU
        Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true -WhatIf
        # Recursively process child OUs
        Set-ProtectedFromAccidentalDeletionRecursive -SearchBase $ou.DistinguishedName
    }
}

$rootOU = "ou=OU,ou=rootOU,dc=domain,dc=com"
Set-ProtectedFromAccidentalDeletionRecursive -SearchBase $rootOU

P.S. I don't have where to test for now, so added -WhatIf to Set-ADOrganizationalUnit so you can see results without changing anything.

2
  • "it does not do full search over the nested OUs. The best it can do is to search 2 levels below" - that is not accurate. SearchScope is an enum. The values of the enum are 0, 1, and 2. Subtree is not limited to anything. Commented Sep 24 at 6:22
  • The documentation says the opposite: "A Subtree query searches the current path or object and all children of that path or object." All children. Commented Oct 7 at 13:31
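As an added example (not code from the question or from either answer), the same task done with the single -SearchScope Subtree query suggested in the comments rather than per-OU lines or recursion. It assumes the ActiveDirectory module, an account allowed to write the objects' security descriptors, and the placeholder DN from the question; the function names Set-SubtreeProtection and Get-UnprotectedObjects are chosen here.

```powershell
Import-Module ActiveDirectory

function Set-SubtreeProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)][string]$SearchBase,
        # Only these classes are touched; Set-ADObject would accept any class.
        [string[]]$ObjectClass = @('organizationalUnit', 'container', 'user', 'computer', 'group')
    )

    # Subtree returns the base object itself plus every descendant at any depth,
    # so no recursion is needed. Reading the current flag lets the script skip
    # objects that are already protected and report only what would change.
    $objects = Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                            -Properties ProtectedFromAccidentalDeletion

    $changed = 0
    foreach ($obj in $objects) {
        if ($ObjectClass -notcontains $obj.ObjectClass) { continue }
        if ($obj.ProtectedFromAccidentalDeletion) { continue }

        # ShouldProcess honours -WhatIf / -Confirm given to this function, so a
        # dry run lists the DNs before any deny-delete ACE is written.
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $true
            $changed++
        }
    }
    Write-Verbose ("Scanned {0} objects, protected {1}" -f @($objects).Count, $changed)
}

# Read-only audit: anything under the OU that is still unprotected.
function Get-UnprotectedObjects {
    param ([Parameter(Mandatory = $true)][string]$SearchBase)
    Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                 -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object DistinguishedName, ObjectClass
}

$RootOU = 'ou=OU,ou=rootOU,dc=domain,dc=com'   # placeholder DN from the question
Set-SubtreeProtection -SearchBase $RootOU -WhatIf -Verbose   # dry run first
# Set-SubtreeProtection -SearchBase $RootOU -Verbose          # apply for real
Get-UnprotectedObjects -SearchBase $RootOU                    # verify afterwards
```

Run the dry run and the audit first; the flag is an ACL change (a deny ACE for Delete and Delete Subtree), so the audit output is also what to compare against after a change window.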
