Protect OUs from Accidental Deletion


The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) checks that every OU has the Protect Against Accidental Deletion flag set. If any OU does not, the result is reported at the Warning severity level.


If you received this warning and didn't just ignore it, you likely opened Active Directory Users and Computers, expanded your OU hierarchy, sat back and sighed at what in some organizations can amount to hundreds of OUs.

Enter the quick fix.

To see how many unprotected OUs you have in your Active Directory domain, run:
PS> $UnprotectedOU = Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties ProtectedFromAccidentalDeletion | Where {$_.ProtectedFromAccidentalDeletion -eq $False}
PS> $UnprotectedOU.Count
3

To set the Protected From Accidental Deletion flag on every OU in your domain that lacks it, execute the following:
PS> Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties ProtectedFromAccidentalDeletion | Where {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True
If you would prefer to unprotect all of your OUs instead, just swap the $True and $False values in the command above.

Now when we run the original command again, we see that all OUs are protected:

PS> $UnprotectedOU = Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties ProtectedFromAccidentalDeletion | Where {$_.ProtectedFromAccidentalDeletion -eq $False}
PS> $UnprotectedOU.Count
0

You can now re-run AD DS BPA.
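The find, fix and verify steps above can be wrapped in one function that reports which OUs it touched and supports -WhatIf, so the change can be previewed and logged before it is made. This is an added example, not the post's own code; it assumes the ActiveDirectory RSAT module is installed, and the function name and the example search base are made up for illustration.

```powershell
# Added example: audit OUs that lack ProtectedFromAccidentalDeletion and
# optionally set the flag, emitting one record per OU for reporting.
function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional subtree to limit the audit, e.g. 'OU=Corp,DC=example,DC=com'
        # (hypothetical value; omit to cover the whole domain)
        [string]$SearchBase,
        # Without -Fix the function only reports, it changes nothing
        [switch]$Fix
    )

    $query = @{
        Filter     = 'Name -like "*"'
        Properties = 'ProtectedFromAccidentalDeletion'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    $unprotected = Get-ADOrganizationalUnit @query |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    Write-Verbose ("{0} unprotected OU(s) found" -f @($unprotected).Count)

    foreach ($ou in $unprotected) {
        $changed = $false
        # ShouldProcess honours -WhatIf / -Confirm passed to this function
        if ($Fix -and $PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
            $changed = $true
        }
        # One record per unprotected OU, whether or not it was changed
        [pscustomobject]@{
            DistinguishedName = $ou.DistinguishedName
            Changed           = $changed
        }
    }
}

# Report only:
Protect-UnprotectedOU | Format-Table -AutoSize
# Preview the change without making it:
Protect-UnprotectedOU -Fix -WhatIf
# Remediate and keep a record of which OUs were changed:
Protect-UnprotectedOU -Fix -Verbose | Export-Csv .\ou-protection-changes.csv -NoTypeInformation
```

The flag works by adding Deny ACEs for Everyone on Delete and Delete Subtree to the OU, so it guards against mistakes rather than against anyone who can edit the OU's ACL; re-running the report (or the BPA) periodically catches OUs that were created or unprotected later.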
