All OUs in this domain should be protected from accidental deletion

Best Practice Analyzer on one of our Domain Controllers was reporting: “All OUs in this domain should be protected from accidental deletion.”

Using Active Directory Administrative Center, right-click an OU and select Properties; on the Object tab there is a checkbox, “Protect from accidental deletion”.

Protect From Accidental Deletion


You could also use Active Directory Users and Computers: right-click an OU and select Properties; on the Object tab there is a checkbox, “Protect object from accidental deletion”.

However, if, like me, your AD is complex with lots of OUs, you may want to do this a little bit quicker.

Enter PowerShell!

Using “Active Directory Module for Windows PowerShell”

First check which OUs aren’t protected:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft

Then to protect them:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Then rerun the first command to verify the change has been made; you should get no results.

You could then double check using Active Directory Administrative Center or ADUC.
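
The same check-and-fix as a single function, as an added example that is not part of the original post: it records which OUs were unprotected before changing them, supports -WhatIf for a dry run, and returns any OUs that are still unprotected afterwards. The function name, its parameters and the report file name are assumptions made for this example.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (name and parameters are this example's own).
function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional subtree to limit the change to; defaults to the whole domain.
        [string]$SearchBase,
        # CSV listing the OUs that were unprotected before the change.
        [string]$ReportPath = ".\unprotected-ous-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    $query = @{ Filter = '*'; Properties = 'ProtectedFromAccidentalDeletion' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Same filter as the one-liner: OUs where the flag is explicitly false.
    $unprotected = @(Get-ADOrganizationalUnit @query |
        Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false })

    if ($unprotected.Count -eq 0) {
        Write-Verbose 'All OUs in scope are already protected.'
        return
    }

    # Keep a change record even during a dry run.
    $unprotected | Select-Object Name, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($ou in $unprotected) {
        # With -WhatIf this only prints what would be changed.
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
            try {
                Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
                    -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
            } catch {
                # One failure (e.g. insufficient rights on that OU) should not stop the rest.
                Write-Warning "Failed on $($ou.DistinguishedName): $($_.Exception.Message)"
            }
        }
    }

    # Verification: re-query and return whatever is still unprotected (empty on success).
    Get-ADOrganizationalUnit @query |
        Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } |
        Select-Object Name, DistinguishedName
}

# Dry run first; remove -WhatIf to apply the change.
Protect-UnprotectedOU -WhatIf
```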
