Protecting Active Directory Objects From Accidental Deletion

IT professionals are often uneasy about delegating Domain Admin or other Active Directory privileges to designated administrators. Accidents can and will happen, and one of the more common ones is the deletion of objects (users, groups, whole OUs) in Active Directory. Active Directory on Windows Server 2012 R2 (the feature has been there since Windows Server 2008) provides a built-in way to protect sensitive items in an organization's AD from accidental deletion.

[Image: Active_Directory_accidental_deletion - object properties dialog, Object tab, with the "Protect object from accidental deletion" checkbox highlighted]

The checkbox highlighted in the image above, "Protect object from accidental deletion", is what does the work. It adds no new mechanism of its own: ticking it writes Deny ACEs for Everyone onto the object (Delete and Delete Subtree) and a Deny "Delete All Child Objects" ACE onto its parent, so a delete attempt fails with "Access is denied" until the box is cleared again, even when the caller is a Domain Admin. Because a move also needs delete rights on the source, a protected object cannot be moved to another OU either, which is worth knowing before enabling it wholesale.

Instead of browsing through multiple property pages to tick this checkbox on each object, the following PowerShell script automates the process (it needs the ActiveDirectory module from RSAT and an account allowed to change the ACL of the objects in question):

$arrOUs = @("Sensitive OU1","Sensitive OU2")   # names of the sensitive OUs, directly under the domain root

$arrOUs | ForEach-Object { Get-ADObject -SearchBase "OU=$_,DC=sub,DC=domain,DC=tld" -Filter 'ObjectClass -eq "group"' | Set-ADObject -ProtectedFromAccidentalDeletion $true }   # groups in each sensitive OU (subtree)

$arrOUs | ForEach-Object { Get-ADObject -SearchBase "OU=$_,DC=sub,DC=domain,DC=tld" -Filter 'ObjectClass -eq "user"' | Set-ADObject -ProtectedFromAccidentalDeletion $true }   # users (and computers) in each sensitive OU

Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true   # every OU in the domain

The first line defines an array with the names of the sensitive OUs; replace DC=sub,DC=domain,DC=tld with your own domain. The second and third lines fetch every object in each sensitive OU (sub-OUs included, since Get-ADObject searches the whole subtree by default) with an ObjectClass of group or user and set the protection flag on them. Note that in the AD schema computer is a subclass of user, so the user query also covers computer accounts. The fourth line protects every OU in the domain. Two caveats: the script only stamps objects that exist when it runs, so it has to be re-run (or scheduled) for objects created later, and once an OU is protected it can be neither deleted nor moved until the flag is cleared again with Set-ADObject -ProtectedFromAccidentalDeletion $false.
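The following is an added example, not code from the original post. It audits which objects under the sensitive OUs are still unprotected, sets the flag with -WhatIf support, verifies the result by reading the Deny ACEs the checkbox actually writes (the point made above), and shows the clear-then-delete sequence needed for an intentional deletion. It assumes the RSAT ActiveDirectory module and an account that may change the objects' ACLs; the function names, the "Sensitive OU1"/"Sensitive OU2" placeholders and the domain DN read from Get-ADDomain are this example's own choices.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and rights to modify the target objects' ACLs. OU names are
# placeholders; the domain DN is read from the domain instead of hard-coded.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$sensitiveOUs = @("Sensitive OU1", "Sensitive OU2")   # placeholder OU names

# Audit: users and groups under the sensitive OUs (subtree) that are still
# deletable. The LDAP class "user" also matches computer objects.
function Get-UnprotectedSensitiveObject {
    param([string[]]$OUNames, [string]$DomainDN)
    foreach ($ou in $OUNames) {
        Get-ADObject -SearchBase "OU=$ou,$DomainDN" -SearchScope Subtree `
            -Filter 'ObjectClass -eq "user" -or ObjectClass -eq "group"' `
            -Properties ProtectedFromAccidentalDeletion |
            Where-Object { -not $_.ProtectedFromAccidentalDeletion }
    }
}

# Set the flag on what the audit found. SupportsShouldProcess gives the
# function -WhatIf and -Confirm so the change can be previewed first.
function Protect-SensitiveObject {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$OUNames, [string]$DomainDN)
    Get-UnprotectedSensitiveObject -OUNames $OUNames -DomainDN $DomainDN |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Protect from accidental deletion')) {
                Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true
            }
        }
}

# Verify: the checkbox is nothing more than Deny ACEs for Everyone on the
# object (Delete, DeleteTree). The matching Deny DeleteChild ACE lives on the
# parent container and is not listed here. Read the ACL through the AD: drive.
function Get-DenyDeleteAce {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::Delete) -or
             $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteTree))
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

# Intentional deletion: the flag has to be cleared first, otherwise
# Remove-ADObject fails with "Access is denied" even for a Domain Admin.
function Remove-ProtectedADObject {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$DistinguishedName)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear protection and delete')) {
        Set-ADObject -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $false
        Remove-ADObject -Identity $DistinguishedName -Confirm:$false
    }
}

# Usage: list what is unprotected, preview the change, apply it, then check
# one OU's ACL to confirm the Deny ACEs are in place.
Get-UnprotectedSensitiveObject -OUNames $sensitiveOUs -DomainDN $domainDN |
    Select-Object ObjectClass, DistinguishedName
Protect-SensitiveObject -OUNames $sensitiveOUs -DomainDN $domainDN -WhatIf
Protect-SensitiveObject -OUNames $sensitiveOUs -DomainDN $domainDN
Get-DenyDeleteAce -DistinguishedName "OU=Sensitive OU1,$domainDN"
```

Run the audit and the -WhatIf pass first; the apply step changes ACLs on every matching object, and Remove-ProtectedADObject is kept as a separate, high-impact function precisely so that clearing the flag is never an incidental side effect of some other script.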