Script the Protection of an OU from Accidental Deletion – Windows Server 2003

“Although bulk deletions are rare, they are disruptive events that you can guard against by removing the Delete and the Delete Subtree permissions in Active Directory. To guard against accidental deletions, you should remove the Delete and Delete Subtree permissions on organizational units (OUs) that contain user accounts, computer accounts, and security groups in Active Directory. You should also remove the Delete All Child Objects permission on the parent container of an OU that you want to protect.”

The above is taken from https://technet.microsoft.com/en-us/library/cc773347(WS.10).aspx

The TechNet article then shows you how to modify the access control entries (ACEs) manually through the GUI.  You can find details here.

So, how do you go about this task if you have quite a few OUs?  You need the following from the Windows Server 2003 Support Tools:

  • dsquery
  • dsacls

dsquery will, by default, only return the first 100 results.  You'll need '-limit 0' to process more than 100 objects, in this case OUs.

To protect all OUs in a domain, run the following from a batch file (at an interactive command prompt use a single %i instead of %%i):

 for /F "tokens=*" %%i in ('dsquery OU -limit 0') do dsacls %%i /D "EVERYONE:SDDCDT"

To protect a specific OU and all OUs nested beneath it:

 for /F "tokens=*" %%i in ('dsquery OU "ou=target,dc=domain,dc=net" -limit 0') do dsacls %%i /D "EVERYONE:SDDCDT"

To revert all OUs' ACEs back to the schema default:

 for /F "tokens=*" %%i in ('dsquery OU -limit 0') do dsacls %%i /S
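The three one-liners above are the whole procedure; what is missing for day-to-day use is a way to tell which OUs still lack the deny ACE before and after you run them. The script below is an added example, not code from the original post or from the TechNet article. It wraps the same dsquery and dsacls calls in one batch file with an audit mode, a protect mode and a restore mode, and writes what it did to a log. In the dsacls permission string, SD is Delete, DC is Delete Child and DT is Delete Tree, so "EVERYONE:SDDCDT" with /D denies exactly the three rights the TechNet quote names. The audit check assumes that dsacls prints each ACE on a line beginning with Allow or Deny followed by the trustee name, which is how its output looks on Windows Server 2003; confirm that on one OU before trusting the audit counts. The OU and domain names are placeholders.

```batch
@echo off
setlocal
rem protect-ous.cmd  (added example, not from the original post)
rem Usage: protect-ous.cmd [audit|protect|restore] ["ou=target,dc=domain,dc=net"]
rem   audit   : list OUs in scope that have no Deny ACE for Everyone (default)
rem   protect : deny Delete (SD), Delete Child (DC), Delete Tree (DT) to Everyone
rem   restore : reset each OU in scope to the schema default (dsacls /S)
rem Requires dsquery and dsacls from the Windows Server 2003 Support Tools.
rem The second argument is optional; without it dsquery walks the whole domain.

set "MODE=%~1"
if "%MODE%"=="" set "MODE=audit"
rem keep the caller's quotes around the DN in case it contains spaces
set "BASE=%2"

set "LOG=%TEMP%\ou-protect.log"
>"%LOG%" echo %DATE% %TIME% mode=%MODE% base=%BASE%

set /a TOTAL=0
set /a UNPROTECTED=0

rem dsquery OU prints one quoted distinguished name per line; -limit 0 lifts
rem the default cap of 100 results so large domains are fully covered.
for /F "tokens=*" %%i in ('dsquery OU %BASE% -limit 0') do (
    set /a TOTAL+=1
    if /I "%MODE%"=="protect" (
        dsacls %%i /D "EVERYONE:SDDCDT" >nul && >>"%LOG%" echo protected %%i
    ) else if /I "%MODE%"=="restore" (
        dsacls %%i /S >nul && >>"%LOG%" echo restored %%i
    ) else (
        rem Audit: look for a Deny ACE whose trustee is Everyone. A dsacls
        rem failure (for example no read access) also counts as unprotected,
        rem which errs on the side of flagging the OU for a manual look.
        dsacls %%i | findstr /I /R /C:"^Deny.*Everyone" >nul
        if errorlevel 1 (
            set /a UNPROTECTED+=1
            echo UNPROTECTED %%i
            >>"%LOG%" echo unprotected %%i
        )
    )
)

echo OUs examined: %TOTAL%
if /I "%MODE%"=="audit" echo OUs without a Deny ACE for Everyone: %UNPROTECTED%
echo Log written to %LOG%
endlocal
```

Run it once in audit mode to get a baseline count, then in protect mode, then in audit mode again; the second audit should report zero unprotected OUs. Redirections are written as `>>"%LOG%" echo ...` rather than `echo ... >>"%LOG%"` because a DN that ends in a digit (dc=net2, for instance) would otherwise turn `2>>` into a stderr redirection. The audit only confirms that some Deny ACE for Everyone exists on the OU, not that it carries all three rights, so a partially applied entry still needs a manual dsacls review.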
