One-Liner: Active Directory Protected Objects

This week I was asked how to get a list of Active Directory protected objects with PowerShell. "Protected" here means objects whose systemFlags attribute carries the FLAG_DISALLOW_DELETE bit (0x80000000): the directory sets it on objects it needs to stay healthy (well-known containers, built-in groups, the default Group Policy objects, and so on), and it is enforced by the DSA itself rather than by an ACL. That is a different mechanism from the "Protect object from accidental deletion" checkbox in the management tools, which only adds a deny-Delete ACE that any sufficiently privileged admin can remove.

The easiest way I could think of is to use Get-ADObject with an LDAP filter that applies the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803, LDAP_MATCHING_RULE_BIT_AND) to systemFlags and tests for 2147483648, the decimal value of 0x80000000.

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))"

Here's some output. Notice that high-privilege groups like 'Account Operators' and 'Backup Operators' are included. We also have the Group Policy containers holding the Default Domain Policy and the Default Domain Controllers Policy (top two entries), which are named by their well-known GUIDs, {31B2F340-016D-11D2-945F-00C04FB984F9} and {6AC1786C-016F-11D2-945F-00C04fB984F9} respectively.


Without -SearchBase, Get-ADObject only searches the domain naming context of the domain controller it is talking to. The command can be executed against each of the other naming contexts by pointing -SearchBase at the head of that partition.

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" -SearchBase "CN=Configuration,DC=fabrikam,DC=com"

And so on for the DNS application partitions. Note that these are separate naming contexts with DC= (not CN=) relative distinguished names, and a subtree search does not cross a naming-context boundary, so each one has to be searched on its own. The same applies to the schema partition, CN=Schema,CN=Configuration,DC=fabrikam,DC=com, which is not returned by the Configuration search above.

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" -SearchBase "DC=ForestDnsZones,DC=fabrikam,DC=com"

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" -SearchBase "DC=DomainDnsZones,DC=fabrikam,DC=com"
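Rather than typing the naming contexts by hand, the same query can be driven from the list the domain controller advertises in RootDSE, and the raw systemFlags value can be decoded so you can see which move/rename/delete restrictions each protected object carries. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module is installed and a domain controller for the current domain is reachable, and the flag names and bit values come from the systemFlags definition in MS-ADTS.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and a reachable domain controller for the current domain.
Import-Module ActiveDirectory

# The bits of systemFlags that govern move/rename/delete, per MS-ADTS 2.2.10.
# Keys are decimal so they parse the same in Windows PowerShell and PowerShell 7.
$SystemFlagNames = [ordered]@{
    2147483648 = 'FLAG_DISALLOW_DELETE'            # 0x80000000, the bit the one-liner tests
    1073741824 = 'FLAG_CONFIG_ALLOW_RENAME'        # 0x40000000
    536870912  = 'FLAG_CONFIG_ALLOW_MOVE'          # 0x20000000
    268435456  = 'FLAG_CONFIG_ALLOW_LIMITED_MOVE'  # 0x10000000
    134217728  = 'FLAG_DOMAIN_DISALLOW_RENAME'     # 0x08000000
    67108864   = 'FLAG_DOMAIN_DISALLOW_MOVE'       # 0x04000000
    33554432   = 'FLAG_DISALLOW_MOVE_ON_DELETE'    # 0x02000000
}

function ConvertTo-SystemFlagNames {
    # systemFlags is stored as a signed 32-bit integer, so objects with the
    # delete-protection bit set come back negative (e.g. -1946157056).
    # Reinterpret it as unsigned before testing the bits.
    param([int]$Flags)
    $Unsigned = ([int64]$Flags) -band 4294967295
    $Names = foreach ($Entry in $SystemFlagNames.GetEnumerator()) {
        if ($Unsigned -band [int64]$Entry.Key) { $Entry.Value }
    }
    if ($Names) { $Names -join ',' } else { '' }
}

# Same filter as the one-liner: bitwise-AND matching rule against 0x80000000.
$Filter = '(&(objectCategory=*)(systemFlags:1.2.840.113556.1.4.803:=2147483648))'

# RootDSE lists every partition this DC holds: domain, Configuration, Schema
# and any application partitions such as DomainDnsZones/ForestDnsZones.
# A subtree search never crosses a naming-context boundary, so each one is
# queried separately.
$RootDse = Get-ADRootDSE
$Results = foreach ($Nc in $RootDse.namingContexts) {
    Get-ADObject -LDAPFilter $Filter -SearchBase $Nc -SearchScope Subtree -Properties systemFlags |
        ForEach-Object {
            [pscustomobject]@{
                NamingContext     = $Nc
                Name              = $_.Name
                ObjectClass       = $_.ObjectClass
                SystemFlags       = '0x{0:X8}' -f ([int]$_.systemFlags)
                Restrictions      = ConvertTo-SystemFlagNames -Flags $_.systemFlags
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$Results | Sort-Object NamingContext, DistinguishedName | Format-Table -AutoSize
```

On the well-known built-in groups such as 'Account Operators' expect a SystemFlags value of 0x8C000000, which decodes to FLAG_DISALLOW_DELETE, FLAG_DOMAIN_DISALLOW_RENAME and FLAG_DOMAIN_DISALLOW_MOVE: the object cannot be deleted, renamed or moved regardless of its ACL. Because the script asks the DC which partitions it holds, it only queries application partitions that actually exist on that DC, so a domain controller that is not a DNS server simply will not list the DNS zones partitions.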


Short and sweet this week!