Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

Remove Protect Object setting from Organizational Unit via PowerShell

Sometimes, when you want to clean up Active Directory by deleting or moving Organizational Units, you get an Access Denied error.

For a Domain Admin this is quite an unusual message. It is caused by the security option "Protect object from accidental deletion".

While you can simply uncheck it, press OK and move a single OU, it gets much harder if you have lots and lots of OUs to clean up.

Solution

Fortunately, one can always look for a PowerShell solution to fix this.

Import-Module activedirectory 

# Path to search in for OU's
$searchbase = "OU=Users,OU=Accounts,OU=Production,DC=test,DC=pl"

# Get all the OU's that are protected
$protectedOrganizationalUnits = Get-ADOrganizationalUnit -SearchBase $searchbase -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $true }

# Display OU's that are protected
$protectedOrganizationalUnits | Select-Object DistinguishedName, ProtectedFromAccidentalDeletion, Name

# Disable protection
#$protectedOrganizationalUnits | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

And that's it. Keep in mind that the last line of the script is commented out, so if you copy and paste it you have to remove the # for it to work as required. I usually tend to display things first and uncomment later, just to make sure the output is what I expected.
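The same display-first approach can be made repeatable and reversible. The following is an added example, not code from the original post: it records which OUs had protection removed so the flag can be put back once the cleanup is done. The function names `Disable-OUProtection` and `Restore-OUProtection` and the CSV path are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: remove protection from OUs under $SearchBase and record them in a CSV.
function Disable-OUProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $BackupPath
    )
    $protected = @(Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion })
    if ($protected.Count -eq 0) { return }

    # ObjectGUID is recorded because the DistinguishedName changes when an OU is moved.
    # With -WhatIf, Export-Csv is skipped as well, so a dry run writes nothing.
    $protected | Select-Object ObjectGUID, DistinguishedName |
        Export-Csv -Path $BackupPath -NoTypeInformation -Encoding UTF8

    foreach ($ou in $protected) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Disable accidental-deletion protection')) {
            Set-ADOrganizationalUnit -Identity $ou.ObjectGUID -ProtectedFromAccidentalDeletion $false
        }
    }
}

# Hypothetical helper: re-enable protection on every recorded OU that still exists.
function Restore-OUProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $BackupPath)

    foreach ($row in Import-Csv -Path $BackupPath) {
        try {
            $ou = Get-ADOrganizationalUnit -Identity $row.ObjectGUID -ErrorAction Stop
        } catch {
            # OUs deleted during the cleanup can no longer be found; skip them.
            Write-Warning "Skipping $($row.DistinguishedName): OU no longer exists."
            continue
        }
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable accidental-deletion protection')) {
            Set-ADOrganizationalUnit -Identity $ou.ObjectGUID -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Dry run first, then the real change, then restore after the cleanup (paths are examples):
# Disable-OUProtection -SearchBase "OU=Users,OU=Accounts,OU=Production,DC=test,DC=pl" -BackupPath .\unprotected-ous.csv -WhatIf
# Disable-OUProtection -SearchBase "OU=Users,OU=Accounts,OU=Production,DC=test,DC=pl" -BackupPath .\unprotected-ous.csv
# Restore-OUProtection -BackupPath .\unprotected-ous.csv
```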
