Sometimes when you want to clean up Active Directory by deleting or moving Organizational Units you get Access Denied error.
For a Domain Admin this is quite unusual message. This is related to security option Protect object from accidental deletion.
While you can simply uncheck it, press ok and move one OU it gets much harder if you've lots and lots of OU's to clean.
Fortunately one can always look for powershell solution to fix this.
Import-Module activedirectory
# Path to search in for OU's
$searchbase = "OU=Users,OU=Accounts,OU=Production,DC=test,DC=pl"
# Get all the OU's that are protected
$protectedOrganizationalUnits = Get-ADOrganizationalUnit -searchbase $searchbase -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true}
# Display OU's that are protected
$protectedOrganizationalUnits | Select DistinguishedName, ProtectedFromAccidentalDeletion, Name
# Disable protection
#$protectedOrganizationalUnits | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
And that's it. Keep in mind the last line of script is disabled so that if you copy paste you have to remove # to make sure it works as required. I usually tend to display things first and uncomment later just to make sure the output is what I expected.
Active Directory replication is a critical process that ensures the consistent and up-to-date state of…
Hey there! Today, I wanted to introduce you to one of the small but excellent…
Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…
In today's digital age, the ability to create compelling and informative HTML reports and documents…
As part of my daily development, I create lots of code that I subsequently comment…
Today I saw an article from Christian Ritter, "PowerShell: Creating an "empty" PSCustomObject" on X…