Protect resources from accidental deletion

Today I want to share with you my script which will help protect resources from accidental deletion.

First, the script gathers all domains in the Active Directory forest.
Next, the OU and DNS zone objects that are unprotected are pulled out.
The final step is setting the ProtectedFromAccidentalDeletion flag to $True for those objects.

And this is how you should protect resources from accidental deletion. 🙂

Script:

Import-Module ActiveDirectory
$Domains = (Get-ADForest).Domains

foreach($Domain in $Domains)
{
    # Clear the result lists so a failed search cannot reuse the previous domain's objects
    $UnprotectedOUs = $null
    $UnprotectedDNSZones = $null

    Try
    {
        # -ErrorAction Stop turns search errors into terminating errors so Catch sees them
        $UnprotectedOUs = (Get-ADObject -Filter 'ObjectClass -like "organizationalUnit"' -SearchScope Subtree -Server $Domain -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False}).DistinguishedName
    }
    Catch
    {
        Write-Error "Unexpected error occurred during OUs searching. Error: $($_.Exception.Message)"
    }
    
    Try
    {
        $UnprotectedDNSZones = (Get-ADObject -Filter 'ObjectClass -like "dnsZone"' -SearchScope Subtree -Server $Domain -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False}).DistinguishedName
    }
    Catch
    {
        Write-Error "Unexpected error occurred during DNS zones searching. Error: $($_.Exception.Message)"
    }

    # Reset the progress counter for every loop; -PercentComplete must stay between 0 and 100
    $i = 0
    $OUCounter = $UnprotectedOUs.Count
    Foreach($OU in $UnprotectedOUs)
    {
        Write-Progress -Activity "Protecting OUs in $Domain domain" -PercentComplete (($i/$OUCounter) * 100) -Status "Percent processed:"
        Try
        {
            $i++
            Set-ADObject -Identity $OU -ProtectedFromAccidentalDeletion $true -Server $Domain -ErrorAction Stop
            Write-Host "$Domain : OU $OU done"
        }
        Catch
        {
            Write-Error "Unexpected error occurred during OU $OU modification. Error: $($_.Exception.Message)"
        }
        
    }

    $i = 0
    $DNSZoneCounter = $UnprotectedDNSZones.Count
    Foreach($DNSZone in $UnprotectedDNSZones)
    {
        Write-Progress -Activity "Protecting DNS zones in $Domain domain" -PercentComplete (($i/$DNSZoneCounter) * 100) -Status "Percent processed:"
        Try
        {
            $i++
            Set-ADObject -Identity $DNSZone -ProtectedFromAccidentalDeletion $true -Server $Domain -ErrorAction Stop
            Write-Host "$Domain : DNS zone $DNSZone done"
        }
        Catch
        {
            Write-Error "Unexpected error occurred during DNS zone $DNSZone modification. Error: $($_.Exception.Message)"
        }
        
    }
}
Write-Host "Script finished!"
Pause

Because the script scans the whole Active Directory forest for unprotected objects, it needs to be run with an account that has Enterprise Admin privileges.
If this is not possible, the $Domains variable in the second line of the script should contain only the domains to which your account has proper permissions.
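
Before making a forest-wide change with a highly privileged account, it helps to see what would be touched. The following is an added example, not part of the original script: it runs the same search in report-only mode, saves the list of unprotected objects as a change record, and previews the modification with -WhatIf. The function name Get-UnprotectedObject and the CSV file name are assumptions made for this example.

```powershell
# Added example: report-only pass using the same query as the script above.
# Get-UnprotectedObject is a hypothetical helper; the CSV path is a placeholder.
Import-Module ActiveDirectory

function Get-UnprotectedObject {
    param(
        # Limit this list if the account lacks rights in some domains
        [string[]]$Domain = (Get-ADForest).Domains,
        [string[]]$ObjectClass = @('organizationalUnit', 'dnsZone')
    )
    foreach ($d in $Domain) {
        foreach ($class in $ObjectClass) {
            try {
                Get-ADObject -Filter "ObjectClass -eq '$class'" -SearchScope Subtree -Server $d `
                    -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop |
                    Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Domain            = $d
                            ObjectClass       = $class
                            DistinguishedName = $_.DistinguishedName
                        }
                    }
            }
            catch {
                # A failed search is reported and skipped; other domains are still scanned
                Write-Warning "Search for $class objects in $d failed: $($_.Exception.Message)"
            }
        }
    }
}

# 1. Inventory: nothing is modified here.
$report = @(Get-UnprotectedObject)
$report | Group-Object Domain, ObjectClass | Select-Object Count, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\unprotected-objects.csv -NoTypeInformation

# 2. Preview: -WhatIf prints each change Set-ADObject would make without applying it.
foreach ($item in $report) {
    Set-ADObject -Identity $item.DistinguishedName -ProtectedFromAccidentalDeletion $true `
        -Server $item.Domain -WhatIf
}

# 3. After the real run, the same inventory should come back empty.
# if (@(Get-UnprotectedObject).Count -eq 0) { 'All OUs and DNS zones are protected.' }
```

Pass -Domain with a subset of domain names to scope the report to the domains your account can read.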

I hope it will be useful for some of you 😉
Enjoy!
