Techibee.com

Find/query protected OUs in Active Directory using Powershell

In this post, I will show you how to find list of Organization Units(OUs) in Active Directory that has protection enabled on them using Powershell

We know that, Active Directory now has built-in protection for Organization Units to prevent accidental deletions. This helps in unnecessary loss of data and saves the time that one need to spend on recovering the deleted data in case of such incidents.

We can determine if an OU has protection enabled or not by looking at the properties of it from ADUC (Active Directory Users and Computers). We can check this from PowerShell as well using the Get- Get-ADOrganizationalUnit cmdlet in ActiveDirectory module.

The Get-ADOrganizationalUnit cmd let by default returns all OUs in current Active Directory Domain. However, it returns only a set of properties not every attribute of that particular OU. This is by design of ActiveDirectory module provided by Microsoft. If you need additional Attributes, we need to use –Properties parameter. Look at the below examples.

Import-Module ActiveDirectory            
Get-ADOrganizationalUnit -Filter *            

Import-Module ActiveDirectory            
Get-ADOrganizationalUnit -Filter * -Properties *

Using this approach, we can query the value of ProtectedFromAccidentalDeletion property of each OU object which indicates the status of protection. If the value of it is $true then the OU has protection enable; otherwise no.

Now let us see how we can query the list of OUs that has protection enabled.

Import-Module ActiveDirectory            
Get-ADOrganizationalUnit -Filter * -Properties * | ? {$_.ProtectedFromAccidentalDeletion -eq $true} | Select Name

If you know the DistinguishedName of the Organization Unit, then you can query that directly to see if the protection is enabled.

Import-Module ActiveDirectory            
Get-ADOrganizationalUnit -Id "OU=US,DC=techibee,DC=com" -Properties * | Select ProtectedFromAccidentalDeletion

Similarly we can query by OU name as well.

Import-Module ActiveDirectory            
Get-ADOrganizationalUnit -LDAPFilter "(Name=US)" -Properties * | Select ProtectedFromAccidentalDeletion

If you are worried about the performance of the cmdlets, I would prefer you pass the required property names to –Properties attribute instead of *. That will make your queries faster.

 

Exit mobile version