In this post, I will show you how to find the list of Organizational Units (OUs) in Active Directory that have protection enabled, using PowerShell.
Active Directory now has built-in protection for Organizational Units to prevent accidental deletions. This helps prevent unnecessary loss of data and saves the time that one would need to spend recovering the deleted data after such incidents.
We can determine whether an OU has protection enabled by looking at its properties in ADUC (Active Directory Users and Computers). We can check this from PowerShell as well, using the Get-ADOrganizationalUnit cmdlet in the ActiveDirectory module.
The Get-ADOrganizationalUnit cmdlet by default returns all OUs in the current Active Directory domain. However, it returns only a default set of properties, not every attribute of each OU. This is by design of the ActiveDirectory module provided by Microsoft. If we need additional attributes, we need to use the -Properties parameter. Look at the examples below.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter *

Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter * -Properties *
Using this approach, we can query the value of the ProtectedFromAccidentalDeletion property of each OU object, which indicates the status of protection. If its value is $true, then the OU has protection enabled; otherwise it does not.
Now let us see how we can query the list of OUs that have protection enabled.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter * -Properties * | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $true} | Select-Object Name
If you know the DistinguishedName of the Organizational Unit, then you can query it directly to see if the protection is enabled.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Identity "OU=US,DC=techibee,DC=com" -Properties * | Select-Object ProtectedFromAccidentalDeletion
Similarly we can query by OU name as well.
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -LDAPFilter "(Name=US)" -Properties * | Select-Object ProtectedFromAccidentalDeletion
If you are worried about the performance of the cmdlets, I recommend passing the required property names to the -Properties parameter instead of *. That will make your queries faster.
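As an added example (not part of the original post), the function below applies that advice: it requests only ProtectedFromAccidentalDeletion and reports the OUs that are not protected, which is usually the list an administrator wants to act on. The function name Get-OUProtectionReport and the optional -SearchBase scoping are assumptions made for this illustration.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# and read access to the domain. Get-OUProtectionReport is a hypothetical name.
Import-Module ActiveDirectory

function Get-OUProtectionReport {
    [CmdletBinding()]
    param(
        # Optional DN that limits the search, e.g. "OU=US,DC=techibee,DC=com"
        [string]$SearchBase
    )

    $params = @{
        Filter     = '*'
        # Request only the one extra property we need instead of -Properties *
        Properties = 'ProtectedFromAccidentalDeletion'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADOrganizationalUnit @params |
        Select-Object Name, DistinguishedName,
            @{ Name = 'Protected'; Expression = { [bool]$_.ProtectedFromAccidentalDeletion } } |
        Sort-Object Protected, DistinguishedName   # unprotected OUs sort first
}

# Wrap in @() so .Count is reliable even when zero or one OU is returned
$report      = @(Get-OUProtectionReport)
$unprotected = @($report | Where-Object { -not $_.Protected })

# OUs that still need protection enabled
$unprotected | Format-Table Name, DistinguishedName -AutoSize

"{0} of {1} OUs are not protected from accidental deletion" -f $unprotected.Count, $report.Count
```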