
I'm sure there has got to be an easier way than what I hand-jammed....

I'm trying to write and run a PowerShell script that will set the ProtectedFromAccidentalDeletion flag to "true" recursively on all OUs, objects, sub-OUs and their objects. Basically, I want every "thing" and every "container of things" within a given OU to be protected against accidental deletion (and all that entails), but the script I've been developing still has me writing a separate line for each OU, each sub-OU, each OU's objects, etc. The script is now tens of lines long and I feel like I'm defeating the purpose of saving time by writing the script at all.

I've been using the following schema for OUs:

Get-ADOrganizationalUnit -Filter * -SearchBase "ou=OU,ou=rootOU,dc=domain,dc=com" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

and this one for objects:

Get-ADObject -Filter * -SearchBase "ou=OU,ou=rootOU,dc=aemea,dc=kao,dc=com" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Those work fine for the specific OU or objects I'm targeting, but I want to set this value for every object and OU underneath the OU I target.

Thanks in advance for the advice and help, folks!

ShadowFox

1 Answer

  1. Seems to be overkill; might have spent too much time on it already
  2. I think it's a bad idea
  3. The AD Recycle Bin exists to quickly undelete objects.
  4. I think there was probably some logic to not having this be the default on all objects -- and only on container objects.

Try an LDAP filter; include all of the other objectClasses you need.

Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=User)(objectClass=Computer))'

Or you can go hog wild:

Get-ADObject -LDAPFilter '(objectClass=*)'

I really wouldn't do that - unknown consequences of modifying the ACL on every object in AD (which is essentially what the "protect from deletion" is)

Semicolon
  • I agree that it's not a best practice, but as with many things, this task comes from higher pay grades. Where in my script would I need to insert the code you listed? And would I need to remove anything? – ShadowFox Mar 18 '21 at 17:07
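
One way to combine the answer's LDAP filter with the question's `-SearchBase` into a single recursive pass, as an added example that is not code from either poster. The function name `Set-SubtreeDeletionProtection` and the distinguished name in the call are hypothetical; the cmdlets and parameters are those of the ActiveDirectory module.

```powershell
#Requires -Modules ActiveDirectory

function Set-SubtreeDeletionProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Distinguished name of the OU to start from (placeholder in the call below).
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,

        # Object classes to protect; the defaults are the three named in the answer's filter.
        [string[]]$ObjectClass = @('organizationalUnit', 'user', 'computer')
    )

    # Build an OR filter such as (|(objectClass=organizationalUnit)(objectClass=user)...).
    $clauses = $ObjectClass | ForEach-Object { "(objectClass=$_)" }
    $ldapFilter = '(|' + ($clauses -join '') + ')'

    # Subtree scope covers the base OU, every sub-OU and everything inside them.
    $objects = Get-ADObject -LDAPFilter $ldapFilter -SearchBase $SearchBase `
        -SearchScope Subtree -Properties ProtectedFromAccidentalDeletion

    foreach ($obj in $objects) {
        # Already protected: skip the write so no ACL is touched needlessly.
        if ($obj.ProtectedFromAccidentalDeletion) { continue }

        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Enable ProtectedFromAccidentalDeletion')) {
            try {
                Set-ADObject -Identity $obj.DistinguishedName `
                    -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
                $status = 'Protected'
            } catch {
                # Record the failure (for example, insufficient rights) and keep going.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        # One record per object that was not yet protected, for review or export.
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            Status            = $status
        }
    }
}

# Preview first; remove -WhatIf to apply. The DN is a placeholder, not a real OU.
Set-SubtreeDeletionProtection -SearchBase 'OU=ExampleOU,DC=example,DC=com' -WhatIf
```

Piping the output to `Export-Csv` keeps a record of which objects had their ACLs changed, which helps if the change needs to be reviewed or reversed later.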