
Powershell Help

Micro_Techie 116 Reputation points
2021-01-27T14:11:11.51+00:00

I am creating a PowerShell script to enable Accidental Deletion protection. The idea is that the script runs automatically as a scheduled task without intervention or input. I have made the scripts below but am getting the errors shown below:

Working Command :

Set-ADOrganizationalUnit -identity "OU=OneMore Organizational Unit,OU=GPO Groups,OU=Resource Groups,OU=TST,OU=08607,OU=place,DC=env,DC=prod,DC=org" -ProtectedFromAccidentalDeletion $True

1st Way Not Working :

$Path= "C:\Users\domad_afrtm045\Desktop\Auto\Output1.txt"
Get-ADOrganizationalUnit -Filter * -Properties *| where {$_.ProtectedFromAccidentalDeletion -eq $false} | Select-Object Canonicalname,DistinguishedName, ProtectedFromAccidentalDeletion, Name | Export-Csv -Path $Path -NoTypeInformation

$file = Get-Content -Path $Path
foreach ($i in $file) {

Set-ADOrganizationalUnit   -ProtectedFromAccidentalDeletion $True

}

Error: Set-ADOrganizationalUnit : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:7 char:31
Set-ADOrganizationalUnit $i.distinguishedName -ProtectedFromAcci ...
~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-ADOrganizationalUnit], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADOrganizationalUnit


2nd way Not Working:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Error : This access control list is not in canonical form and therefore cannot be modified.


3rd Way

$protectedOrganizationalUnits = Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Select-Object distinguishedname | Export-csv C:\Users\domadmin_aror045\Desktop\Auto\Output1.txt
$protectedOrganizationalUnits | Select DistinguishedName, ProtectedFromAccidentalDeletion, Name
$protectedOrganizationalUnits | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Error : This access control list is not in canonical form and therefore cannot be modified.


Kindly suggest the errors or a working script. Thank you in advance for your time and help!


Answer accepted by question author

Andreas Baumgarten 132.3K Reputation points MVP Volunteer Moderator
2021-02-22T22:17:09.573+00:00

Hi @Micro_Techie ,

Here we go with some logging:

$logfile = "C:\Temp\Logfile.log"
# Select OUs that are not yet protected; the Name match limits the run to test OUs
$OUs = Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
    where {$_.ProtectedFromAccidentalDeletion -eq $false -AND $_.Name -match "TestOU"}

# Start a fresh log and list the OUs that will be processed
Out-File -FilePath $logfile -Encoding utf8 -InputObject "OUs found:"
Out-File -FilePath $logfile -Encoding utf8 -InputObject $OUs.DistinguishedName -Append
Out-File -FilePath $logfile -Encoding utf8 -InputObject "`r`nHere we go ...." -Append

foreach ($OU in $OUs)
    {
    $ouDN = $OU.DistinguishedName
    try {
        # -ErrorAction Stop makes every failure terminating so that catch sees it
        Set-ADOrganizationalUnit -Identity "$ouDN" -ProtectedFromAccidentalDeletion $True -ErrorAction Stop
        Out-File -FilePath $logfile -Encoding utf8 -InputObject "Value successfully set on OU: $ouDN" -Append
        }
    catch {
        Out-File -FilePath $logfile -Encoding utf8 -InputObject "Something went wrong while setting value on OU: $ouDN" -Append
        }
    }

Out-File -FilePath $logfile -Encoding utf8 -InputObject "... Done" -Append

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
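
Added example, not part of the thread and not the answerer's code: the "not in canonical form" message is raised when a DACL with a non-standard ACE order is asked to change, so this variant checks `AreAccessRulesCanonical` on each OU and on its parent before setting the flag, and logs the exception text for every failure. The log path is a placeholder, and checking the parent assumes that enabling protection also writes a deny entry there.

```powershell
# Added example. $LogFile is a hypothetical path; adjust before scheduling.
Import-Module ActiveDirectory            # also provides the AD: drive used by Get-Acl
$LogFile = 'C:\Temp\OU-Protection.log'

function Write-Log([string]$Message) {
    "{0}  {1}" -f (Get-Date -Format s), $Message |
        Out-File -FilePath $LogFile -Encoding utf8 -Append
}

function Test-CanonicalDacl([string]$DistinguishedName) {
    # ObjectSecurity.AreAccessRulesCanonical is $false for a DACL whose ACE
    # order .NET refuses to modify (the error quoted in the question).
    (Get-Acl -Path "AD:\$DistinguishedName").AreAccessRulesCanonical
}

$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
Write-Log "Unprotected OUs found: $(@($unprotected).Count)"

foreach ($ou in $unprotected) {
    $dn = $ou.DistinguishedName
    # Parent DN = everything after the first comma that is not backslash-escaped.
    $parentDn = $dn -replace '^.*?(?<!\\),', ''
    try {
        # Assumption: protection touches the DACL of the OU and of its parent.
        $bad = @($dn, $parentDn) | Where-Object { -not (Test-CanonicalDacl $_) }
        if ($bad) {
            Write-Log "SKIPPED  $dn  (non-canonical DACL on: $($bad -join ' | '))"
            continue
        }
        Set-ADOrganizationalUnit -Identity $dn -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
        Write-Log "OK       $dn"
    }
    catch {
        # Keep the real exception text so an unattended run can be diagnosed later.
        Write-Log "FAILED   $dn  $($_.Exception.Message)"
    }
}
Write-Log 'Done'
```

OUs logged as SKIPPED need their ACE order repaired before the flag can be set; the script only reports them.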



13 additional answers

  1. Andreas Baumgarten 132.3K Reputation points MVP Volunteer Moderator
    2021-01-28T08:14:21.157+00:00

    Could you please try this:

    $OUs =  Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
         where {$_.ProtectedFromAccidentalDeletion -eq $false}
    foreach ($OU in $OUs)
        {
        # Pass the property itself; inside a quoted string only $OU would be expanded
        Set-ADOrganizationalUnit -identity $OU.DistinguishedName -ProtectedFromAccidentalDeletion $True
        }
    

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. Micro_Techie 116 Reputation points
    2021-01-28T08:05:56.573+00:00

    @Andreas Baumgarten - The command "Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * | where {$_.ProtectedFromAccidentalDeletion -eq $false}" runs fine and lists the different OUs where the property is False. It is the "Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True" which throws an error: This access control list is not in canonical form and therefore cannot be modified.

    If I run the command in the format below, then it works fine:
    Set-ADOrganizationalUnit -identity "OU=OneMore Organizational Unit,OU=GPO Groups,OU=Resource Groups,OU=TST,OU=08607,OU=place,DC=env,DC=prod,DC=org" -ProtectedFromAccidentalDeletion $True


  3. Micro_Techie 116 Reputation points
    2021-01-27T21:12:27.61+00:00

    Hi @Andreas Baumgarten ,

    Thank you for responding to my query. I have already used this command, as mentioned in my post (2nd way); however, I get the below error:

    This access control list is not in canonical form and therefore cannot be modified.

    I get the same error when I run the command you have shared.

    Can you also suggest a working script where I can get a log file generated with the details of the change made on every OU and whether it has been successful or errored out?



  4. Andreas Baumgarten 132.3K Reputation points MVP Volunteer Moderator
    2021-01-27T14:28:05.48+00:00

    Maybe this will help:

     Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
        where {$_.ProtectedFromAccidentalDeletion -eq $false} |
            Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True
    

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
