PowerShell Help

Micro_Techie 116 Reputation points
2021-01-27T14:11:11.51+00:00

I am creating a PowerShell script to Enable Accidental Deletion. The idea is that the script runs automatically as a scheduled task without intervention or input. I have made the scripts below but am getting the errors shown below:

Working Command :

Set-ADOrganizationalUnit -identity "OU=OneMore Organizational Unit,OU=GPO Groups,OU=Resource Groups,OU=TST,OU=08607,OU=place,DC=env,DC=prod,DC=org" -ProtectedFromAccidentalDeletion $True

1st Way Not Working :

$Path= "C:\Users\domad_afrtm045\Desktop\Auto\Output1.txt"
Get-ADOrganizationalUnit -Filter * -Properties *| where {$_.ProtectedFromAccidentalDeletion -eq $false} | Select-Object Canonicalname,DistinguishedName, ProtectedFromAccidentalDeletion, Name | Export-Csv -Path $Path -NoTypeInformation

$file = Get-Content -Path $Path
foreach ($i in $file) {

Set-ADOrganizationalUnit   -ProtectedFromAccidentalDeletion $True

}

Error: Set-ADOrganizationalUnit : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:7 char:31
Set-ADOrganizationalUnit $i.distinguishedName -ProtectedFromAcci ...
~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-ADOrganizationalUnit], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADOrganizationalUnit


2nd way Not Working:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Error : This access control list is not in canonical form and therefore cannot be modified.


3rd Way

$protectedOrganizationalUnits = Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Select-Object distinguishedname | Export-csv C:\Users\domadmin_aror045\Desktop\Auto\Output1.txt
$protectedOrganizationalUnits | Select DistinguishedName, ProtectedFromAccidentalDeletion, Name
$protectedOrganizationalUnits | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Error : This access control list is not in canonical form and therefore cannot be modified.


Kindly suggest the errors or a working script. Thank you in advance for your time and help!

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | PowerShell

Accepted answer
  1. Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator
    2021-02-22T22:17:09.573+00:00

    Hi @Micro_Techie ,

    Here we go with some logging:

    # Log file that records every OU processed and the outcome
    $logfile = "C:\Temp\Logfile.log"
    # Filter as posted: OUs whose name matches "TestOU" and whose flag equals $true;
    # use -eq $false to select the OUs that are still unprotected
    $OUs = Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
        where {$_.ProtectedFromAccidentalDeletion -eq $true -AND $_.Name -match "TestOU"}

    Out-File -FilePath $logfile -Encoding utf8 -InputObject "OUs found:"
    Out-File -FilePath $logfile -Encoding utf8 -InputObject $OUs.DistinguishedName -Append
    Out-File -FilePath $logfile -Encoding utf8 -InputObject "`r`nHere we go ...." -Append

    foreach ($OU in $OUs)
    {
        $ouDN = $OU.DistinguishedName
        try {
            # -ErrorAction Stop makes sure a failure on this OU reaches the catch block
            Set-ADOrganizationalUnit -Identity "$ouDN" -ProtectedFromAccidentalDeletion $True -ErrorAction Stop
            Out-File -FilePath $logfile -Encoding utf8 -InputObject "Value successfully set on OU: $ouDN" -Append
        }
        catch {
            Out-File -FilePath $logfile -Encoding utf8 -InputObject "Something went wrong while setting value on OU: $ouDN" -Append
        }
    }

    Out-File -FilePath $logfile -Encoding utf8 -InputObject "... Done" -Append
    

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
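
The "not in canonical form" error in the 2nd and 3rd attempts is the .NET message for an ACL whose entries are out of canonical order, and setting ProtectedFromAccidentalDeletion has to modify the OU's ACL because the flag is implemented as deny entries in it. The read-only pre-check below is an added example, not code from any answer in this thread: it reports each OU's protection flag and whether its DACL is canonical, so OUs that will fail can be identified before a scheduled run. The function name `Get-OUProtectionStatus` and the report path are hypothetical.

```powershell
# Added example: read-only audit, nothing in the directory is changed.
Import-Module ActiveDirectory

# Hypothetical report location; adjust for your environment.
$reportPath = 'C:\Temp\OU-ProtectionAudit.csv'

function Get-OUProtectionStatus {
    [CmdletBinding()]
    param(
        # Where to start the search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        ForEach-Object {
            $ou        = $_      # keep the OU; $_ is the error record inside catch
            $canonical = $null   # stays $null when the ACL cannot be read
            $note      = ''
            try {
                # The AD: drive is provided by the ActiveDirectory module.
                $acl       = Get-Acl -Path "AD:\$($ou.DistinguishedName)" -ErrorAction Stop
                $canonical = $acl.AreAccessRulesCanonical
            }
            catch {
                $note = $_.Exception.Message
            }
            [pscustomobject]@{
                DistinguishedName = $ou.DistinguishedName
                Protected         = [bool]$ou.ProtectedFromAccidentalDeletion
                DaclCanonical     = $canonical
                Note              = $note
            }
        }
}

$status = Get-OUProtectionStatus
$status | Export-Csv -Path $reportPath -NoTypeInformation -Encoding UTF8

# OUs that are unprotected AND have a non-canonical DACL: these are the ones
# on which Set-ADOrganizationalUnit is expected to raise the canonical-form error.
$status |
    Where-Object { -not $_.Protected -and $_.DaclCanonical -eq $false } |
    Select-Object -ExpandProperty DistinguishedName
```

OUs listed by the last pipeline need their ACL entry order repaired before the protection flag can be set on them.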


13 additional answers

  1. Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator
    2021-01-27T14:28:05.48+00:00

    Maybe this will help:

     Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
        where {$_.ProtectedFromAccidentalDeletion -eq $false} |
            Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True
    

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. Micro_Techie 116 Reputation points
    2021-01-27T21:12:27.61+00:00

    Hi @Andreas Baumgarten ,

    Thank you for responding to my query. I have already used this command, as mentioned in my post (2nd way); however, I get the error below:

    This access control list is not in canonical form and therefore cannot be modified.

    I get the same error when I run the command you have shared.

    Can you also suggest a working script where I can get a log file generated with the details of the change made on every OU and whether it was successful or errored out?


  3. Micro_Techie 116 Reputation points
    2021-01-28T08:05:56.573+00:00

    @Andreas Baumgarten - The command "Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
    where {$_.ProtectedFromAccidentalDeletion -eq $false}" runs fine and lists the different OUs where the property is False. It is the "Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $True" which throws an error: This access control list is not in canonical form and therefore cannot be modified.

    If I run the command in the format below, then it works fine:
    Set-ADOrganizationalUnit -identity "OU=OneMore Organizational Unit,OU=GPO Groups,OU=Resource Groups,OU=TST,OU=08607,OU=place,DC=env,DC=prod,DC=org" -ProtectedFromAccidentalDeletion $True


  4. Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator
    2021-01-28T08:14:21.157+00:00

    Could you please try this:

    $OUs =  Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties * |
         where {$_.ProtectedFromAccidentalDeletion -eq $false}
    foreach ($OU in $OUs)
        {
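        # $() is needed inside a double-quoted string; without it only $OU expands and ".DistinguishedName" is appended as literal text
        Set-ADOrganizationalUnit -Identity "$($OU.DistinguishedName)" -ProtectedFromAccidentalDeletion $True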
        }
    

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
