Active Directory PowerShell: List items with "Protect object from accidental deletion" setting

 

Introduction

Ever got in a situation where you, as AD domain admin, were blocked from deleting items?

Or did you ever receive an "Access denied" when you tried to delete items from AD, even with full admin rights?

Then you better check if AD has the "protect from accidental deletion" activated on the object, container or OU.

In case you want to check a larger collection of items for this setting, it quickly becomes complicated.

This article helps you to get an overview by using Powershell, and an export of the impacted items to a CSV file.

As explained by James ONeill (Windows Server 2008 Protection from Accidental Deletion)          

"The functionality to prevent accidental deletion is not based on a new attribute in Active Directory.  It is enabled by ticking a check box on the Object tab of the particular object you wish to protect.  The Object tab is only visible when the Advanced Features option is selected from the View menu of Active Directory Users and Computers. When the tick box is checked the permissions on the object are changed. A “Deny” permission is created which stops deletion of the object.  "

 

Overview

This script finds all AD objects protected from accidental deletions.

 

Credits

This script uses logic that has been developed by:

• Ashley McGlone, Microsoft Premier Field Engineer, March 2013,
• http://aka.ms/GoateePFE
• Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989

 

Source references

Active Directory OU Permissions Report: Free PowerShell Script Download

• Ashley McGlone, March 25, 2013
• https://blogs.technet.microsoft.com/ashleymcglone/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download/

 

Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

• abizer_hazratJune 9, 2009
• https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/

 

Windows Server 2008 Protection from Accidental Deletion

• James ONeill, October 31, 2007
• https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/

 

Prerequisites

This script only runs if you can load the AD PS module eg. run the analysis on a DC.

 

Downloads (Gallery)

• List Protect object from accidental deletion setting in AD (full version)
• List Protect object from accidental deletion setting in AD (light version)

 

Source Code

Full Version (with progress bar)

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

<############################################################################## Author: Peter Geelen Quest For Security  October 2016 http://identityunderground.wordpress.com This script finds all AD objects protected by accidental deletions. Credits: This script uses logic that has been developed by: - Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE  - Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989 LEGAL DISCLAIMER This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,  INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.   We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,  provided that You agree:  (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;  (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and  (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys  fees, that arise or result from the use or distribution of the Sample Code.   This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm. ##############################################################################> #----------------------------------------------------------------------------- #Source references #----------------------------------------------------------------------------- #Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory #abizer_hazratJune 9, 2009 #https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/ #Windows Server 2008 Protection from Accidental Deletion #James ONeill, October 31, 2007 #https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/ #----------------------------------------------------------------------------- #Prerequisites:  #this script only runs if you can load the AD PS module #eg. run the analysis on a DC #----------------------------------------------------------------------------- cls import-module activedirectory #----------------------------------------------------------------------------- #initialisation #----------------------------------------------------------------------------- #the CSV file is saved in the same directory as the PS file $csvFile = $MyInvocation.MyCommand.Definition -replace 'ps1','csv' $report = @() #(*) Credits  $schemaIDGUID = @{} ### NEED TO RECONCILE THE CONFLICTS ### $ErrorActionPreference = 'SilentlyContinue' Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |  ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)} Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |  ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)} $ErrorActionPreference = 'Continue' #(*) #----------------------------------------------------------------------------- #Functions #----------------------------------------------------------------------------- function CheckProtection {     param($obj)     $path = "AD:\" + $obj     Get-Acl -Path $path | `     Select-Object -ExpandProperty Access | `     Where-Object {($_.ActiveDirectoryRights -like "*DeleteTree*") -AND ($_.AccessControlType -eq "Deny")} | `         #(*)         Select-Object @{name='Object';expression={$obj}}, `         @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `         @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `         #(*)         ActiveDirectoryRights,         ObjectFlags,         AccessControlType,         IdentityReference,         IsInherited,         InheritanceFlags,         PropagationFlags } #----------------------------------------------------------------------------- #MAIN #----------------------------------------------------------------------------- #add the top domain $OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName) #add the OUs $OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName #add other containers $OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter '(|(objectClass=container)(objectClass=builtinDomain))' | Select-Object -ExpandProperty DistinguishedName #if you don't want to scan the builtin container use line below instead of line above #$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName #set the target objects types to investigate #including users, groups, contacts, computers $ldapfilter = '(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))' #$ldapfilter = '(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer)(objectclass=Foreign-Security-Principal))' #not included: Foreign-Security-Principal, msTPM-InformationObjectsContainer, msDS-QuotaContainer, lostAndFound, $iSeqNo = 0 $OUCount = $OUs.Count ForEach ($OU in $OUs)  {     $iSeqNo++     $pct = ([int]($iSeqNo/$OUCount * 100))     $activity = "Analyzing container: "+ $OU     Write-Progress -activity $activity -status "Please wait" -percentcomplete $pct -currentoperation "now processing container $iSeqNo of $OUCount" -id 1     #check the protection of the parent container     $isProtected = ''     $isProtected = CheckProtection $OU     if ($isProtected -ne $null) {$report += $isProtected}          #Lookup the child target objects in the parent container     $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName     $iSubSeqNo = 0     $ObjCount = $objects.Count          #check the protection of the child objects     ForEach ($object in $objects)     {         $iSubSeqNo++         $iSubpct = ([int]($iSubSeqNo/$ObjCount * 100))         $SubActivity = "Analyzing object: "+ $object          Write-Progress -activity $SubActivity -status "Please wait" -percentcomplete $iSubpct -currentoperation "now processing object $iSubSeqNo of $ObjCount" -ParentId 1 -id 2              $isProtected = ''         $isProtected = CheckProtection $object         if ($isProtected -ne $null) {$report += $isProtected}     }         Write-Progress -activity "Analyzing object completed." -status "Proceeding" -Completed -ParentId 1 -id 2 } $report | Format-Table -Wrap $report | Export-Csv -Path $csvFile -NoTypeInformation

 

Light version (without progress bar)

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102

<############################################################################## Author: Peter Geelen Quest For Security  October 2016 http://identityunderground.wordpress.com This script finds all AD objects protected by accidental deletions. Credits: This script uses logic that has been developed by: - Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE  - Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989 LEGAL DISCLAIMER This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,  INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.   We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,  provided that You agree:  (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;  (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and  (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys  fees, that arise or result from the use or distribution of the Sample Code.   This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm. ##############################################################################> #----------------------------------------------------------------------------- #Source references #----------------------------------------------------------------------------- #Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory #abizer_hazratJune 9, 2009 #https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/ #Windows Server 2008 Protection from Accidental Deletion #James ONeill, October 31, 2007 #https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/ #----------------------------------------------------------------------------- #Prerequisites:  #this script only runs if you can load the AD PS module #eg. run the analysis on a DC #----------------------------------------------------------------------------- cls import-module activedirectory #----------------------------------------------------------------------------- #initialisation #----------------------------------------------------------------------------- #the CSV file is saved in the same directory as the PS file $csvFile = $MyInvocation.MyCommand.Definition -replace 'ps1','csv' $report = @() #(*) Credits  $schemaIDGUID = @{} ### NEED TO RECONCILE THE CONFLICTS ### $ErrorActionPreference = 'SilentlyContinue' Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |  ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)} Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |  ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)} $ErrorActionPreference = 'Continue' #(*) #----------------------------------------------------------------------------- #Functions #----------------------------------------------------------------------------- function CheckProtection {     param($obj)     $path = "AD:\" + $obj     Get-Acl -Path $path | `     Select-Object -ExpandProperty Access | `     Where-Object {($_.ActiveDirectoryRights -like "*DeleteTree*") -AND ($_.AccessControlType -eq "Deny")} | `         #(*)         Select-Object @{name='Object';expression={$obj}}, `         @{name='objectTypeName';expression={if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)}}}, `         @{name='inheritedObjectTypeName';expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `         #(*)         ActiveDirectoryRights,         ObjectFlags,         AccessControlType,         IdentityReference,         IsInherited,         InheritanceFlags,         PropagationFlags } #----------------------------------------------------------------------------- #MAIN #----------------------------------------------------------------------------- #add the top domain $OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName) #add the OUs $OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName #add other containers $OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter '(|(objectClass=container)(objectClass=builtinDomain))' | Select-Object -ExpandProperty DistinguishedName #if you don't want to scan the builtin container use line below instead of line above #$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName #set the target objects types to investigate #including users, groups, contacts, computers $ldapfilter = '(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))' #$ldapfilter = '(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer)(objectclass=Foreign-Security-Principal))' #not included: Foreign-Security-Principal, msTPM-InformationObjectsContainer, msDS-QuotaContainer, lostAndFound, ForEach ($OU in $OUs)  {     #check the protection of the parent container     $isProtected = ''     $isProtected = CheckProtection $OU     if ($isProtected -ne $null) {$report += $isProtected}          #Lookup the child target objects in the parent container     $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName     #check the protection of the child objects     ForEach ($object in $objects)     {         $isProtected = ''         $isProtected = CheckProtection $object         if ($isProtected -ne $null) {$report += $isProtected}     } } $report | Format-Table -Wrap $report | Export-Csv -Path $csvFile -NoTypeInformation

 

 

Disclaimer

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

We grant You a non-exclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,

provided that You agree:

(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and

(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the Sample Code.

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at Microsoft Terms of Use.