Thursday, January 23, 2014

Windows Server 2012 - Active Directory - Backup and Restore, Part 3: Protect from accidental deletion

NOTE TO READER
 
I wanted to test some 3rd party software to demonstrate what would perhaps be a "step up" even from the native Windows Server (2012) Recycle Bin. Unfortunately, it was not as simple as downloading the trial copy and taking a look. At present, I am still working to obtain such a trial copy with one company. If this is not possible, I'll either try another company or simply "move on" to something else.

In the meantime, I want to look at an option that could have been, perhaps, the first blog post of my "Backup and Restore" series even though it involves neither a backup nor a restore.
 
I'm referring to the protection of Active Directory objects from accidental deletion.

In the lines that follow, I'll present the feature and then some PowerShell cmdlets to find protected (or unprotected) objects and adjust their status as necessary.
 
 ***

Objects in Active Directory can be protected from accidental deletion by displaying the advanced properties of an object, selecting the Object tab and checking the "Protect object against accidental deletion" box.
 
We can view the "Object" tab by enabling "Advanced Features".

We then open the properties of the object, select the now visible "Object" tab and check the appropriate setting. In the example below, we protect the "ExchangeUsers" organizational unit.




This reduces the probability of someone deleting an object inadvertently.
 
So... our inattentive administrator attempts to delete the object in question and sees a confirmation prompt.

Even if he ignores the warning and clicks OK, deletion of the object will fail.
So how does this work "behind the scenes"?

When we check the setting, an ACE (Access Control Entry) is added to the ACL (Access Control List) of the object. That entry is "Everyone" - Delete (and Delete-Subtree) - Deny.

In fact, if we examine the Security tab of the object and explore the advanced properties, we see that entry, and its details confirm the principal ("Everyone"), the access type (Deny) and the permissions (Delete and Delete subtree).

This permission (Deny) is added when the setting is checked. Before the setting is checked, there is no entry for "Everyone" (but rather for "Authenticated Users").
 
Without this useful setting, someone inattentive could click OK to confirm deletion.
 
With it enabled, that person would have to think about why they cannot delete the item, know or discover how to disable the protection, display the advanced properties of the object, go to the Object tab, uncheck the protect option and then attempt the deletion again, with the confirmation prompt giving them one last chance to reflect on what they are doing.
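To see this ACE without the GUI, here is an added PowerShell example (not from the original post) that reads the object's ACL through the AD: drive and keeps only Deny entries for Everyone that carry Delete or Delete subtree. It assumes the ActiveDirectory module is loaded and uses the ExchangeUsers OU in the post's mynet.lan domain as the target.

```powershell
# Added example (not from the original post): find the Deny ACE that the
# "Protect object from accidental deletion" box adds to an AD object.
# Assumes the ActiveDirectory module (which provides the AD: drive) and the
# ExchangeUsers OU in the mynet.lan domain used in the post.
Import-Module ActiveDirectory

function Get-ADDeleteDenyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Delete = delete the object itself, DeleteTree = delete it with its subtree
    $deleteBits = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    # Keep only explicit or inherited Deny entries for Everyone with those bits
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ([int]($_.ActiveDirectoryRights -band $deleteBits)) -ne 0
    } | Select-Object IdentityReference, AccessControlType,
                      ActiveDirectoryRights, IsInherited
}

$ou  = 'OU=ExchangeUsers,DC=mynet,DC=lan'   # assumed DN from the post
$ace = Get-ADDeleteDenyAce -DistinguishedName $ou

if ($ace) {
    "Protected by ACE: $ou"
    $ace | Format-Table -AutoSize
} else {
    "No Everyone/Deny/Delete ACE found on: $ou"
}

# Cross-check against the flag the AD cmdlets expose for the same object
(Get-ADObject -Identity $ou -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
```

If the ACE is present but the flag reports $false (or vice versa), the protection was edited directly in the ACL rather than through the checkbox or cmdlet, which is worth investigating.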
 
 
***

 
Managing the "Protect object from accidental deletion" setting with PowerShell

We can protect various objects from deletion (not just organizational units): computers, groups and users as well. However, we may not want to protect all objects from deletion, since this could complicate operations such as moving an object from one container to another (a move operation is, in fact, a copy operation followed by a deletion).
 
Moreover, it would not be feasible to check or uncheck this setting manually on perhaps hundreds of objects. Fortunately, PowerShell allows us to find both protected and unprotected objects and adjust the setting as desired.
 
Using organizational units in this example, the following cmdlets display, respectively, those protected from deletion and those that are unprotected:


PS C:\> Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true} | fl name

name : ExchangeUsers
name : Staff
name : My Security Groups
name : MyTestGroups


PS C:\> Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | fl name

name : Microsoft Exchange Security Groups
name : Domain Controllers
name : Servers
name : Contacts
name : Clients


Now I'll verify whether my domain controllers are protected from accidental deletion:

PS C:\> Get-ADComputer -SearchBase "OU=Domain Controllers,DC=mynet,dc=lan" -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true} | fl name

PS C:\> Get-ADComputer -SearchBase "OU=Domain Controllers,DC=mynet,dc=lan" -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | fl name

name : DC2
name : DC5

The cmdlet is similar to the preceding one, but we use the -SearchBase parameter to target the Domain Controllers organizational unit. We can see that the two domain controllers are not protected from accidental deletion. How can we protect them? Well, we could check the appropriate setting as shown above. If there is only an object or two, as is the case here, that would be acceptable. However, PowerShell allows us to enable the feature on a multitude of objects with this cmdlet:
 

PS C:\> Get-ADComputer -SearchBase "OU=Domain Controllers,DC=mynet,dc=lan" -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADObject -ProtectedFromAccidentalDeletion $true
 
Note the last part of the entire command, after the second pipe symbol:
 
Set-ADObject -ProtectedFromAccidentalDeletion $true
 
This is the part that actually enables the protection.
 
 
Note: apparently, we must use the Set-ADObject cmdlet as opposed to the Set-ADComputer cmdlet:
 
PS C:\> Get-ADComputer -SearchBase "OU=Domain Controllers,DC=mynet,dc=lan" -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADComputer -ProtectedFromAccidentalDeletion $true

Set-ADComputer : A parameter cannot be found that matches parameter name 'ProtectedFromAccidentalDeletion'.
 
 
In any case, the domain controllers are now protected from accidental deletion:
 
PS C:\> Get-ADComputer -SearchBase "OU=Domain Controllers,DC=mynet,dc=lan" -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true} | fl name

name : DC2
name : DC5
 
Note: the domain controllers OU could be protected as well by this method.
 
We can protect various types of objects from deletion using the example above (with Set-ADObject) by simply adjusting the type of object we are seeking in the first part of the command. We could use any of these variations:

Get-ADOrganizationalUnit

Get-ADComputer

Get-ADUser

Get-ADGroup
 
 
These are some other variations that could be used:

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true


The first cmdlet would protect all users (based on the integrated LDAP query - rather than "Get-ADUser") and the second would protect all OUs. This may or may not be suitable in your organization.
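Pulling the variations above together, here is an added PowerShell example (not from the original post) that audits OUs, computers, users and groups for the ProtectedFromAccidentalDeletion flag in one pass and then previews, with -WhatIf, protecting only the OUs and the domain controller accounts. It assumes the ActiveDirectory module and the post's mynet.lan domain; its user filter adds objectCategory=person because computer objects are also objectClass=user and an ObjectClass -eq "user" filter alone would include them.

```powershell
# Added example (not from the original post): audit several object classes
# for ProtectedFromAccidentalDeletion and preview the fix before applying it.
# Assumes the ActiveDirectory module and the mynet.lan domain from the post.
Import-Module ActiveDirectory

# LDAP filters per class. The user filter adds objectCategory=person because
# computer objects are also objectClass=user and would otherwise be included.
$classFilters = [ordered]@{
    organizationalUnit = '(objectClass=organizationalUnit)'
    computer           = '(objectClass=computer)'
    user               = '(&(objectCategory=person)(objectClass=user))'
    group              = '(objectClass=group)'
}

function Get-UnprotectedADObject {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string[]]$ObjectClass = $classFilters.Keys
    )
    foreach ($class in $ObjectClass) {
        $query = @{
            SearchBase = $SearchBase
            LDAPFilter = $classFilters[$class]
            Properties = 'ProtectedFromAccidentalDeletion'
        }
        # Keep the ADObject instances intact so they can be piped to Set-ADObject
        Get-ADObject @query | Where-Object { -not $_.ProtectedFromAccidentalDeletion }
    }
}

# 1. Report what is unprotected, grouped by class
$unprotected = Get-UnprotectedADObject
$unprotected | Sort-Object ObjectClass, Name |
    Format-Table ObjectClass, Name, DistinguishedName -AutoSize

# 2. Protect only OUs and the computer accounts in the Domain Controllers OU.
#    Ordinary users, groups and workstations stay unprotected so that moving
#    them between OUs keeps working. -WhatIf previews; remove it to apply.
$dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$unprotected |
    Where-Object {
        $_.ObjectClass -eq 'organizationalUnit' -or
        $_.DistinguishedName -like "*,$dcOu"
    } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```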

***

Reference:

AD DS: All OUs in this domain should be protected from accidental deletion

1 comment:

1. Really enjoyed all your articles regarding AD Backup/Restore. Very handy.
   Thanks very much.