Each contribution is licensed to you under a License Agreement by its owner, not Microsoft. Microsoft does not guarantee the contribution or purport to grant rights to it.
Script to Protect Organizational Units (OUs) from Accidental Deletion (Community)
Script Code
VBScript
' Adds a deny ACE for Everyone to every OU in the domain and to the domain
' root so that the objects cannot be deleted by accident.
strDomName = "LDAP://dc=contoso,dc=com"   ' change to your own domain

' Values for objAce.Flags (&H2 is named ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT in ADSI)
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_DOMAIN_FLAG_OBJECT_TYPE_PRESENT = &H2
' No inheritance flags: the ACE applies only to the object it is set on
Const ADS_ACEFLAG_DONOT_INHERIT_ACE = &H0
' AceType &H1 is ADS_ACETYPE_ACCESS_DENIED: the ACE denies the rights in AccessMask
Const ADS_RIGHT_DS_DENY_DELETE_SUBTREE = &H1
Const ADS_RIGHT_DS_DENY_DELETE = &H1
' Access mask &H10042 = DELETE (&H10000) + DELETE_TREE (&H40) + DELETE_CHILD (&H2)
Const ACTRL_DS_DELETE_TREE = &H10042
' Access mask &H2 = DELETE_CHILD
Const ACTRL_DOMAIN_DS_DELETE_TREE = &H2
Const ADS_SCOPE_SUBTREE = 2

' Search the whole domain for OUs through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT Name, ADsPath, distinguishedName FROM " & "'" & strDomName & "'" & _
    " WHERE objectCategory='organizationalUnit' ORDER BY Name"
Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty result set, so check EOF first
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strOuDN = objRecordSet.Fields("distinguishedName").Value
    strLDAPOU = "LDAP://" & strOuDN

    ' Read the OU's security descriptor and its DACL
    Set objSdUtil = GetObject(strLDAPOU)
    Set objSD = objSdUtil.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryACL

    ' Deny Everyone: delete, delete subtree and delete child objects on this OU
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = "Everyone"
    objAce.AceFlags = ADS_ACEFLAG_DONOT_INHERIT_ACE
    objAce.AceType = ADS_RIGHT_DS_DENY_DELETE
    objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.AccessMask = ACTRL_DS_DELETE_TREE
    objDACL.AddAce objAce

    ' Write the modified security descriptor back to the directory
    objSD.DiscretionaryAcl = objDACL
    objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
    objSdUtil.SetInfo
    objRecordSet.MoveNext
Loop

'Set DENY DELETE ALL CHILD OBJECTS on DOMAIN
Set objSdUtil = GetObject(strDomName)
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
Set objAce = CreateObject("AccessControlEntry")
objAce.Trustee = "Everyone"
objAce.AceFlags = ADS_ACEFLAG_DONOT_INHERIT_ACE
objAce.AceType = ADS_RIGHT_DS_DENY_DELETE
objAce.Flags = ADS_DOMAIN_FLAG_OBJECT_TYPE_PRESENT
objAce.AccessMask = ACTRL_DOMAIN_DS_DELETE_TREE
objDACL.AddAce objAce
objSD.DiscretionaryAcl = objDACL
objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
objSdUtil.SetInfo

WScript.Echo "Script Finished"
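
To confirm the result after a run, the following added example (not part of the original script; the function names Get-DeniedMask and Test-DenyAce are my own) reads the ACL of the domain root and of each OU and lists objects that lack an explicit deny ACE for Everyone covering the rights the script sets. It assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example (not from the original script). Requires the ActiveDirectory
# module (RSAT), which also provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone
$OuMask      = 0x10042     # DELETE + DELETE_TREE + DELETE_CHILD, as set on each OU
$DomainMask  = 0x2         # DELETE_CHILD, as set on the domain root

function Get-DeniedMask {
    # Combine the rights of all explicit (non-inherited) deny ACEs for Everyone
    # that apply to every object type (no ObjectType GUID restriction).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $mask = 0
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $EveryoneSid -and
            $ace.ObjectType -eq [guid]::Empty) {
            $mask = $mask -bor [int]$ace.ActiveDirectoryRights
        }
    }
    $mask
}

function Test-DenyAce {
    # Report whether every bit of $ExpectedMask is denied on the object.
    param([string]$DistinguishedName, [int]$ExpectedMask)
    $denied = Get-DeniedMask -DistinguishedName $DistinguishedName
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        DeniedMask        = '0x{0:X}' -f $denied
        Protected         = (($denied -band $ExpectedMask) -eq $ExpectedMask)
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$results  = @(Test-DenyAce -DistinguishedName $domainDn -ExpectedMask $DomainMask)
$results += Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    ForEach-Object { Test-DenyAce $_.DistinguishedName $OuMask }

# Objects the script did not cover, or where the ACE has since been removed.
$results | Where-Object { -not $_.Protected } | Format-Table -AutoSize
```

An empty table means every OU and the domain root carry the deny ACE; OUs created after the script ran will appear in the list until it is run again.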
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.