Wednesday, February 18, 2015

Enable AD Recycle Bin and prevent accidental deletion for all objects

We've all heard about the new Recycle Bin feature that was introduced with Server 2008 R2; sadly, the Recycle Bin is not enabled by default... I do not know why this is, but I feel it is a huge mistake on Microsoft's part...

So I wrote a little function that will enable the Recycle Bin. But that's not all: it will also set all OUs, computer accounts and user accounts to be protected from accidental deletion. A log file is saved in C:\Windows\Temp as well.

Preventive maintenance can be the most important maintenance.

Function Set-ADSafeMode {
<#
 .CREATED BY:
     Matthew A. Kerfoot
 .CREATED ON:
     2/18/2015
 .Synopsis
    Enables the AD Recycle Bin and prevents all OUs, computer and user accounts from accidental deletion.
 .DESCRIPTION
    Checks whether the AD Recycle Bin is enabled and, if not, enables it. Then it checks all OUs
    in the domain to see if they are protected from accidental deletion and, if not, sets the
    flag that protects them. The same is done for all user and computer accounts in your domain.
    Enabling the Recycle Bin is a forest-wide, one-way change (it cannot be disabled afterwards)
    and requires the Windows Server 2008 R2 forest functional level or higher.
    Run with -WhatIf to see what would change without changing anything; a transcript is written to C:\Windows\Temp.
 .FUNCTIONALITY
    PowerShell v2 (must be run from a DC; the ActiveDirectory module is required)
 #>
[CmdletBinding(SupportsShouldProcess=$True)]
param(
        [Parameter(Mandatory=$false)]
        [string]$LogDate = (Get-Date -Format "MM-d-yy-HH")
    )

Import-Module ActiveDirectory

# Starts the log file; everything written to the console from here on is captured in it.
Start-Transcript -Path "C:\Windows\Temp\$LogDate.log"

$Forest = Get-ADForest

# The Recycle Bin is enabled when the feature has at least one enabled scope.
# (IsDisableable is always False for this feature, so it says nothing about whether it is enabled.)
$Bin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

   If ($Bin.EnabledScopes.Count -gt 0)
       {
         Write-Host "The Active Directory Recycle Bin has already been enabled!" -ForegroundColor "Green"
       }
   Else
       {
         Write-Host "The Active Directory Recycle Bin NEEDS TO BE ENABLED!" -ForegroundColor "Red"

         # Enabling is irreversible, so -WhatIf / -Confirm from the caller are honoured here.
         If ($PSCmdlet.ShouldProcess($Forest.RootDomain, "Enable the Active Directory Recycle Bin (cannot be undone)"))
             {
               Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $Forest.RootDomain -Confirm:$false
               Write-Host "The Active Directory Recycle Bin has now been enabled!!" -ForegroundColor "Green"
             }
       }

            # Sets every OU that is not yet protected to be protected against accidental deletion.
            # -WhatIf is not hard-coded: it flows through from the caller because of SupportsShouldProcess.
            Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
            Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
            Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -Verbose

        # Sets every user and computer account that is not yet protected to be protected from accidental deletion.
        # ProtectedFromAccidentalDeletion is computed from the object's ACL, not stored as an LDAP attribute,
        # so it has to be filtered on the client side.
        Get-ADObject -Filter 'ObjectClass -eq "user" -or ObjectClass -eq "computer"' -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Set-ADObject -ProtectedFromAccidentalDeletion $true -Verbose

    # Write-Host sends nothing down the pipeline, so the transcript (not Tee-Object) is what records this line.
    Write-Host "Script Completed Successfully!" -ForegroundColor "Green"

# Ends the log file
Stop-Transcript

 }

Set-ADSafeMode
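The companion a practitioner usually wants next is a read-only check of the same three settings, plus the restore step that is the whole reason for enabling the Recycle Bin. The following is an added example, not code from the original post: Get-ADSafeModeReport reports forest level, Recycle Bin state, the number of unprotected OUs and accounts, and how many objects are currently sitting in the Recycle Bin; Restore-ADDeletedObject restores one of them by its last known name. Both function names are made up for this example; it assumes the ActiveDirectory module, a domain-joined session with rights to read deleted objects, and that ForestMode values 4 and above correspond to Windows Server 2008 R2 or later.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module is available
# and the caller can read the Deleted Objects container. Function names are hypothetical.

Function Get-ADSafeModeReport {
    [CmdletBinding()]
    param()

    Import-Module ActiveDirectory

    $Forest = Get-ADForest
    $Bin    = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    # Windows2008R2Forest is enum value 4 (assumption noted in the lead-in); lower levels cannot enable the feature.
    $LevelOk = ([int]$Forest.ForestMode -ge 4)

    $UnprotectedOUs = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
                      Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    $UnprotectedAccounts = Get-ADObject -Filter 'ObjectClass -eq "user" -or ObjectClass -eq "computer"' `
                               -Properties ProtectedFromAccidentalDeletion |
                           Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    # Tombstoned/recycled objects; the Deleted Objects container itself is also flagged isDeleted, so exclude it.
    $Deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
                   -IncludeDeletedObjects -Properties LastKnownParent, whenChanged

    New-Object PSObject -Property @{
        Forest                 = $Forest.RootDomain
        ForestLevelSupportsBin = $LevelOk
        RecycleBinEnabled      = ($Bin.EnabledScopes.Count -gt 0)
        UnprotectedOUs         = @($UnprotectedOUs).Count
        UnprotectedAccounts    = @($UnprotectedAccounts).Count
        ObjectsInRecycleBin    = @($Deleted).Count
    }
}

# Restores a deleted object by the name it had before deletion (msDS-LastKnownRDN).
# Supports -WhatIf; -TargetPath is needed when the original parent OU no longer exists.
Function Restore-ADDeletedObject {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)]
        [string]$Name,
        [Parameter(Mandatory=$false)]
        [string]$TargetPath
    )

    Import-Module ActiveDirectory

    $Candidates = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" `
                        -IncludeDeletedObjects -Properties LastKnownParent, whenChanged)

    if ($Candidates.Count -eq 0) { throw "No deleted object named '$Name' was found in the Recycle Bin." }
    if ($Candidates.Count -gt 1) { throw "More than one deleted object is named '$Name'; restore by ObjectGUID instead." }

    $Obj = $Candidates[0]
    $Action = "Restore '$Name' (deleted $($Obj.whenChanged)) to $($Obj.LastKnownParent)"

    if ($PSCmdlet.ShouldProcess($Obj.ObjectGUID, $Action)) {
        if ($TargetPath) {
            Restore-ADObject -Identity $Obj.ObjectGUID -TargetPath $TargetPath
        } else {
            Restore-ADObject -Identity $Obj.ObjectGUID
        }
    }
}

# Usage:
#   Get-ADSafeModeReport
#   Restore-ADDeletedObject -Name 'John Doe' -WhatIf
```

Run Get-ADSafeModeReport before and after Set-ADSafeMode: the two Unprotected counts should drop to zero and RecycleBinEnabled should read True. The restore helper looks objects up by msDS-LastKnownRDN rather than Name because a recycled object's Name has a DEL: suffix appended, and it refuses to guess when several deleted objects share the same name.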

If you prevent fires you don't have to put out fires...