
Preserve your AD organizational unit with these commands

Active Directory OUs maintain order in an IT organization. But if you're not careful, an errant keystroke can topple everything.

IT admins use Active Directory to construct a hierarchy of organizational units to maintain control and give users access to resources across the network. If a piece of this directory service gets deleted inadvertently during maintenance work, however, it can bring the company to its knees.

AD organizational units (OUs) arrange users, computers, groups and other OUs into a hierarchy. The accidental removal of an OU can therefore cause a massive disruption: deleting an OU deletes every object inside it, so if a sysadmin removes the OU that holds certain user accounts, those workers can't log in to their PCs, and productivity suffers until an administrator recovers the OU. Active Directory has a Recycle Bin, but it only helps if it was enabled before the deletion, and even then a complete recovery can take several hours in a large organization.

A PowerShell script can quickly check whether each AD organizational unit is protected.

Determine the protection status for one unit

To check the protection setting of a single AD organizational unit -- for example, the ComputersOU unit -- pass its distinguished name to the Identity parameter and request the ProtectedFromAccidentalDeletion property explicitly, because it is not part of the cmdlet's default property set:

Get-ADOrganizationalUnit -Identity "OU=ComputersOU,DC=TechTarget,DC=Com" -Properties ProtectedFromAccidentalDeletion

The ProtectedFromAccidentalDeletion property returns False if the AD organizational unit is not protected. Behind the scenes, the flag is a pair of explicit Deny entries for Everyone (Delete and Delete Subtree) in the OU's security descriptor, so it blocks both console mistakes and scripted Remove-ADOrganizationalUnit calls. It does not stop an administrator who deliberately clears the flag first, so treat it as a guardrail against accidents, not as an access control.

How to install the Active Directory module

The Active Directory cmdlets come with the Active Directory module for Windows PowerShell, which is part of the Remote Server Administration Tools (RSAT) package. Install RSAT for your OS first: on Windows Server it is an optional feature, and on Windows 10 version 1809 and later it is a Feature on Demand rather than a separate download.

Next, enable the AD module. Go to Programs and Features in the Control Panel, and follow this path: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.

Lastly, run the Update-Help command from an elevated prompt to download the latest documentation for the module.
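The whole procedure above as one script, added here as an example rather than taken from the article: it installs the module by the route that matches the OS, loads it, confirms the two cmdlets this article relies on are present, and pulls help. The Win32_OperatingSystem ProductType values (1 workstation, 2 domain controller, 3 member server) and the RSAT capability name are standard Windows values; the rest is the author's assumption about how an admin would want the steps chained.

```powershell
# Added example, not the article's own code. Run from an elevated PowerShell prompt.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType

if ($productType -eq 1) {
    # Windows 10 1809+ / Windows 11: RSAT ships as a Feature on Demand
    $cap = Get-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools*"
    if ($cap.State -ne "Installed") {
        Add-WindowsCapability -Online -Name $cap.Name
    }
} else {
    # Windows Server: the module is an optional feature (already present on a DC,
    # where Install-WindowsFeature is a no-op)
    Install-WindowsFeature -Name RSAT-AD-PowerShell
}

Import-Module ActiveDirectory

# Fail early if the cmdlets the article uses are not actually available
Get-Command Get-ADOrganizationalUnit, Set-ADOrganizationalUnit -ErrorAction Stop | Out-Null

# Needs elevation and internet access; ignore the failure on an offline box
Update-Help -Module ActiveDirectory -ErrorAction SilentlyContinue
```

On a client that manages Active Directory remotely, the Get-/Set-ADOrganizationalUnit calls later in this article also need the -Server parameter (or a domain the machine is joined to), because the module talks to a domain controller rather than to local data.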

Are all AD organizational units protected?

To identify the protection status of OUs across several AD domains, use the PowerShell script below. It reads a list of domain names (one per line), queries each domain for OUs whose ProtectedFromAccidentalDeletion property is False and appends them to a CSV report file. Only unprotected OUs are written, so an empty report (header only) means every OU in every listed domain is protected.

# Where to write the report and where the domain list lives (adjust both)
$ReportFile = "C:\Temp\OUProtectionReport.csv"
$DomainList = "C:\Temp\DomainList.TXT"

# Start with a fresh report; ignore the error if there is none yet
Remove-Item $ReportFile -ErrorAction SilentlyContinue

$ThisStr = "OU Name,OU Path,In AD Domain,Final Status"
Add-Content $ReportFile $ThisStr

ForEach ($DomName in Get-Content $DomainList)
{
    # Ask only for the property we need; -Properties * is slow in a large domain
    $AllOUs = Get-ADOrganizationalUnit -Server $DomName -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false }

    # @() so a single result still has a Count in Windows PowerShell
    $TotOUNow = @($AllOUs).Count

    IF ($TotOUNow -ne 0)
    {
        ForEach ($Item in $AllOUs)
        {
            # Quote the name and DN: both may legitimately contain commas
            $FinalSTR = '"' + $Item.Name + '"' + "," + '"' + $Item.DistinguishedName + '"' + "," + $DomName + ",Not Ok"
            Add-Content $ReportFile $FinalSTR
        }
    }
}

The script generates a report file with the OU name, OU distinguished path, OU domain name and the OU protection-setting status.

Figure 1. Protection status results: a PowerShell script can check the protection settings for all AD organizational units and produce a CSV file with the results.

The script's results indicate that the protection setting for UsersOU, ComputersOU, ServersOU and domain controllers is not enabled. The script collects the OU distinguished name to make it easier to locate the AD organizational unit and then enable the protection setting.

To turn on the protection for one or all AD organizational units in a domain, use the Set-ADOrganizationalUnit cmdlet with -ProtectedFromAccidentalDeletion $true. Because the setting changes the OU's security descriptor rather than an ordinary attribute, the account running the cmdlet needs permission to modify the OU's permissions, not just to write its properties.
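A remediation script to go with the audit above, added here as an example and not part of the original article: it protects the single ComputersOU case, then walks the same domain list file the audit uses, protects only the OUs that are still unprotected and reads the flag back afterwards instead of trusting a silent Set-ADOrganizationalUnit. The file path, the TechTarget.Com naming and the $DryRun switch are assumptions; the cmdlets and parameters are the standard ones from the ActiveDirectory module.

```powershell
# Added example, not the article's own code. Assumes C:\Temp\DomainList.TXT holds
# one DNS domain name per line and that the caller can modify OU permissions.
Import-Module ActiveDirectory

$DomainList = "C:\Temp\DomainList.TXT"
$DryRun     = $true    # -WhatIf pass first; set to $false to apply the change

# Single OU: the ComputersOU example from the check earlier in the article
Set-ADOrganizationalUnit -Identity "OU=ComputersOU,DC=TechTarget,DC=Com" `
    -ProtectedFromAccidentalDeletion $true -WhatIf:$DryRun

# Every listed domain: protect what is unprotected, then verify the change landed
foreach ($DomName in Get-Content $DomainList) {
    $unprotected = Get-ADOrganizationalUnit -Server $DomName -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -Server $DomName `
            -ProtectedFromAccidentalDeletion $true -WhatIf:$DryRun

        if (-not $DryRun) {
            # Re-read rather than assume: a permissions problem on one OU should
            # show up here instead of being silently lost in a long run
            $check = Get-ADOrganizationalUnit -Identity $ou.DistinguishedName -Server $DomName `
                -Properties ProtectedFromAccidentalDeletion
            if ($check.ProtectedFromAccidentalDeletion) {
                Write-Output "$DomName : protected $($ou.DistinguishedName)"
            } else {
                Write-Warning "$DomName : still unprotected $($ou.DistinguishedName)"
            }
        }
    }
}
```

Two caveats worth keeping in mind. Protecting an OU protects only the OU object itself; the users and computers inside it can still be deleted individually, and Set-ADObject -ProtectedFromAccidentalDeletion $true is the equivalent for those objects. And once the flag is set, Remove-ADOrganizationalUnit refuses to delete the OU until someone explicitly sets the flag back to $false, which is the whole point: a deliberate two-step deletion still works, a stray keystroke does not.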
