Archive: Posts Tagged ‘script’

Prevent accidental deletions of AD objects

1 comment June 5th, 2013

The “ask DS team” posted a blog post about “Two lines that can save your AD from a crisis”. Not a bad thing to do, as it will prevent you or another admin from accidentally deleting user or computer objects.

The lines they wrote protected users, computers and OUs. Did they forget about Groups?

Anyway, to also include all your groups:

# Set the "ProtectedFromAccidentalDeletion" attribute to "true" on all users,
# computers and groups in your domain where the attribute is set to "false"

Get-ADObject -filter {ObjectClass -eq "user" -or objectclass -eq "group"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

If you try to delete a user or computer object, you will get an error stating that the object is protected from accidental deletion. You will have to untick “Protect object from accidental deletion”:



What if you’d like to move the user object to a different OU? Same error as above. You must set the attribute to ‘false’.

If you have hundreds of objects in an OU you’d like to move, it’s easier to use PowerShell to revert the attribute on all objects in the specific OU:

Get-ADObject -SearchBase 'OU=OU1,dc=domain,dc=com' -filter {ObjectClass -eq "user" -or objectclass -eq "group"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $true} | Set-ADObject -ProtectedFromAccidentalDeletion:$false
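The one-liners above set the flag in bulk; what a practitioner usually also wants is an audit of what is still unprotected, a -WhatIf-capable way to protect it, and a move procedure that does not leave the object unprotected if the move fails halfway. The following is an added example, not code from the original post: it uses the same ActiveDirectory module cmdlets, extends the filter to OUs as well as users, computers and groups (the original "two lines" covered OUs), and the DNs in the usage comments are constructed placeholders. Note that `(objectClass=user)` also matches computer objects, because objectClass is multi-valued in LDAP, which is why the post's filter covers computers without naming them.

```powershell
# Added example (not from the original post): audit, protect, and safely move
# AD objects that carry ProtectedFromAccidentalDeletion. Requires the
# ActiveDirectory module (RSAT). Try every call with -WhatIf first.
Import-Module ActiveDirectory

# Report every user, computer, group or OU that is NOT protected, so the list
# can be reviewed before anything is changed.
function Get-UnprotectedADObject {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit))' `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Protect everything the audit returned. Supports -WhatIf / -Confirm, which
# the inner Set-ADObject inherits from the function scope.
function Protect-ADObjectTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-UnprotectedADObject -SearchBase $SearchBase | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Move a protected object: clear the flag, move, and re-set the flag in
# 'finally' so the object never stays unprotected if Move-ADObject throws.
function Move-ProtectedADObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$TargetPath
    )
    $obj = Get-ADObject -Identity $Identity -Properties ProtectedFromAccidentalDeletion
    $wasProtected = [bool]$obj.ProtectedFromAccidentalDeletion
    if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Move to $TargetPath")) { return }
    try {
        if ($wasProtected) {
            Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $false
        }
        Move-ADObject -Identity $obj.DistinguishedName -TargetPath $TargetPath
    }
    finally {
        if ($wasProtected) {
            # The DN changed after the move, so address the object by GUID
            Set-ADObject -Identity $obj.ObjectGUID -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Usage (constructed DNs, not real objects):
# Get-UnprotectedADObject | Format-Table
# Protect-ADObjectTree -WhatIf
# Move-ProtectedADObject -Identity 'CN=Alice,OU=OU1,DC=domain,DC=com' `
#     -TargetPath 'OU=OU2,DC=domain,DC=com' -WhatIf
```

The audit function is the detection half: run it on a schedule and anything it returns is either newly created (the flag is not inherited by new objects) or was deliberately unprotected and never re-protected, which is exactly the window the post is trying to close.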

Will Gareth Bale stay with Spurs next season?


Documenting AD groups

No comments October 29th, 2010

AD group membership should be documented, but there are no good built-in MS tools that can do it for you (at least none that I’m aware of). You can use tools such as “dsget group”, but you can’t pipe it to Excel and get it user/customer friendly 😐

Here is a script that will do the job for you. It requires that you have Excel installed.
If you don’t have Excel, it will work on a trial version that you’ll find here.

'------------------Save me as .vbs ----------------------------------------------
' The script searches for all AD groups (or only those under the container you
' specify) and writes the group name with the group manager and its members
' to an Excel spreadsheet. One sheet per group.
' Privileges to run: "domain users"
' v.1.1
' rsoe(a)
On Error Resume Next
Const MyDomain = "dc=spurs,dc=local"
' If you don't want all built-in groups but only groups in a specific OU:
' Const MyDomain = "ou=ChildOU,ou=ParentOU,dc=spurs,dc=local"
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D
' ADS_SCOPE_SUBTREE is not predefined in VBScript, so declare it (value 2)
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Open Excel for writing. Sheets.Add needs an open workbook, so add one first.
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add

' Find all groups
objCommand.CommandText = _
    "SELECT ADsPath, Name FROM 'LDAP://" & MyDomain & "' WHERE objectCategory='group'"
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    Set objGroup = GetObject(objRecordSet.Fields("ADsPath").Value)
    strGroupName = objRecordSet.Fields("Name").Value

    ' Find if the group has a manager. Get() raises an error when the attribute
    ' is not set (and the variable keeps its old value), so check Err as well
    ' as IsEmpty.
    Err.Clear
    strManagedBy = objGroup.Get("managedBy")
    If Err.Number = 0 And Not IsEmpty(strManagedBy) Then
        strManager = strManagedBy
    Else
        strManager = "-"
    End If
    Err.Clear

    ' Give the sheet the group name. One sheet per group.
    ' (Excel sheet names are limited to 31 characters and may not contain \ / ? * [ ] :)
    objExcel.Sheets.Add.Name = Left(strGroupName, 31)
    objExcel.Cells(1, 1).Value = "Members of " & strGroupName & ":"
    objExcel.Cells(2, 1).Value = "Managed by: " & strManager
    i = 3
    count = 0

    ' Check to see if the group contains members. GetEx raises
    ' E_ADS_PROPERTY_NOT_FOUND for a group without any.
    Err.Clear
    arrMemberOf = objGroup.GetEx("member")
    If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then
        For Each strMemberOf In arrMemberOf
            Set objMember = GetObject("LDAP://" & strMemberOf)
            ' Strip the leading "CN=" from the member's RDN
            strMemberName = Right(objMember.Name, Len(objMember.Name) - 3)
            objExcel.Cells(i, 1).Value = strMemberName
            Set objMember = Nothing
            i = i + 1
            count = count + 1
        Next
        objExcel.Cells(i, 1).Value = "Member count: " & count
    Else
        ' The group doesn't have any members
        objExcel.Cells(i, 1).Value = "Member count: " & count
    End If
    Err.Clear

    i = 0
    count = 0
    strManagedBy = ""
    Set objGroup = Nothing
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close
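The same documentation job without an Excel dependency, as an added example that is not part of the original post: it uses the ActiveDirectory module (RSAT) rather than ADSI, writes one CSV per group plus a summary, resolves the manager DN to a name, and can flatten nested groups, which the VBScript above does not do. The output folder and the OU in the usage line are assumed values.

```powershell
# Added example (not from the original post): document AD groups with their
# manager and members to one CSV per group, using the ActiveDirectory module.
# Assumes RSAT is installed; the output folder is an assumption.
Import-Module ActiveDirectory

function Export-ADGroupDocumentation {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutputFolder = 'C:\Temp\ADGroups',   # assumed path
        [switch]$Recursive                             # expand nested groups to leaf members
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    $summary = foreach ($group in Get-ADGroup -SearchBase $SearchBase -Filter * -Properties managedBy, member) {
        # managedBy holds a DN or nothing; resolve it to a display name when set
        $manager = if ($group.managedBy) { (Get-ADObject -Identity $group.managedBy).Name } else { '-' }

        try {
            # -Recursive flattens nested groups; without it a nested group is
            # listed as one member of objectClass 'group'
            $members = @(Get-ADGroupMember -Identity $group -Recursive:$Recursive -ErrorAction Stop |
                Select-Object Name, objectClass, distinguishedName)
        }
        catch {
            # Fallback for groups Get-ADGroupMember cannot expand (for example
            # foreign security principals from trusted domains): list the raw DNs
            $members = @($group.member | ForEach-Object {
                [pscustomobject]@{ Name = $_; objectClass = 'unresolved'; distinguishedName = $_ } })
        }

        # One CSV per group; the group name becomes a file name, so sanitize it
        $safeName = $group.Name -replace '[\\/:*?"<>|]', '_'
        $members | Export-Csv -Path (Join-Path $OutputFolder "$safeName.csv") -NoTypeInformation

        [pscustomobject]@{
            Group       = $group.Name
            ManagedBy   = $manager
            MemberCount = $members.Count
            Scope       = $group.GroupScope
            Category    = $group.GroupCategory
        }
    }

    $summary | Export-Csv -Path (Join-Path $OutputFolder 'Summary.csv') -NoTypeInformation
    $summary
}

# Usage (assumed OU):
# Export-ADGroupDocumentation -SearchBase 'OU=ChildOU,OU=ParentOU,DC=spurs,DC=local' -Recursive | Format-Table
```

Keeping a dated copy of Summary.csv and diffing it against the previous run is the cheapest way to spot unexpected changes to privileged group membership between reviews.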

GPO backup

No comments March 16th, 2010

When you take a System State backup of a DC, it includes a backup of your SYSVOL with all your GPOs. If a GPO gets corrupted or is accidentally deleted, you have to restore the System State to get the policy back. This operation is time consuming.

With the Group Policy Management Console (GPMC) you can take backups of your GPOs directly from the console (and even restore them), which is less time consuming than a System State restore.

Even better are the scripts that ship with the GPMC. With them you can, for example, schedule a regular backup of all GPOs.

I made a script that dumps the GPOs to a file share, using some of the scripts that came with the installation of the GPMC.

Download the GPMC here for Win2003.


' Backup all GPOs in the domain
' author: Rune Sørensen
' 14.04.2009 , v.1.0

' Save the script as a vbs file and run it once or create a scheduled task
' running the script.
' \\server\share should reflect your server name and share name

Dim fso, strPath, objShell, strExecuteBackup, strQueryBackups, strCreateReport

' File path to the share
strPath = "\\server\share\GPO_Backup\*"

Set fso = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("Wscript.Shell")

' Delete the last taken backup. The deletion statements are missing from the
' post as published; given the wildcard path above and the FileSystemObject,
' the previous backup folders (one {GUID} folder per GPO) and report files
' are removed here. Note that this leaves no backup at all if the new one
' fails, so consider keeping the previous run until the new one has completed.
On Error Resume Next
fso.DeleteFolder strPath, True
fso.DeleteFile strPath, True
On Error GoTo 0

strExecuteBackup = "cmd /c " & "cd %programfiles%\gpmc\scripts\ && cscript BackupAllGPOs.wsf \\server\share\GPO_Backup"

strQueryBackups = "cmd /c " & "cd %programfiles%\gpmc\scripts\ && cscript QueryBackupLocation.wsf \\server\share\GPO_Backup > \\server\share\GPO_Backup\BackupLocations.txt"

strCreateReport = "cmd /c " & "cd %programfiles%\gpmc\scripts\ && cscript GetReportsForAllGPOs.wsf \\server\share\GPO_Backup"

' Run each step hidden (window style 0) and wait for it to finish (True)
' before starting the next one, instead of sleeping a fixed number of seconds
' and hoping the backup has completed.
objShell.Run strExecuteBackup, 0, True
objShell.Run strQueryBackups, 0, True
objShell.Run strCreateReport, 0, True

Set objShell = Nothing
Set fso = Nothing

'''''''''''''''''''''' EOF '''''''''''
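On Windows Server 2008 R2 and later the GPMC scripts are superseded by the GroupPolicy PowerShell module, which makes the same scheduled job shorter and lets you keep several generations instead of deleting the previous backup before the new one exists. This is an added example, not the post's script: it assumes the GroupPolicy module (RSAT), and the share path, retention count and GPO name in the usage lines are placeholders.

```powershell
# Added example (not from the original post): scheduled GPO backup with the
# GroupPolicy module, one dated folder per run, an HTML settings report per
# GPO, and retention of the last N runs. Share path and KeepRuns are assumed.
Import-Module GroupPolicy

function Backup-AllGPOs {
    param(
        [string]$BackupRoot = '\\server\share\GPO_Backup',   # assumed share
        [int]$KeepRuns = 10                                  # assumed retention
    )
    $runFolder = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $runFolder -Force | Out-Null

    # Backup-GPO -All writes one {GUID} folder per GPO plus manifest.xml and
    # returns one GpoBackup object per GPO
    $backups = @(Backup-GPO -All -Path $runFolder -Comment "Scheduled backup $(Get-Date)")

    # A readable HTML report next to each backup makes later diffs and
    # "what did this policy contain on that date" questions easy to answer
    foreach ($b in $backups) {
        $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $b.GpoId -ReportType Html -Path (Join-Path $runFolder "$safeName.html")
    }

    # Retention: only after this run succeeded, drop the oldest run folders
    $runs = Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' } |
        Sort-Object Name
    if ($runs.Count -gt $KeepRuns) {
        $runs | Select-Object -First ($runs.Count - $KeepRuns) | Remove-Item -Recurse -Force
    }

    [pscustomobject]@{ Folder = $runFolder; GpoCount = $backups.Count }
}

# Usage (run as a scheduled task under an account that can read all GPOs and
# write to the share):
# Backup-AllGPOs -BackupRoot '\\server\share\GPO_Backup' -KeepRuns 10
#
# Restoring a single GPO from a given run (constructed folder name):
# Restore-GPO -Name 'Default Domain Policy' -Path '\\server\share\GPO_Backup\2024-01-01_0300'
```

Because the retention step runs last, a failed Backup-GPO leaves every earlier generation in place, which is the main operational difference from the delete-then-backup order of the VBScript above.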