?
Solved

Using vbscript to set "Protect object from accidental deletion" for AD group

Posted on 2011-09-29
3
Medium Priority
?
1,687 Views
Last Modified: 2012-05-12
Good morning.

I'm setting up a script to create groups in AD based on user input. How can I setup the script to put a checkmark in the box for "Protect this object from accidental deletion" on the Object tab for the properties of each group?

Thanks.
0
Comment
Question by:MortensonIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 36817464
I have not tested it by myself but you can try to  do it on one group for test (if you wish) and check if it works for you

Run this command on a DC in command-line

for /f "tokens=*" %i in ('dsquery group -name "GroupName"') do dsacls %i /d everyone:SDDT

For reference, you may wish to read this blog at
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx

Regards,
Krzysztof
0
 

Author Comment

by:MortensonIT
ID: 36817775
Nice. But, any way to do this without using dsacls? I'd like to run this from a vbscript that will be run on computer that don't necessarily have the dsacls functionality available.
0
 

Author Closing Comment

by:MortensonIT
ID: 36988285
I ended up using that command within a script -- wasn't quite what I was expecting, but it works. Running that command within this script was taking quite a long time, though, so, rather than have this run every time on every gruop within the OU each time (which could end up taking a long time, as this OU could contain thousands of groups eventually), I setup the script to check when was the last time that the group was created -- if within the last 7 days, then run the command (I did 7 days in case the server where this script is setup as a Scheduled Task was unavailable for some reason -- figured that 7 days would be plenty of time to make sure that the server was available):

Dim oWshShell                  'Windows Script Host Shell object
Set oWshShell = CreateObject("WScript.Shell")
Dim sAbsolutePath
sAbsolutePath = oWshShell.CurrentDirectory

dtm7DaysAgo = Date() - 7

Set objOU = GetObject("LDAP://ou=Test,dc=Acme,dc=com")
objOU.Filter = Array("Group")

For Each objGroup In objOU
      If objGroup.WhenCreated > dtmYesterday Or objGroup.WhenChanged > dtm7DaysAgo then
            sGroup = replace(objGroup.Name, "CN=", "")
            'wscript.echo sGroup & " - " & objGRoup.whencreated & " - " & objGroup.WhenChanged
            oWshShell.Run "%comspec% /c for /f ""tokens=*"" %i in ('dsquery group ""ou=test,dc=acme,dc=com"" -name " & sGroup & "') do dsacls %i /d everyone:SDDT"
      End If
Next
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question