Being the responsible and forward-thinking administrator that you are, you enabled Accidental Deletion Protection for your domain. But now you are frustrated that you have to jump through a few more hoops just to delete something that you really want to delete! After all, it is kind of silly for the domain administrator to get an Access Denied message in Active Directory!
To fix this, we are going to modify Active Directory Users and Computers and add a “Yes – I am really sure. Please delete this” button.
Step 1:
Launch MMC and load Active Directory Users and Computers as a snap-in (through the File menu). Save this custom ADUC console and create a new shortcut to it. From now on, this will be your default way into ADUC.
Step 2:
Select an OU, then go to Action – New Taskpad View. When going through the wizard, be sure to make this taskpad the default view for all windows.
Step 3:
Create a new task and select Shell Command. For the command, use "c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe". For the parameters, use -command "& 'C:\Scripts\DeleteforRealz.ps1'"
Here is the script that you should use:
Add-PSSnapin Quest.ActiveRoles.ADManagement
# Substring to match: every group whose name contains it will be deleted
$GroupName = Read-Host "What is the Suffix Group Name? EX: APP_Adobe Flash would delete all groups with APP_Adobe Flash in the name"
$Groups = Get-QADGroup "*$GroupName*"
foreach ($Group in $Groups) {
    # Remove the Deny ACEs (accidental deletion protection) so the delete is no longer Access Denied
    Get-QADPermission $Group -Deny | Remove-QADPermission
    Get-QADGroup $Group | Remove-QADObject
}
pause
As you can see, this script only deletes security groups. You can modify this script to search for other objects (like computers, users, OUs). It also makes use of the Quest AD cmdlets.
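The same "unprotect, then delete" task written with Microsoft's ActiveDirectory module instead of the Quest snap-in, as an added example that is not the post's script. It lists what the wildcard actually matched and asks for an explicit confirmation before anything is removed; the search base, object class and name pattern are placeholders for this illustration.

```powershell
# Added example: remove accidental-deletion protection and delete matching objects
# with the ActiveDirectory module (no Quest snap-in required).
Import-Module ActiveDirectory

$SearchBase  = 'OU=Groups,DC=example,DC=com'   # placeholder: OU to search under
$ObjectClass = 'group'                          # 'computer' or 'user' work the same way
$NamePattern = 'APP_Adobe Flash'                # substring to match, as in the post

# Ask AD for the protection flag explicitly; it is not in the default property set.
$ldap    = "(&(objectClass=$ObjectClass)(cn=*$NamePattern*))"
$objects = @(Get-ADObject -SearchBase $SearchBase -LDAPFilter $ldap `
                          -Properties ProtectedFromAccidentalDeletion)

if ($objects.Count -eq 0) { Write-Host "No $ObjectClass objects matched '*$NamePattern*'"; return }

# A substring match can pick up more objects than the operator had in mind,
# so show the full list before deleting any of it.
$objects | Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion |
    Format-Table -AutoSize

$answer = Read-Host "Delete the $($objects.Count) object(s) above? Type DELETE to continue"
if ($answer -cne 'DELETE') { Write-Host 'Nothing deleted.'; return }

foreach ($obj in $objects) {
    if ($obj.ProtectedFromAccidentalDeletion) {
        # Clears the Deny ACE (Everyone: Delete / Delete Subtree) that the ADUC
        # checkbox sets, which is what produces the Access Denied message.
        Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $false
    }
    # The operator already confirmed the whole list, so suppress the per-object prompt.
    Remove-ADObject -Identity $obj -Confirm:$false
    Write-Host "Deleted $($obj.DistinguishedName)"
}
```

Deleting a non-empty OU additionally needs Remove-ADObject -Recursive, and each protected child must be unprotected first.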
If you have any questions (or ways to improve this process), let me know in the comments below!
ahhh, I found it. At least for my case, I needed an additional parameter:
Get-QADPermission -Identity 'amer.globalcsc.net/Production/Workstations/Fsg/FSG TEST/Blythewood/MFEWELL-1' -Deny -Account Everyone -ApplyTo ThisObjectOnly -Inherited | Remove-QADPermission
Hi Jim – Thank you so much for sharing this!
I tried this, and it doesn't remove the permission. Watching it step by step in the PowerGUI script editor, it doesn't even highlight the piped command "Remove-QADPermission". I've tried adding -Inheritance to the Get-QADComputer feed to it, no joy. Yes, I am trying to delete a list of computers, some of which have the protected-from-accidental-deletion turned on. I don't think the GET is getting the permission (or is, but not passing it to remove).
Can you help?