One-Liner: Active Directory Protected Objects

This week I was asked how to get a list of Active Directory protected objects with PowerShell. Protected objects can't be deleted as they are critical to the health of Active Directory.

The easiest way I could think of is to use Get-ADObject with a specific LDAP filter.

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))"

Here's some output. Notice that high-privilege groups such as 'Account Operators' and 'Backup Operators' are included. The top two entries are the well-known GUIDs of the Group Policy containers that hold the Default Domain Policy and the Default Domain Controllers Policy.


The command can be executed against each naming context.

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" -SearchBase "CN=Configuration,DC=fabrikam,DC=com"

And so on for the remaining partitions:

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" -SearchBase "DC=ForestDNSZones,DC=fabrikam,DC=com"

Get-ADObject -LDAPFilter "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=2147483648))" -SearchBase "DC=DomainDNSZones,DC=fabrikam,DC=com"
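Rather than typing one command per partition, the same filter can be run over every naming context the domain controller hosts, taken from Get-ADRootDSE. This is an added example, not code from the original post; the Get-ADProtectedObject function name and the DisallowDelete sanity check are my own additions, and the value 2147483648 is the FLAG_DISALLOW_DELETE bit (0x80000000) used in the filter above.

```powershell
# Added example: list protected (FLAG_DISALLOW_DELETE) objects in every
# naming context hosted by the DC, instead of one command per partition.
Import-Module ActiveDirectory

function Get-ADProtectedObject {
    [CmdletBinding()]
    param(
        # Optional DC to query; defaults to the DC the AD module discovers.
        [string]$Server
    )

    # systemFlags bit 0x80000000 = FLAG_DISALLOW_DELETE (2147483648).
    # Kept as Int64 so string interpolation gives the positive value.
    $DisallowDelete = [int64]2147483648
    $Filter = "(&(objectcategory=*)(systemflags:1.2.840.113556.1.4.803:=$DisallowDelete))"

    $RootDseArgs = @{}
    if ($Server) { $RootDseArgs['Server'] = $Server }

    # namingContexts lists the domain, Configuration, Schema and DNS
    # application partitions held by this DC.
    $RootDse = Get-ADRootDSE @RootDseArgs

    foreach ($NamingContext in $RootDse.namingContexts) {
        $QueryArgs = @{
            LDAPFilter = $Filter
            SearchBase = $NamingContext
            Properties = 'systemFlags'
        }
        if ($Server) { $QueryArgs['Server'] = $Server }

        Get-ADObject @QueryArgs | ForEach-Object {
            [PSCustomObject]@{
                NamingContext     = $NamingContext
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                # AD stores systemFlags as a signed Int32, so the bit comes
                # back as a negative number; widen to Int64 before testing it.
                DisallowDelete    = (([int64]$_.systemFlags -band $DisallowDelete) -ne 0)
            }
        }
    }
}

# Usage: capture the list once and diff later runs against it, so a protected
# object that disappears or loses the flag stands out.
Get-ADProtectedObject | Sort-Object NamingContext, DistinguishedName | Format-Table -AutoSize
```

Because the DNS application partitions are only hosted by DNS-enabled DCs, run it against such a DC (or pass -Server) to see the ForestDNSZones and DomainDNSZones entries.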


Short and sweet this week!

Comments

  • Anonymous
    November 01, 2014
    Thanks