@ehmiiz
Last active October 22, 2024 14:14
Add PAD to DNS zones and other objects in AD using this function
```powershell
function Add-ADProtectionFromAccedentialDeletion {
    <#
    .NOTES
    Active Directory has a useful feature called "Protected from Accidental
    Deletion" (PAD).
    Only some of the AD GUIs and cmdlets expose it.
    PAD is simple: it denies "Delete" and "Delete Tree" to "Everyone".
    This function does the same.
    .EXAMPLE
    $MyImportantDNSZone = Get-DNSServerZone -Name 'Zone.org' | Select-Object -ExpandProperty DistinguishedName
    Add-ADProtectionFromAccedentialDeletion -TargetDN $MyImportantDNSZone
    #>
    param (
        [Parameter(Mandatory = $true)]
        [string]$TargetDN
    )

    Add-Type -AssemblyName System.DirectoryServices

    try {
        $adObject    = [ADSI]"LDAP://$TargetDN"
        $everyoneSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
        $rights      = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

        $accessRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $everyoneSID,                                                            # SID of Everyone
            $rights,                                                                 # Deny Delete and Delete Tree rights
            [System.Security.AccessControl.AccessControlType]::Deny,                 # Deny access
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,     # No inheritance
            [guid]::Empty
        )

        # Get the current security descriptor (ACL) for the object
        $acl = $adObject.ObjectSecurity

        # Add the new ACE (Deny Delete and Delete Tree to Everyone) to the ACL
        $acl.AddAccessRule($accessRule)

        # Commit the updated ACL back to the AD object
        $adObject.ObjectSecurity = $acl
        $adObject.CommitChanges()

        Write-Output "Successfully set 'Deny' for Delete and Delete Tree for Everyone on $TargetDN with no inheritance."
    } catch {
        Write-Error "Failed to set 'Deny' ACE: $_"
    }
}
```
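A companion check, added here as an example and not part of the gist: it reads the object's ACL the same way the function above does and reports whether the explicit Deny ACE for Everyone (S-1-1-0) covering Delete and DeleteTree is present, so you can audit zones before and after applying the function. The function name `Test-ADProtectionFromAccidentalDeletion` and the trailing zone audit are assumptions for illustration.

```powershell
function Test-ADProtectionFromAccidentalDeletion {
    <#
    .SYNOPSIS
    Returns $true when the object carries an explicit Deny ACE for Everyone
    that covers both Delete and DeleteTree (the ACE the Add-* function writes).
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$TargetDN
    )

    Add-Type -AssemblyName System.DirectoryServices

    $adObject = [ADSI]"LDAP://$TargetDN"
    $acl      = $adObject.ObjectSecurity
    $required = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    # Explicit ACEs only (second argument $false): a Deny inherited from the
    # parent does not mean this particular object is protected.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        if ($rule.IdentityReference.Value -ne 'S-1-1-0') { continue }   # Everyone
        # The ACE must contain the whole Delete|DeleteTree mask; a Deny of
        # only one of the two rights is not counted as protection.
        if (($rule.ActiveDirectoryRights -band $required) -eq $required) {
            return $true
        }
    }
    return $false
}

# Assumed usage: list the AD-integrated zones on the local DNS server that
# still lack the protective ACE, so they can be handed to the Add-* function.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Where-Object { -not (Test-ADProtectionFromAccidentalDeletion -TargetDN $_.DistinguishedName) } |
    Select-Object ZoneName, DistinguishedName
```

Both functions deal only with the ACE on the object itself; the "Protect object from accidental deletion" checkbox in Active Directory Users and Computers additionally writes a Deny "Delete All Child Objects" ACE for Everyone on the parent container, which this check does not look for.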