PowerShell, LDIFDE, CSVDE and Protection from Accidental Deletion

When you build test environments regularly, at some point you'll want to fill your Active Directory quickly. If, for instance, you have a data set with Organizational Units (OUs), user accounts and groups, you'll want to quickly import this data. If, on the other hand, in your business you're allowed to use the user information from a production Active Directory environment in your test environment, you might even opt to export and import this information.

Besides restoring backups from Domain Controllers to the test environment, Microsoft offers three tools to import exported data:

    - Import-CSV & New-ADOrganizationalUnit
    - Csvde.exe
    - Ldifde.exe

From the surface, these three tools seem to enable you to achieve the same goal, but they don't. The end result after importing and exporting data is not the same between these three tools.

When you use the New-ADOrganizationalUnit PowerShell Cmdlet (together with the Import-CSV Cmdlet in this case) in a script, unless you specify otherwise, the created Organizational Units will be protected from accidental deletion.

When you use ldifde.exe or csvde.exe tool to (export and) import Organizational Units (OUs), these OUs will be created without protection from accidental deletion.

Protection from accidental deletion looks like a simple checkmark in the properties of an Active Directory object, but it's not. Underlying is a set of ACLs that prevent anyone from deleting the object. But since PowerShell has the logic inside for Protection from accidental deletion, to fix the newly created Organizational Units, use the following PowerShell one-liner:

• Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true