diff --git a/Examples/DeleteComputersWithMoveAndEmail.ps1 b/Examples/DeleteComputersWithMoveAndEmail.ps1
index 0d24258..b623446 100644
--- a/Examples/DeleteComputersWithMoveAndEmail.ps1
+++ b/Examples/DeleteComputersWithMoveAndEmail.ps1
@@ -75,7 +75,7 @@
 $invokeADComputersCleanupSplat = @{
 WhatIfMove = $true
 WhatIfDelete = $true
 ShowHTML = $true
-
+ RemoveProtectedFromAccidentalDeletionFlag = $true
 DontWriteToEventLog = $true
 }
diff --git a/Private/Disable-WinADComputer.ps1 b/Private/Disable-WinADComputer.ps1
index 09f5d87..ca2ed70 100644
--- a/Private/Disable-WinADComputer.ps1
+++ b/Private/Disable-WinADComputer.ps1
@@ -5,10 +5,29 @@
 [switch] $WhatIfDisable,
 [switch] $DontWriteToEventLog,
 [PSCustomObject] $Computer,
- [string] $Server
+ [string] $Server,
+ [switch] $RemoveProtectedFromAccidentalDeletionFlag
 )
 if ($Success) {
- if ($Computer.Enabled -eq $true) {
+ if ($RemoveProtectedFromAccidentalDeletionFlag -and $Computer.ProtectedFromAccidentalDeletion) {
+ try {
+ Write-Color -Text "[i] Removing protected from accidental deletion flag for computer ", $Computer.DistinguishedName, ' DN: ', $Computer.DistinguishedName, ' Enabled: ', $Computer.Enabled, ' Operating System: ', $Computer.OperatingSystem, ' LastLogon: ', $Computer.LastLogonDate, " / " , $Computer.LastLogonDays , ' days, PasswordLastSet: ', $Computer.PasswordLastSet, " / ", $Computer.PasswordLastChangedDays, " days" -Color Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green
+ Set-ADObject -ProtectedFromAccidentalDeletion $false -Identity $Computer.DistinguishedName -Server $Server -ErrorAction Stop -Confirm:$false -WhatIf:$WhatIfDisable
+ if (-not $DontWriteToEventLog) {
+ Write-Event -ID 15 -LogName 'Application' -EntryType Warning -Category 1000 -Source 'CleanupComputers' -Message "Removing protected from accidental deletion flag for computer $($Computer.SamAccountName) successful." -AdditionalFields @('RemoveProtection', $Computer.SamAccountName, $Computer.DistinguishedName, $Computer.Enabled, $Computer.OperatingSystem, $Computer.LastLogonDate, $Computer.PasswordLastSet, $WhatIfDisable) -WarningAction SilentlyContinue -WarningVariable warnings
+ }
+ } catch {
+ $Success = $false
+ Write-Color -Text "[-] Removing protected from accidental deletion flag for computer ", $Computer.DistinguishedName, " (WhatIf: $($WhatIfDisable.IsPresent)) failed. 
Error: $($_.Exception.Message)" -Color Yellow, Red, Yellow
+ if (-not $DontWriteToEventLog) {
+ Write-Event -ID 15 -LogName 'Application' -EntryType Error -Category 1000 -Source 'CleanupComputers' -Message "Removing protected from accidental deletion flag for computer $($Computer.SamAccountName) failed." -AdditionalFields @('RemoveProtection', $Computer.SamAccountName, $Computer.DistinguishedName, $Computer.Enabled, $Computer.OperatingSystem, $Computer.LastLogonDate, $Computer.PasswordLastSet, $WhatIfDisable, $($_.Exception.Message)) -WarningAction SilentlyContinue -WarningVariable warnings
+ }
+ foreach ($W in $Warnings) {
+ Write-Color -Text "[-] ", "Warning: ", $W -Color Yellow, Cyan, Red
+ }
+ }
+ }
+ if ($Success -and $Computer.Enabled -eq $true) {
 Write-Color -Text "[i] Disabling computer ", $Computer.SamAccountName, ' DN: ', $Computer.DistinguishedName, ' Enabled: ', $Computer.Enabled, ' Operating System: ', $Computer.OperatingSystem, ' LastLogon: ', $Computer.LastLogonDate, " / " , $Computer.LastLogonDays , ' days, PasswordLastSet: ', $Computer.PasswordLastSet, " / ", $Computer.PasswordLastChangedDays, " days" -Color Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green
 try {
 if ($Computer.DistinguishedNameAfterMove) {
diff --git a/Private/Request-ADComputersDisable.ps1 b/Private/Request-ADComputersDisable.ps1
index 70b261e..99b3d42 100644
--- a/Private/Request-ADComputersDisable.ps1
+++ b/Private/Request-ADComputersDisable.ps1
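Review bot: Nothing in the new code restores the flag once the `Set-ADObject` line has cleared ProtectedFromAccidentalDeletion, so a failure in the disable that follows (`if ($Success -and $Computer.Enabled -eq $true)`) or in a later move leaves the object permanently unprotected, and because the removal now happens at disable time the safeguard is presumably gone for the whole period before the actual deletion rather than only at the moment of deleting. Consider re-applying the flag in the disable failure path (the `catch` for the disable is outside this hunk) or deferring the removal to the delete step, and state the exposure in the parameter help. Separately, `foreach ($W in $Warnings)` runs even when `-DontWriteToEventLog` skipped the `Write-Event` that defines `warnings`, so under `Set-StrictMode` the catch block itself throws; initialise it with `$warnings = $null` before the `try`. The first `Write-Color` also prints `$Computer.DistinguishedName` twice where the disable message below prints `$Computer.SamAccountName` followed by the DN. Disable-WinADComputer's param block and body continue outside the hunk.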
@@ -49,11 +49,11 @@
 } else {
 $Success = $true
 if ($DisableAndMoveOrder -eq 'DisableAndMove') {
- $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server
+ $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
 $Success = Move-WinADComputer -Success $Success -DisableAndMove $DisableAndMove -OrganizationalUnit $OrganizationalUnit -Computer $Computer -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
 } else {
 $Success = Move-WinADComputer -Success $Success -DisableAndMove $DisableAndMove -OrganizationalUnit $OrganizationalUnit -Computer $Computer -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
- $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server
+ $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
 }
 if ($Success) {
 if ($DisableModifyDescription -eq $true) {
diff --git a/Public/Invoke-ADComputersCleanup.ps1 b/Public/Invoke-ADComputersCleanup.ps1
index 0303d48..87b2714 100644
--- a/Public/Invoke-ADComputersCleanup.ps1
+++ b/Public/Invoke-ADComputersCleanup.ps1
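Review bot: Both `Disable-WinADComputer` and `Move-WinADComputer` now receive `-RemoveProtectedFromAccidentalDeletionFlag` for the same `$Computer` in each branch of the `DisableAndMoveOrder` test, but Disable-WinADComputer never updates the in-memory `$Computer.ProtectedFromAccidentalDeletion` after clearing it, so if Move-WinADComputer gates on the same property (its body is not in this diff) the second call repeats the `Set-ADObject` write and a second event-log entry for an object that is already unprotected. Clearing the property after a non-WhatIf success in Disable-WinADComputer, `if (-not $WhatIfDisable) { $Computer.ProtectedFromAccidentalDeletion = $false }`, would make the second call a no-op and keep the log honest. The switch appears to be declared already, since the unchanged Move calls used `.IsPresent` before this change, but Request-ADComputersDisable starts and ends outside the hunk so that cannot be confirmed here.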
@@ -394,7 +394,7 @@
 This feature is only nessecary if you have specific requirments per domain/forest rather than using the automatic detection.
 .PARAMETER RemoveProtectedFromAccidentalDeletionFlag
- Remove the ProtectedFromAccidentalDeletion flag from the computer object before deleting it.
+ Remove the ProtectedFromAccidentalDeletion flag from the computer object before disabling, moving, or deleting it.
 By default it will not remove the flag, and require it to be removed manually.
 .PARAMETER ADQueryMaxRetries
diff --git a/Tests/Disable-WinADComputer.Tests.ps1 b/Tests/Disable-WinADComputer.Tests.ps1
new file mode 100644
index 0000000..f6f4b0d
--- /dev/null
+++ b/Tests/Disable-WinADComputer.Tests.ps1
@@ -0,0 +1,28 @@
+Describe 'Disable-WinADComputer' {
+ BeforeAll {
+ . "$PSScriptRoot/../Private/Disable-WinADComputer.ps1"
+ }
+
+ It 'removes ProtectedFromAccidentalDeletion when requested' {
+ $computer = [pscustomobject]@{
+ SamAccountName = 'TEST$'
+ DistinguishedName = 'CN=Test,CN=Computers,DC=example,DC=com'
+ Enabled = $true
+ OperatingSystem = 'Windows'
+ LastLogonDate = Get-Date
+ LastLogonDays = 0
+ PasswordLastSet = Get-Date
+ PasswordLastChangedDays = 0
+ ProtectedFromAccidentalDeletion = $true
+ }
+ $global:FlagRemoved = $false
+ function Set-ADObject { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) $global:FlagRemoved = $true }
+ function Disable-ADAccount { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) }
+ function Write-Color { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) }
+ function Write-Event { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) }
+
+ Disable-WinADComputer -Success $true -Computer $computer -Server 'server' -WhatIfDisable:$false -DontWriteToEventLog -RemoveProtectedFromAccidentalDeletionFlag
+ $global:FlagRemoved | Should -Be $true
+ }
+}
+
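Review bot: The test in Tests/Disable-WinADComputer.Tests.ps1 asserts only the positive case through `$global:FlagRemoved`, so a regression that clears the flag unconditionally (switch omitted, or `ProtectedFromAccidentalDeletion = $false` on the object) would still pass, and the global variable and the four stub functions defined inside the `It` block are never removed and leak into the session that runs the tests. Moving the stubs and the `$computer` fixture into `BeforeAll`/`BeforeEach` and replacing the global with Pester's `Mock Set-ADObject {}` plus `Should -Invoke Set-ADObject -Times 1 -Exactly` keeps the state scoped to the test, and a second `It` that omits the switch and asserts `-Times 0` pins the gating in Disable-WinADComputer's `if ($RemoveProtectedFromAccidentalDeletionFlag -and ...)` line. Whether `-WhatIfDisable` reaches `Set-ADObject` as `-WhatIf` is also untested; a `-ParameterFilter { $WhatIf }` on that mock would cover it. The `Disable-ADAccount` stub implies the disable path runs after the flag removal, which the Disable-WinADComputer hunk in this diff does not show.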