feat: remove protection flag before disabling computers

Examples/DeleteComputersWithMoveAndEmail.ps1

@@ -75,7 +75,7 @@ $invokeADComputersCleanupSplat = @{
     WhatIfMove                          = $true
     WhatIfDelete                        = $true
     ShowHTML                            = $true
-
+    RemoveProtectedFromAccidentalDeletionFlag = $true
     DontWriteToEventLog                 = $true
 }
 

Private/Disable-WinADComputer.ps1

@@ -5,10 +5,29 @@
         [switch] $WhatIfDisable,
         [switch] $DontWriteToEventLog,
         [PSCustomObject] $Computer,
-        [string] $Server
+        [string] $Server,
+        [switch] $RemoveProtectedFromAccidentalDeletionFlag
     )
     if ($Success) {
-        if ($Computer.Enabled -eq $true) {
+        if ($RemoveProtectedFromAccidentalDeletionFlag -and $Computer.ProtectedFromAccidentalDeletion) {
+            try {
+                Write-Color -Text "[i] Removing protected from accidental deletion flag for computer ", $Computer.DistinguishedName, ' DN: ', $Computer.DistinguishedName, ' Enabled: ', $Computer.Enabled, ' Operating System: ', $Computer.OperatingSystem, ' LastLogon: ', $Computer.LastLogonDate, " / " , $Computer.LastLogonDays , ' days, PasswordLastSet: ', $Computer.PasswordLastSet, " / ", $Computer.PasswordLastChangedDays, " days" -Color Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green
+                Set-ADObject -ProtectedFromAccidentalDeletion $false -Identity $Computer.DistinguishedName -Server $Server -ErrorAction Stop -Confirm:$false -WhatIf:$WhatIfDisable
+                if (-not $DontWriteToEventLog) {
+                    Write-Event -ID 15 -LogName 'Application' -EntryType Warning -Category 1000 -Source 'CleanupComputers' -Message "Removing protected from accidental deletion flag for computer $($Computer.SamAccountName) successful." -AdditionalFields @('RemoveProtection', $Computer.SamAccountName, $Computer.DistinguishedName, $Computer.Enabled, $Computer.OperatingSystem, $Computer.LastLogonDate, $Computer.PasswordLastSet, $WhatIfDisable) -WarningAction SilentlyContinue -WarningVariable warnings
+                }
+            } catch {
+                $Success = $false
+                Write-Color -Text "[-] Removing protected from accidental deletion flag for computer ", $Computer.DistinguishedName, " (WhatIf: $($WhatIfDisable.IsPresent)) failed. Error: $($_.Exception.Message)" -Color Yellow, Red, Yellow
+                if (-not $DontWriteToEventLog) {
+                    Write-Event -ID 15 -LogName 'Application' -EntryType Error -Category 1000 -Source 'CleanupComputers' -Message "Removing protected from accidental deletion flag for computer $($Computer.SamAccountName) failed." -AdditionalFields @('RemoveProtection', $Computer.SamAccountName, $Computer.DistinguishedName, $Computer.Enabled, $Computer.OperatingSystem, $Computer.LastLogonDate, $Computer.PasswordLastSet, $WhatIfDisable, $($_.Exception.Message)) -WarningAction SilentlyContinue -WarningVariable warnings
+                }
+                foreach ($W in $Warnings) {
+                    Write-Color -Text "[-] ", "Warning: ", $W -Color Yellow, Cyan, Red
+                }
+            }
+        }
+        if ($Success -and $Computer.Enabled -eq $true) {
             Write-Color -Text "[i] Disabling computer ", $Computer.SamAccountName, ' DN: ', $Computer.DistinguishedName, ' Enabled: ', $Computer.Enabled, ' Operating System: ', $Computer.OperatingSystem, ' LastLogon: ', $Computer.LastLogonDate, " / " , $Computer.LastLogonDays , ' days, PasswordLastSet: ', $Computer.PasswordLastSet, " / ", $Computer.PasswordLastChangedDays, " days" -Color Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green, Yellow, Green
             try {
                 if ($Computer.DistinguishedNameAfterMove) {

Private/Request-ADComputersDisable.ps1

@@ -49,11 +49,11 @@
             } else {
                 $Success = $true
                 if ($DisableAndMoveOrder -eq 'DisableAndMove') {
-                    $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server
+                    $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
                     $Success = Move-WinADComputer -Success $Success -DisableAndMove $DisableAndMove -OrganizationalUnit $OrganizationalUnit -Computer $Computer -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
                 } else {
                     $Success = Move-WinADComputer -Success $Success -DisableAndMove $DisableAndMove -OrganizationalUnit $OrganizationalUnit -Computer $Computer -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
-                    $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server
+                    $Success = Disable-WinADComputer -Success $Success -WhatIfDisable:$WhatIfDisable -DontWriteToEventLog:$DontWriteToEventLog -Computer $Computer -Server $Server -RemoveProtectedFromAccidentalDeletionFlag:$RemoveProtectedFromAccidentalDeletionFlag.IsPresent
                 }
                 if ($Success) {
                     if ($DisableModifyDescription -eq $true) {

Public/Invoke-ADComputersCleanup.ps1

@@ -394,7 +394,7 @@
     This feature is only nessecary if you have specific requirments per domain/forest rather than using the automatic detection.
 
     .PARAMETER RemoveProtectedFromAccidentalDeletionFlag
-    Remove the ProtectedFromAccidentalDeletion flag from the computer object before deleting it.
+    Remove the ProtectedFromAccidentalDeletion flag from the computer object before disabling, moving, or deleting it.
     By default it will not remove the flag, and require it to be removed manually.
 
     .PARAMETER ADQueryMaxRetries

Tests/Disable-WinADComputer.Tests.ps1

@@ -0,0 +1,28 @@
+Describe 'Disable-WinADComputer' {
+    BeforeAll {
+        . "$PSScriptRoot/../Private/Disable-WinADComputer.ps1"
+    }
+
+    It 'removes ProtectedFromAccidentalDeletion when requested' {
+        $computer = [pscustomobject]@{
+            SamAccountName                   = 'TEST$'
+            DistinguishedName                = 'CN=Test,CN=Computers,DC=example,DC=com'
+            Enabled                          = $true
+            OperatingSystem                  = 'Windows'
+            LastLogonDate                    = Get-Date
+            LastLogonDays                    = 0
+            PasswordLastSet                  = Get-Date
+            PasswordLastChangedDays          = 0
+            ProtectedFromAccidentalDeletion  = $true
+        }
+        $global:FlagRemoved = $false
+        function Set-ADObject { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) $global:FlagRemoved = $true }
+        function Disable-ADAccount { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) }
+        function Write-Color { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) }
+        function Write-Event { param([Parameter(ValueFromRemainingArguments)][object[]]$Args) }
+
+        Disable-WinADComputer -Success $true -Computer $computer -Server 'server' -WhatIfDisable:$false -DontWriteToEventLog -RemoveProtectedFromAccidentalDeletionFlag
+        $global:FlagRemoved | Should -Be $true
+    }
+}
+