PowerShell, LDIFDE, CSVDE and Protection from Accidental Deletion

Reading Time: 2 minutes

Import Data into Active DirectoryWhen you build test environments regularly, at some point you’ll want to fill your Active Directory quickly. If, for instance, you have a data set with Organizational Units (OUs), user accounts and groups, you’ll want to quickly import this data. If, on the other hand, in your business you’re allowed to use the user information from a production Active Directory environment in your test environment, you might even opt to export and import this information.

Besides restoring backups from Domain Controllers to the test environment, Microsoft offers three tools to import exported data:

  • Import-CSV & New-ADOrganizationalUnit
  • Csvde.exe
  • Ldifde.exe

From the surface, these three tools seem to enable you to achieve the same goal, but they don’t. The end result after importing and exporting data is not the same between these three tools.

When you use the New-ADOrganizationalUnit PowerShell Cmdlet (together with the Import-CSV Cmdlet in this case) in a script, unless you specify otherwise, the created Organizational Units will be protected from accidental deletion.

When you use ldifde.exe or csvde.exe tool to (export and) import Organizational Units (OUs), these OUs will be created without protection from accidental deletion.

The Active Directory Best Practices Analyzer will display a warning when not all Organizational Units (OUs) are protected from accidental deletion.
More info

Protection from accidental deletion looks like a simple checkmark in the properties of an Active Directory object, but it’s not. Underlying is a set of ACLs that prevent anyone from deleting the object. But since PowerShell has the logic inside for Protection from accidental deletion, to fix the newly created Organizational Units, use the following PowerShell one-liner:

Get-ADOrganizationalUnit -filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true



With new functionality in new Operating Systems and Active Directory levels, don’t expect the old tooling you’ve learned to trust and love, to be updated.

Related Posts

Preventing OUs and Containers from Accidental Deletion

Further reading

Protect an Organizational Unit from Accidental Deletion
All OUs in this domain should be protected from accidental deletion
Protect Objects from accidential deletion
Protecting OU from accidental deletion
Protection from Accidental Deletion
Windows Server 2008 Protection from Accidental Deletion

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.