Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

How to Delete a Protected OU in Active Directory

As your organization’s logical layout changes, you may need to delete OUs in Active Directory (AD) from your domain controllers. In this post, we’ll show you two different ways to delete protected OUs (Organizational Units) and what minor roadblocks you may come across while doing so.

Why you cannot delete protected OU in Active Directory

There are two main situations where the deletion of an organizational unit in just one step isn’t possible.

Protection from accidental deletion is enabled

When you try to delete an OU in Active Directory Users and Computers (ADUC), you may run into the following error message telling you that you don’t have sufficient privileges to delete Domain Windows Computers, or that the object is protected from accidental deletion. I’ll explain how to circumvent this limitation later.

You are unable an organizational unit if the accidental deletion flag is enabled — You are unable to delete an OU/container if the flag is enabled

An OU is referred to as a ‘default’ OU

The second situation that may prevent you from deleting an OU/ is when you’re trying to delete is what’s referred to as a ‘default’ OU. These are OUs that were either installed as default when Active Directory Domain Services (AD DS) was installed and configured (Computers, Users), or were modified to carry the ‘default’ attribute post-installation.

The Delete option is hidden for specific OUs that are designated to NOT be removed — The ‘Delete’ option is hidden for specific OUs/containers that are designated to NOT be removed

You should also make sure that you’re seeing ‘all’ the objects in your directory – Click View in ADUC and make sure Advanced Features is checked.

Delete a protected OU in Active Directory in 3 easy steps

The process to delete a protected OU in Active Directory is straightforward. Here are the steps you need to follow.

Open Active Directory Users and Computers, right-click on the OU you wish to delete and click Properties.
Click the Object tab and clear the ‘Protect object from accidental deletion,’ then click OK.

We can get rid of the organizational unit after clearing the 'Protect object from accidental deletion' flag — We’re on the way to being able to delete our OU after clearing the ‘Protect object from accidental deletion’ flag

Right-click on the OU, click Delete, and click Yes. Voila! The protected OU is no more.

Delete a protected OU in Active Directory using PowerShell

I’m always looking for ways to boost my efficiency as an IT Pro, especially with PowerShell. We previously covered how to move and delete Active Directory OUs with PowerShell on Petri, but let me show you how to use PowerShell to remove a protected OUs in one fell swoop.

For this example, we’ll be removing our protected ‘Member Computers’ OU with three PowerShell commands:

The first cmdlet we’ll use, Get-ADOrganizationlUnit, identifies the specific OU and holds it in memory, so to speak.
The second cmdlet, Set-ADObject, removes the flag for ‘Protect object from accidental deletion.’
The final cmdlet, Remove-ADOrganizationalUnit, deletes the OU and suppresses any confirmation prompts. Incidentally, the ‘-PassThru‘ switch tells the final cmdlet to reference the object already specified (our OU).

Get-ADOrganizationalUnit -identity "OU=Member Computers,DC=Reinders,DC=local" | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false

We use 3 PowerShell commands to delete the 'Member Computers' OU. — PowerShell cmdlets to remove the ‘Member Computers’ OU

After the command is run and we’ve made a refresh in ADUC, the ‘Member Computers’ OU is history!

We've now deleted the 'Member Computers' OU with our PowerShell commands — The ‘Member Computers’ OU is now gone

Summary

We’ve just explained a few scenarios many IT pros can run into on a daily basis when trying to remove OUs from Active Directory. We’ve described the two most prevalent reasons you may run into when trying to delete protected OUs, and we described two different methods you can use to get the job done.

Please let me know if you have any questions or comments by leaving one below. Thank you for reading!

Table of contents

by Michael Reinders
Jun 8, 2022

Michael has been an 'IT Pro' since 1998. He has worked predominantly in the Windows world including client and server operating systems, on-prem systems engineering (AD, DNS, etc.), and over the last ten years or so has embraced and immersed himself ...

Petri.com’s New Active Directory Outage and Disaster Recovery Survey

Feb 15, 2024
Apr 16, 2024
Essential Guide to Mastering Get-ADGroupMember (AD User Management)

Oct 12, 2023
Get-ADComputer: The PowerShell Command for Managing Active Directory Computers

Nov 15, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.