One of the major headaches when dealing with Active Directory is the issue of accidental deletion of objects by untrained or malicious people. Of course, one must have the right permissions in Active Directory to be able to delete any object from it, but this does happen now and then. For example, you might want to delete one object but instead select another one and, without giving it a second thought, press Delete. You might delete an entire organizational unit (OU) with all the nested objects in it, and not pay attention to the two warning windows that ask you if you’re sure you want to perform that task.
Another problem might be caused by accidentally moving an OU with all its nested objects to another OU, just by pressing the mouse button and moving the mouse less than a centimeter (this is most common with laptops being used as management stations, whose tiny touch pads make moving the mouse a long distance a bit more challenging than with a regular mouse).
Thing is, I have had to recover more than a few Active Directory objects or OUs over the past years, and every time it was because of an accidental deletion. I looked for a way to help me protect objects and OUs in Active Directory; even if it was not bulletproof, it could at least give me another means to control what my administrators were doing.
Remember, being an administrator, and even more so a member of the Domain Admins, Enterprise Admins or Schema Admins groups, is considered a trusted position. If you don’t trust the person doing the job, don’t give him or her the job. The method outlined here will not stop a malicious or a specially gifted and lame administrator from causing harm. It will stop YOU or them from accidentally performing a delete operation, but it can be easily bypassed by an administrator with the right permissions.
Note: This article is specifically written for Windows Server 2003-based Active Directory and Domain Controllers. In Windows Server 2008 a new GUI option was added; you can read more about it in the Windows Server 2008 section.
In order to protect these objects from accidental deletion you need to dive into the permissions of the specific object or organizational unit (OU) in Active Directory. You can use this procedure to add the following access control entries (ACEs):
This protects an OU from accidental deletion. When a user tries to delete the protected object, the operation returns an error that indicates access is denied.
Note: In case you need to restore a deleted object I suggest you read my “How to Restore Windows Server 2003 Active Directory” and “Recovering Deleted Items in Active Directory” articles.
To protect an OU from accidental bulk deletion follow these steps:
Note: The Security tab is not displayed by default. To see it you need to close the property sheet, and in the ADUC View menu, select Advanced Features.
Now, try to delete the OU. You’ll get an Access Denied prompt.
Warning: Try the deletion action at your own risk, don’t come crying to me if you accidentally deleted your entire company’s users. This tip works, it worked for me, it works for everyone, but I cannot guarantee that you followed my instructions precisely.
Another warning: If you do try to see whether it works for you or not, do it on a test OU that you’ve created for this purpose first. Also, make sure you have a good backup of your Active Directory. Read my “How to Backup Windows Server 2003 Active Directory” article for more info.
To remove the protection, remove the Deny ACEs that you added for the Everyone group.
If you want to use DSACLS to protect an OU you can use the following command:
dsacls "ou=Company Users,dc=mydomain,dc=com" /d Everyone:SDDT
If you want to protect your entire OU structure you could use the following command:
for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d Everyone:SDDT
Note: This command will process EVERY organizational unit in the Active Directory domain. If you just want to protect certain levels, you need to change the dsquery command.
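As an added example (not part of the original article), the batch script below limits the protection to one OU subtree instead of the whole domain, then checks the Deny ACEs on the base OU. It assumes the same sample DN the article uses ("ou=Company Users,dc=mydomain,dc=com"); change it to the top of the subtree you want to protect. Because it is a batch file, the for-variable is written %%i rather than the %i used on the command line.

```batch
@echo off
rem Added example, not from the original article: protect one OU subtree
rem rather than every OU in the domain, then verify the result.
setlocal
rem Sample DN from the article; replace with your own base OU.
set "BASE=ou=Company Users,dc=mydomain,dc=com"

rem dsquery ou with a start node and -scope subtree returns the base OU and
rem every OU nested under it, one quoted DN per line. Use -scope onelevel to
rem cover only the base OU's direct children, or -scope base for the base OU
rem alone. -limit 0 lifts the default 100-result cap.
for /f "tokens=*" %%i in ('dsquery ou "%BASE%" -scope subtree -limit 0') do (
    echo Protecting %%i
    rem /d = Deny ACE; SD = Delete, DT = Delete Subtree, for the Everyone group.
    rem dsacls echoes the full ACL after the change, so its output is hidden.
    dsacls %%i /d Everyone:SDDT >nul
)

rem Verification: dump the ACL of the base OU and show only the lines that
rem mention Everyone. A Deny entry should now be among them.
echo.
echo Everyone ACEs on "%BASE%":
dsacls "%BASE%" | findstr /i /c:"Everyone"
endlocal
```

To undo the protection for this subtree, as the article notes, remove the Deny ACEs added for Everyone; re-run the verification line afterwards to confirm they are gone.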