Secure Active Directory Objects in Windows Server 2008/R2 ADUC
It's true that by using a proper backup procedure it is possible to restore these objects. It's also true that you can use manual restore procedures such as the one in my Recovering Deleted Items in Active Directory article. However, I'm sure you'll gladly agree that it's best not to put yourself in that position in the first place.
Luckily for us, in Windows Server 2008 and Windows Server 2008 R2, Microsoft has introduced a new option designed to protect Active Directory objects from being accidentally deleted. The option to protect objects from accidental deletion is available for all objects that are manageable through Active Directory Users and Computers (ADUC), and is enabled by default when you create a new OU.
Let's see an example. I will create an OU and select the "Protect container from accidental deletion":
Next, I will attempt to delete the object:
As you can see, I failed to delete the object and received the following error message:
So how does this work?
By selecting the Protect container from accidental deletion option, an Access Control Entry (ACE) is added to the Access Control List (ACL) on the object, protecting it from accidental deletion. In order to view the ACL for the protected object, we need to change the view in ADUC so that it shows the Advanced Features.
Look at the object's security tab:
Click on the Advanced button, then select the entry for "Everyone" and click "Edit":
The ACE that is added is a "Deny" entry for the Everyone group, and it denies the Delete and Delete Subtree permissions on ACL of the object.
Important: Please note that by default, the accidental deletion protection is enabled by default ONLY for Organization Units (OUs), and NOT for user objects. This means that if you attempt to delete one or more user objects, even if you're located inside a protected OU, you will succeed:
In order to protect user, group or computer objects from accidental deletion, you must MANUALLY enable this option in the object's properties. Change the view in ADUC so that it shows the Advanced Features, open the object's properties window, and click on the"Object" tab. There you can select the accidental deletion protection option.
When selected, if you attempt to delete the object, you'll get this message:
In order to delete the object, you must first disable the accidental deletion protection by deselecting the "Protect object from accidental deletion" option. This is done on the Object tab of the object in ADUC. If not enabled, change the view in ADUC so that it shows the Advanced Features, open the object's properties window, and click on the "Object" tab.
By deselecting this option, you are removing the previously mentioned Deny ACE from the ACL of the object, and by doing so you allow the deletion of the object.