Skip to main content

Secure Active Directory Objects in Windows Server 2008/R2 ADUC

It's true that by using a proper backup procedure it is possible to restore these objects. It's also true that you can use manual restore procedures such as the one in my Recovering Deleted Items in Active Directory article. However, I'm sure you'll gladly agree that it's best not to put yourself in that position in the first place.
Luckily for us, in Windows Server 2008 and Windows Server 2008 R2, Microsoft has introduced a new option designed to protect Active Directory objects from being accidentally deleted. The option to protect objects from accidental deletion is available for all objects that are manageable through Active Directory Users and Computers (ADUC), and is enabled by default when you create a new OU.
Let's see an example. I will create an OU and select the "Protect container from accidental deletion":
ADUC: Protect container when creating new OU
Next, I will attempt to delete the object:
ADUC: OU protected from accidental deletion
ADUC: OU protected from accidental deletion
As you can see, I failed to delete the object and received the following error message:
ADUC: OU protected from accidental deletion
So how does this work?
By selecting the Protect container from accidental deletion option, an Access Control Entry (ACE) is added to the Access Control List (ACL) on the object, protecting it from accidental deletion. In order to view the ACL for the protected object, we need to change the view in ADUC so that it shows the Advanced Features.
Select "Advanced Features" to view Access Control Entry the protected object
Look at the object's security tab:
View Access Control Entry (ACE) for the protected object
Click on the Advanced button, then select the entry for "Everyone" and click "Edit":
Advanced security settings for new OU
The ACE that is added is a "Deny" entry for the Everyone group, and it denies the Delete and Delete Subtree permissions on ACL of the object.
Important: Please note that by default, the accidental deletion protection is enabled by default ONLY for Organization Units (OUs), and NOT for user objects. This means that if you attempt to delete one or more user objects, even if you're located inside a protected OU, you will succeed:
Default deletion protection only affects OUs, NOT user objects
Default deletion protection only affects OUs, NOT user objects
Default deletion protection only affects OUs, NOT user objects
In order to protect user, group or computer objects from accidental deletion, you must MANUALLY enable this option in the object's properties. Change the view in ADUC so that it shows the Advanced Features, open the object's properties window, and click on the"Object" tab. There you can select the accidental deletion protection option.
Manually enable deletion protection on user, group or computer objects
When selected, if you attempt to delete the object, you'll get this message:
Object is protected from accidental deletion
In order to delete the object, you must first disable the accidental deletion protection by deselecting the "Protect object from accidental deletion" option. This is done on the Object tab of the object in ADUC. If not enabled, change the view in ADUC so that it shows the Advanced Features, open the object's properties window, and click on the "Object" tab.
Disable accidental deletion protection
Disable accidental deletion protection
By deselecting this option, you are removing the previously mentioned Deny ACE from the ACL of the object, and by doing so you allow the deletion of the object.

Popular posts from this blog


The BCD registry file controls which operating system installation starts and how long the boot manager waits before starting Windows. Basically, it’s like the Boot.ini file in earlier versions of Windows. If you need to edit it, the easiest way is to use the Startup And Recovery tool from within Vista. Just follow these steps: 1. Click Start. Right-click Computer, and then click Properties. 2. Click Advanced System Settings. 3. On the Advanced tab, under Startup and Recovery, click Settings. 4. Click the Default Operating System list, and edit other startup settings. Then, click OK. Same as Windows XP, right? But you’re probably not here because you couldn’t find that dialog box. You’re probably here because Windows Vista won’t start. In that case, you shouldn’t even worry about editing the BCD. Just run Startup Repair, and let the tool do what it’s supposed to. If you’re an advanced user, like an IT guy, you might want to edit the BCD file yourself. You can do this

DNS Scavenging.

                        DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.  Despite many clever methods of ensuring that clients and DHCP servers that perform dynamic updates clean up after themselves sometimes DNS can get messy.  Remember that old test server that you built two years ago that caught fire before it could be used?  Probably not.  DNS still remembers it though.  There are two big issues with DNS scavenging that seem to come up a lot: "I'm hitting this 'scavenge now' button like a snare drum and nothing is happening.  Why?" or "I woke up this morning, my DNS zones are nearly empty and Active Directory is sitting in a corner rocking back and forth crying.  What happened?" This post should help us figure out when the first issue will happen and completely avoid the second.  We'll go through how scavenging is setup then I'll give you my best practices.  Scavenging s

AD LDS – Syncronizing AD LDS with Active Directory

First, we will install the AD LDS Instance: 1. Create and AD LDS instance by clicking Start -> Administrative Tools -> Active Directory Lightweight Directory Services Setup Wizard. The Setup Wizard appears. 2. Click Next . The Setup Options dialog box appears. For the sake of this guide, a unique instance will be the primary focus. I will have a separate post regarding AD LDS replication at some point in the near future. 3. Select A unique instance . 4. Click Next and the Instance Name dialog box appears. The instance name will help you identify and differentiate it from other instances that you may have installed on the same end point. The instance name will be listed in the data directory for the instance as well as in the Add or Remove Programs snap-in. 5. Enter a unique instance name, for example IDG. 6. Click Next to display the Ports configuration dialog box. 7. Leave ports at their default values unless you have conflicts with the default values. 8. Click N