Protect Objects in Windows Server 2003 Active Directory from Accidental Deletion

Posted on January 8, 2009 by Daniel Petri in Active Directory

One of the major headaches when dealing with Active Directory is the issue of accidental deletion of objects by untrained or malicious people. Of course one must have the right permissions in Active Directory in order to delete any object from it, but this does happen now and then. For example, you might want to delete one object but instead select another one, and without giving it a second thought, press Delete. You might delete an entire organizational unit (OU) with all the nested objects in it, and not pay attention to the two warning windows that ask whether you’re sure you want to perform that task.

Another problem might be caused by accidentally moving an OU with all its nested objects into another OU, just by pressing the mouse button and moving the mouse less than a centimeter (this is most common with laptops being used as management stations; their tiny touchpads make a long mouse movement a bit more challenging than with a regular mouse).

The thing is, I have had to recover more than a few Active Directory objects or OUs over the past years, and every time it was because of an accidental deletion. I looked for a way to help me protect objects and OUs in Active Directory; even if it was not bulletproof, it could at least give me another means to control what my administrators were doing.

Remember, being an administrator, and more so a member of the Domain Admins, Enterprise Admins or Schema Admins groups is considered a trusted position. If you don’t trust the person doing the job, don’t give him or her the job. The method outlined here will not stop a malicious or a specially gifted and lame administrator from causing harm. It will stop YOU or them from accidentally performing a delete operation, but it can be easily bypassed by an administrator with the right permissions.

Note: This article is written specifically for Windows Server 2003-based Active Directory and domain controllers. In Windows Server 2008 a new GUI option was added; you can read more about it in the Windows Server 2008 section.

In order to protect these objects from accidental deletion you need to dive into the permissions of the specific object or organizational unit (OU) in Active Directory. You can use this procedure to add the following access control entries (ACEs):

  • On the organizational unit (OU) that you want to protect, add explicit Deny ACEs for the Delete and Delete Subtree advanced permissions for the Everyone group.
  • On the parent container of the OU that you want to protect, add an explicit Deny ACE for the Delete All Child Objects permission for the Everyone group.

This protects the OU from accidental deletion. When a user tries to delete the protected object, the operation returns an error that indicates access is denied.

Note: In case you need to restore a deleted object I suggest you read my “How to Restore Windows Server 2003 Active Directory” and “Recovering Deleted Items in Active Directory” articles.

Method #1: Using Active Directory Users and Computers

To protect an OU from accidental bulk deletion follow these steps:

1. Log on to the computer as a member of the Domain Admins group.
2. Open Active Directory Users and Computers from the Start Menu -> Administrative Tools folder, or by typing DSA.MSC in the Run command.
3. First, apply permissions on the OU that you want to protect. To do this, right-click the OU that you want to protect, and then click Properties.
4. In OU Properties, click the Security tab, and then click Advanced.

   Note: The Security tab is not displayed by default. To see it you need to close the property sheet, and in the ADUC View menu, select Advanced Features.

5. On Advanced Security Settings, click Add, type Everyone, and then click OK.
6. In Permission Entry, in Permissions, select the Deny check boxes for Delete and Delete subtree. Select the check box for Apply these permissions to objects and/or containers within this container only.
7. Click OK to close Permission Entry.
8. On Advanced Security Settings, click Apply.
9. Review the Windows Security warning, and then click Yes to continue.
10. Click OK to close the Advanced Security Settings, and then click OK to close OU Properties.
11. Next, apply permissions to the parent container of the OU that you want to protect. To do this, right-click the parent container, and then click Properties.
12. In Container Properties, click the Security tab.
13. Click Add, type Everyone, and then click OK.
14. In Permissions for Everyone, select the Deny check box for Delete All Child Objects, and then click Apply.
15. Review the Windows Security warning, and then click Yes to continue.
16. Click OK to close Container Properties.

Now, try to delete the OU. You’ll get an Access Denied prompt.

Warning: Try the deletion action at your own risk, don’t come crying to me if you accidentally deleted your entire company’s users. This tip works, it worked for me, it works for everyone, but I cannot guarantee that you followed my instructions precisely.

Another warning: If you do try to see if it works for you or not, do it on a test OU that you’ve created for this purpose first. Also, make sure you have a good backup of your Active Directory. Read my “How to Backup Windows Server 2003 Active Directory” article for more info.

To remove the protection, remove the Deny ACEs that you added for the Everyone group.

Method #2: Using the DSACLS command

If you want to use DSACLS to protect an OU you can use the following command:

If you want to protect your entire OU structure you could use the following command:

Note: This command will process EVERY organizational unit in the Active Directory domain. If you just want to protect certain levels, you need to change the dsquery command.
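As an added example (my own script, not the author's command), the batch file below applies to every OU that dsquery returns the same two Deny ACEs that Method #1 sets in the GUI: Delete and Delete Subtree on the OU itself, and Delete All Child Objects on its parent. It assumes it is run from cmd.exe as a Domain Admin on a machine with the Windows Server 2003 admin tools (dsquery.exe and dsacls.exe), and the DN in the final check is a placeholder.

```batch
@echo off
rem Added example, not from the original article: protect OUs from accidental
rem deletion with dsacls.exe, the command-line counterpart of the GUI steps.
rem Assumes: run from cmd.exe as a Domain Admin with dsquery.exe and dsacls.exe
rem available. Save as protect-ous.cmd and run it once.
setlocal

rem dsquery prints each OU's distinguished name in double quotes, so %%i already
rem carries the quoting that dsacls needs for names containing spaces.
rem "-limit 0" lifts the default cap of 100 results, so EVERY OU in the domain
rem is processed. To protect only part of the tree, change this dsquery command,
rem for example by giving it a start node and "-scope onelevel".
rem
rem Inside the loop:
rem   dsacls OU /D Everyone:SDDT   denies Everyone Delete, SD, and Delete
rem                                Subtree, DT, on the OU itself. With no /I
rem                                switch the ACE applies to this object only.
rem   dsacls PARENT /D Everyone:DC denies Everyone Delete All Child Objects on
rem                                the parent. The parent DN is the OU DN with
rem                                its first RDN removed, split at the first
rem                                comma. Caveat: an RDN with an escaped comma,
rem                                such as OU=Smith\, John, would be split in
rem                                the wrong place; handle such OUs by hand.
for /f "tokens=*" %%i in ('dsquery ou -limit 0') do (
    echo Protecting %%i
    dsacls %%i /D Everyone:SDDT
    for /f "tokens=1,* delims=," %%a in (%%i) do dsacls "%%b" /D Everyone:DC
)

rem Verify on one OU, placeholder DN, then try deleting it: you should get
rem Access Denied.
dsacls "OU=Test,DC=example,DC=com"

rem To undo, remove the Deny entries for Everyone in the GUI, or run
rem "dsacls DN /R Everyone": note that /R removes ALL of Everyone's ACEs on
rem that object, so review the output of "dsacls DN" first.
endlocal
```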
