Secure Active Directory Objects in Windows Server 2008/R2 ADUC
Who hasn’t heard of “someone” who has accidentally deleted an entire Organizational Unit (OU) in Active Directory? If you’re lucky, you’ve never had to explain a personal human error such as this, but I’ve heard of many horror stories of people who have accidentally deleted OUs filled with hundreds, and in one case, over 5000 users.
It’s true that by using a proper backup procedure it is possible to restore these objects. It’s also true that you can use manual restore procedures such as the one in my Recovering Deleted Items in Active Directory article. However, I’m sure you’ll gladly agree that it’s best not to put yourself in that position in the first place.
Luckily for us, in Windows Server 2008 and Windows Server 2008 R2, Microsoft has introduced a new option designed to protect Active Directory objects from being accidentally deleted. The option to protect objects from accidental deletion is available for all objects that are manageable through Active Directory Users and Computers (ADUC), and is enabled by default when you create a new OU.
Let’s see an example. I will create an OU and select the “Protect container from accidental deletion”:
Next, I will attempt to delete the object:
As you can see, I failed to delete the object and received the following error message:
So how does this work?
By selecting the Protect container from accidental deletion option, an Access Control Entry (ACE) is added to the Access Control List (ACL) on the object, protecting it from accidental deletion. In order to view the ACL for the protected object, we need to change the view in ADUC so that it shows the Advanced Features.
Look at the object’s security tab:
Click on the Advanced button, then select the entry for “Everyone” and click “Edit”:
The ACE that is added is a “Deny” entry for the Everyone group, and it denies the Delete and Delete Subtree permissions on ACL of the object.
Important: Please note that by default, the accidental deletion protection is enabled by default ONLY for Organization Units (OUs), and NOT for user objects. This means that if you attempt to delete one or more user objects, even if you’re located inside a protected OU, you will succeed:
In order to protect user, group or computer objects from accidental deletion, you must MANUALLY enable this option in the object’s properties. Change the view in ADUC so that it shows the Advanced Features, open the object’s properties window, and click on the “Object” tab. There you can select the accidental deletion protection option.
When selected, if you attempt to delete the object, you’ll get this message:
In order to delete the object, you must first disable the accidental deletion protection by deselecting the “Protect object from accidental deletion” option. This is done on the Object tab of the object in ADUC. If not enabled, change the view in ADUC so that it shows the Advanced Features, open the object’s properties window, and click on the “Object” tab.
By deselecting this option, you are removing the previously mentioned Deny ACE from the ACL of the object, and by doing so you allow the deletion of the object.
Note: You may consider enabling this setting on some of the most important existing AD DS objects, including certain AD DS groups, user accounts, and computer accounts. You can use this list as a reference:
- Built in Administrator and krbtgt accounts.
- Built in privileged groups including (Account Operators, Administrators, Allowed RODC Password Replication Group, Schema Admins, Backup Operators, Cert Publishers, Denied RODC Password Replication Group, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Users, Enterprise Admins, Enterprise Read-only Domain Controllers, Group Policy Creator Owners, Incoming Forest Trust Builders, Read-only Domain Controllers, Server Operators, and Users.
- Built in Containers and OUs including Builtin, Computers, Domain Controllers, Foreign Security Principles, LostAndFound, Program Data, System, Users, and NTDS Quotas.