Secure Active Directory Objects in Windows Server 2008/R2 ADUC

Posted on August 31, 2010 by Daniel Petri in Active Directory with 0 Comments

Who hasn’t heard of “someone” who has accidentally deleted an entire Organizational Unit (OU) in Active Directory? If you’re lucky, you’ve never had to explain a personal human error such as this, but I’ve heard of many horror stories of people who have accidentally deleted OUs filled with hundreds, and in one case, over 5000 users.

It’s true that by using a proper backup procedure it is possible to restore these objects. It’s also true that you can use manual restore procedures such as the one in my Recovering Deleted Items in Active Directory article. However, I’m sure you’ll gladly agree that it’s best not to put yourself in that position in the first place.

Luckily for us, in Windows Server 2008 and Windows Server 2008 R2, Microsoft has introduced a new option designed to protect Active Directory objects from being accidentally deleted. The option to protect objects from accidental deletion is available for all objects that are manageable through Active Directory Users and Computers (ADUC), and is enabled by default when you create a new OU.

Let’s see an example. I will create an OU and select the “Protect container from accidental deletion”:

ADUC: Protect container when creating new OU

Next, I will attempt to delete the object:

ADUC: OU protected from accidental deletion

ADUC: OU protected from accidental deletion

As you can see, I failed to delete the object and received the following error message:

ADUC: OU protected from accidental deletion

So how does this work?

By selecting the Protect container from accidental deletion option, an Access Control Entry (ACE) is added to the Access Control List (ACL) on the object, protecting it from accidental deletion. In order to view the ACL for the protected object, we need to change the view in ADUC so that it shows the Advanced Features.

Select "Advanced Features" to view Access Control Entry the protected object

Look at the object’s security tab:

View Access Control Entry (ACE) for the protected object

Click on the Advanced button, then select the entry for “Everyone” and click “Edit”:

Advanced security settings for new OU

The ACE that is added is a “Deny” entry for the Everyone group, and it denies the Delete and Delete Subtree permissions on ACL of the object.

Important: Please note that by default, the accidental deletion protection is enabled by default ONLY for Organization Units (OUs), and NOT for user objects. This means that if you attempt to delete one or more user objects, even if you’re located inside a protected OU, you will succeed:

Default deletion protection only affects OUs, NOT user objects

Default deletion protection only affects OUs, NOT user objects

Default deletion protection only affects OUs, NOT user objects

In order to protect user, group or computer objects from accidental deletion, you must MANUALLY enable this option in the object’s properties. Change the view in ADUC so that it shows the Advanced Features, open the object’s properties window, and click on the “Object” tab. There you can select the accidental deletion protection option.

Manually enable deletion protection on user, group or computer objects

When selected, if you attempt to delete the object, you’ll get this message:

Object is protected from accidental deletion

In order to delete the object, you must first disable the accidental deletion protection by deselecting the “Protect object from accidental deletion” option. This is done on the Object tab of the object in ADUC. If not enabled, change the view in ADUC so that it shows the Advanced Features, open the object’s properties window, and click on the “Object” tab.

Disable accidental deletion protection

Disable accidental deletion protection

By deselecting this option, you are removing the previously mentioned Deny ACE from the ACL of the object, and by doing so you allow the deletion of the object.

Sponsored

Sponsored

Note: You may consider enabling this setting on some of the most important existing AD DS objects, including certain AD DS groups, user accounts, and computer accounts. You can use this list as a reference:

  • Built in Administrator and krbtgt accounts.
  • Built in privileged groups including (Account Operators, Administrators, Allowed RODC Password Replication Group, Schema Admins, Backup Operators, Cert Publishers, Denied RODC Password Replication Group, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Users, Enterprise Admins, Enterprise Read-only Domain Controllers, Group Policy Creator Owners, Incoming Forest Trust Builders, Read-only Domain Controllers, Server Operators, and Users.
  • Built in Containers and OUs including Builtin, Computers, Domain Controllers, Foreign Security Principles, LostAndFound, Program Data, System, Users, and NTDS Quotas.
Sponsored