Protecting OU from accidental deletion - Shay Levy

Shay Levy

If you repeat it, PowerShell it!

Protecting OU from accidental deletion

When you create new Organizational Units in Active Directory Users And Computers (ADUC) in Server 2008 (or with RSAT on 2003 domains), ADUC gives you the option to protect the OU from accidental deletion.


When this option is selected, ADUC updates the security descriptor of the object (and, potentially, of its parent) with a Deny ACE for the Everyone group, which denies every administrator and user of the domain, domain controllers included, the ability to delete the object.

Note: This setting does not provide protection against accidental deletion of a subtree that contains the protected object. Therefore, it is recommended that you enable this setting for all of the protected object's containers, up to the domain naming context head.

If you try to delete the OU you’ll get the following dialog:

To unprotect a container, uncheck the option on the object's Object tab in ADUC. The Object tab is visible only when Advanced Features is selected on the View menu.


With PowerShell and Quest AD cmdlets we can enable or disable OU protection with a single line of code!

Enable OU protection on all OUs

Get-QADObject -SizeLimit 0 -Type OrganizationalUnit | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete


Enable protection for specific OU

Add-QADPermission -Identity 'DistinguishedNameOfTheOU' -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete


Remove protection for specific OU

Get-QADPermission -Identity 'DistinguishedNameOfTheOU' -Deny -Account Everyone -ApplyTo ThisObjectOnly | Remove-QADPermission
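The note above says protection only holds if every container up the chain is protected too. The following script is an added example, not code from the original post and not a Quest cmdlet; it uses plain ADSI (System.DirectoryServices) so it runs without the Quest snap-in. It treats an object as protected when its own ACL carries an explicit Deny ACE for Everyone covering both Delete and DeleteTree (what the ADUC checkbox and the Add-QADPermission one-liner above create), then walks every OU in the domain and reports OUs that are unprotected themselves or sit under an unprotected ancestor. The function names, the assumption that it runs on a domain-joined machine, and the requirement of read access to the OUs' security descriptors are mine.

```powershell
# Added example (not from the original post): audit OU deletion protection with plain ADSI.
# Assumes a domain-joined machine and an account that can read the OUs' security descriptors.

Add-Type -AssemblyName System.DirectoryServices

# Rights the ADUC checkbox (and Add-QADPermission -Rights DeleteTree,Delete) denies to Everyone.
$script:RequiredRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                         [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

function Test-OUProtection {
    # Returns $true when the object's own ACL has an explicit Deny ACE for Everyone
    # that covers both Delete and DeleteTree. Inherited ACEs are ignored on purpose:
    # the protection must be set on the object itself.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # includeExplicit = $true, includeInherited = $false, identities as NTAccount names
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        if ($rule.IdentityReference.Value -ne 'Everyone') { continue }
        if (($rule.ActiveDirectoryRights -band $script:RequiredRights) -eq $script:RequiredRights) {
            return $true
        }
    }
    return $false
}

function Get-OUProtectionReport {
    # Walks every OU in the current domain and reports, per OU, whether the OU itself is
    # protected and which of its ancestors (up to the domain head) are not.
    # An unprotected ancestor is the gap the note above warns about: deleting the ancestor's
    # subtree removes the "protected" OU together with it.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext.Value      # e.g. DC=corp,DC=example,DC=com
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$domainDn", '(objectClass=organizationalUnit)', @('distinguishedName'))
    $searcher.PageSize = 500                              # paged search so large domains work

    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        $unprotectedParents = @()

        # Climb the parent chain through DirectoryEntry.Parent (safe with escaped commas in
        # RDNs) until the domain naming context head (objectClass domainDNS) is reached.
        $parent = ([ADSI]"LDAP://$dn").Parent
        while ($parent.SchemaClassName -ne 'domainDNS') {
            $parentDn = $parent.Properties['distinguishedName'].Value
            if (-not (Test-OUProtection -DistinguishedName $parentDn)) {
                $unprotectedParents += $parentDn
            }
            $parent = $parent.Parent
        }

        [PSCustomObject]@{
            OU                 = $dn
            Protected          = Test-OUProtection -DistinguishedName $dn
            UnprotectedParents = ($unprotectedParents -join '; ')
        }
    }
}

# Usage: list only the OUs that still need the setting, on themselves or on a parent.
Get-OUProtectionReport |
    Where-Object { -not $_.Protected -or $_.UnprotectedParents } |
    Format-Table -AutoSize
```

The report lists every OU whose own ACL lacks the Deny ACE and, for protected OUs, every ancestor container that lacks it; feeding the flagged distinguished names to the Add-QADPermission line above closes the gap. Containers such as CN=Users are checked as ancestors too, since the note covers all containers up to the domain head, not only OUs.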


Comments


Matthew said:

Hello,

Fantastic article...

In 2008, this option also protects from moving the OU.

But in 2003, the command lines protect just from deleting. We can move the OU to another place in AD. Is there a solution ?

Thanks

# September 24, 2009 11:49 AM

ScriptFanatic said:

Thanks Matthew!

I've tried to move a protected ou in 2003 (AADUC) and I get:

Windows cannot move object OUTest because: Access is Denied. I get the same error when I try to move the OU with Move-QADObject.

# September 24, 2009 12:50 PM

Matthew said:

I don't understand.

I'm using Domain Administrator Account with ADUC in a Windows 2003 Domain (not R2).

Deleting : OK "Access Denied"

Moving : NOK. The OU has moved... No message "Access Denied" :(

Am I missing something ?

# September 24, 2009 2:13 PM

ScriptFanatic said:

I'm on the same environment as yours. Do you use RSAT's ADUC to delete the object?

# September 24, 2009 3:03 PM

Matthew said:

No, I'm using ADUC directly on the Windows 2003 Domain Controller...

# September 24, 2009 4:01 PM

ScriptFanatic said:

I'm not sure why you can and I can't. I've logged on to my main DC (2003), launched ADUC and tried to move the object:

Windows cannot move object OUTest because: Access is denied.

# September 24, 2009 4:11 PM

Matthew said:

Thanks for your answers.

I have no Windows Vista with RSAT in my Domain. So the OUs have been created directly on the Windows 2003 Controller with ADUC. Then we've used the PowerShell command line from a Windows XP Client, a domain admin account and PowerGUI Script Editor... When we check the security permissions for "Everyone": 'Delete' and 'Delete Subtree' are denied. We can't delete the OUs but we can move them. We have made several tests.

# September 24, 2009 5:01 PM

ScriptFanatic said:

I would like to help but I can't reproduce it.

# September 24, 2009 5:34 PM

Matthew said:

Yessss !

I've made a new OU but with a different name at a different place: now it works.

I think we have made too many tests with the same OU (delete... then create it again and again). "Not my fault! It's my colleague" ;o))

For deletion the message is now : "You do not have sufficient privileges to delete testdelmat"

For moving it : "Windows cannot move object testdelmat because : Access is denied".

:o)

# September 24, 2009 6:00 PM

ScriptFanatic said:

Great :)

# September 24, 2009 6:13 PM

Matthew said:

This morning (France :o) we have made new tests: in fact, my colleague uses an account which has more rights than mine. If he uses this account to move the OU: he can. Then if I move it again, I can. If I create a new OU and then apply the new securities, I can't. For this new OU, if he moves it: he can... then I can!

My Account is Domain Admins.

His Account is Domain Admins, Enterprise Admins and Group Policy Creator Owners.

Something very strange...

# September 25, 2009 9:57 AM

hitesh said:

Thanks a lot for giving this information.

# April 2, 2011 10:40 AM

Ausigee said:

The reason you cannot delete the object is that in 2003 the Everyone group has an explicit deny for deletion of object and subtree. You would need to remove this on the object and then complete the delete in order to remove the OU.

Hope this helps

# August 31, 2011 6:23 PM

Jason said:

Thank you, helped fix my issue.

# November 22, 2011 2:12 AM