Protect Object from Accidental Deletion

    Question

  • I notice the new "Protect Object from Accidental Deletion" option in 2008. Is there a recommended best practice for when to check this? I also noticed that when checked on an OU, it does not propagate to users/computer within it. Is there a way to set this for an entire domain?

    Thanks,
    Scott
    Saturday, February 20, 2010 2:17 PM

Answers

  • Howdie!

    On 20.02.2010 15:17, scottyp55 wrote:
    > I notice the new "Protect Object from Accidental Deletion" option in
    > 2008. Is there a recommended best practice for when to check this? I
    > also noticed that when checked on an OU, it does not propagate to
    > users/computer within it. Is there a way to set this for an entire domain?

    It does not automatically propagate to other objects as this feature is
    intended to protect OUs from being deleted accidentally. You probably
    want to delete a couple of users in an OU but not the whole OU and its
    child objects entirely.

    You can easily create this kind of propagation yourself. The "Protect
    Object from Accidental Deletion" feature is nothing other than a generic "Deny
    Delete" ACE on the OU (this object only). "Everyone" is denied deleting
    the OU, that's a simple ACE you can set in the "Security" tab on the OU
    properties when having "Advanced Features" enabled in ADUC (or ADSIEdit,
    ....).

    Cheers,
    Florian

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    • Proposed as answer by Meinolf WeberMVP Sunday, February 21, 2010 2:12 PM
    • Marked as answer by scottyp55 Monday, February 22, 2010 4:11 PM
    Saturday, February 20, 2010 3:25 PM
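
Added example (not part of the original posts): a PowerShell sketch that audits which OUs lack the protection, enables it, and then shows the explicit Deny ACE for Everyone that the answer above describes. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the DN `OU=Sales,DC=example,DC=com` is a constructed placeholder and the function names are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory module and rights to read/modify OU ACLs.
Import-Module ActiveDirectory

# Audit: return every OU under $SearchBase that is NOT protected.
function Get-UnprotectedOU {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
            -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Verify: list the explicit (non-inherited) Deny ACEs for Everyone on one object.
# Matching on the well-known SID S-1-1-0 avoids localized names for "Everyone".
function Get-EveryoneDenyAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0'
        } |
        Select-Object ActiveDirectoryRights, InheritanceType, IsInherited
}

# 1. Report the OUs that are missing the protection (typical after a domain upgrade).
$targets = Get-UnprotectedOU
$targets | Select-Object Name, DistinguishedName

# 2. Enable protection. -WhatIf only previews the change; remove it to apply.
$targets | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf

# 3. Inspect the resulting ACE on one OU (placeholder DN, replace with your own).
$ou = 'OU=Sales,DC=example,DC=com'
Get-EveryoneDenyAce -DistinguishedName $ou

# Optional: the flag does not propagate, so users and computers inside an OU
# must be set explicitly. Computer objects also carry objectClass=user.
Get-ADObject -SearchBase $ou -LDAPFilter '(objectClass=user)' |
    Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```

Protecting every user and computer this way also blocks routine deprovisioning until the flag is cleared, so scope the last step to the containers where that trade-off is acceptable.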

All replies

  • Yes, this option appeared in 2008.  At first I was quite annoyed because of the error message that pops up when you try to delete the OU. Our organization is quite decentralized in terms of AD administration.  We have about 100 OUs that represent the various business units and I now find this "feature" very beneficial because I have had to restore OUs in the past due to OU Admins deleting their OUs by accident, usually because they were working within GPMC and didn't realize that the ability to delete OUs is possible using that MMC.

    As far as propagation, hmmm, not sure.  If you set up a 2008 domain from scratch, the OUs that you create would have that setting by default.  Coming from an upgraded domain, only the new OUs will have that setting enabled.
    Visit my blog: anITKB.com, an IT Knowledge Base.
    Saturday, February 20, 2010 2:59 PM
  • Thanks guys. This is very helpful.
    Monday, February 22, 2010 4:11 PM
  • Please have a look at this post, which might be helpful to enable protection on all AD objects by using three commands

    http://wp.me/pBVRH-1F
    • Edited by Seneej Sunday, July 21, 2013 7:54 PM update.
    Sunday, July 21, 2013 7:53 PM