Protecting OU from accidental deletion

2011/01/24


When you create new Organizational Units in Active Directory Users And Computers (ADUC) in Server 2008 (or with RSAT on 2003 domains), ADUC gives you the option to protect the OU from accidental deletion.


When this option is selected, ADUC updates the security descriptor of the object and, potentially, of its parent, with a Deny ACE for the Everyone domain group, which denies all administrators or users of this domain and domain controller the ability to delete this object.

Note: This setting does not provide protection against accidental deletion of a subtree that contains the protected object. Therefore, it is recommended that you enable this setting for all the protected object's containers up to the domain naming context head.

If you try to delete the OU you'll get the following dialog:

To unprotect a container, uncheck the value on the object's Object tab in ADUC. The Object tab is visible only when Advanced Features is selected on the View menu.


With PowerShell and the Quest AD cmdlets we can enable or disable OU protection with a single line of code!

Enable OU protection on all OUs

```powershell
Get-QADObject -SizeLimit 0 -Type OrganizationalUnit | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete
```

Enable protection for specific OU

```powershell
Add-QADPermission -Identity 'DistinguishedNameOfTheOU' -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete
```

Remove protection for specific OU

```powershell
Get-QADPermission -Identity 'DistinguishedNameOfTheOU' -Deny -Account Everyone -ApplyTo ThisObjectOnly | Remove-QADPermission
```
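
The Deny ACE for Everyone and the note about protecting every container up to the domain naming context head can be audited together. The following is an added example, not code from the original post: it uses plain ADSI rather than the Quest cmdlets, assumes a domain-joined host and an account that can read the OUs' security descriptors, and the function names `Test-DeleteProtection` and `Get-OUProtectionReport` are hypothetical.

```powershell
# Added example (not from the original post): report OUs, and their parent
# containers, that lack an explicit Deny Delete/DeleteTree ACE for Everyone.
$everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group
$needed = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-DeleteProtection {
    param($Entry)   # a System.DirectoryServices.DirectoryEntry
    # Explicit ACEs only (no inherited ones), identities returned as SIDs
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $denied = 0
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Deny' -and
            $rule.IdentityReference.Value -eq $everyoneSid) {
            # Accumulate rights, since Delete and DeleteTree may sit in separate ACEs
            $denied = $denied -bor [int]$rule.ActiveDirectoryRights
        }
    }
    ($denied -band $needed) -eq $needed
}

function Get-OUProtectionReport {
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = [adsisearcher]'(objectCategory=organizationalUnit)'
    $searcher.PageSize = 1000   # enable paging so large domains return every OU
    foreach ($hit in $searcher.FindAll()) {
        $ou = $hit.GetDirectoryEntry()
        # Walk up the parent containers, stopping at the domain naming context head
        $gaps = @()
        $parent = $ou.psbase.Parent
        while ([string]$parent.distinguishedName -ne $domainDn) {
            if (-not (Test-DeleteProtection $parent)) {
                $gaps += [string]$parent.distinguishedName
            }
            $parent = $parent.psbase.Parent
        }
        New-Object PSObject -Property @{
            OU                   = [string]$ou.distinguishedName
            Protected            = (Test-DeleteProtection $ou)
            UnprotectedAncestors = ($gaps -join '; ')
        }
    }
}

# Show only OUs that are unprotected themselves or sit under an unprotected container
Get-OUProtectionReport |
    Where-Object { -not $_.Protected -or $_.UnprotectedAncestors } |
    Format-List OU, Protected, UnprotectedAncestors
```

An OU listed with `Protected = True` but a non-empty `UnprotectedAncestors` is the case the note describes: the OU itself cannot be deleted directly, yet a subtree delete of one of the listed containers would still remove it.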

