
When you create new Organizational Units in Active Directory Users And Computers (ADUC) in Server 2008 (or with RSAT on 2003 domains), ADUC gives you the option to protect the OU from accidental deletion.


When this option is selected, ADUC updates the security descriptor of the object (and, potentially, its parent) with Deny ACEs for the Everyone group: Delete and Delete Subtree are explicitly denied, so every user of the domain, administrators included, is refused when they try to delete the object. Because this is an ordinary ACE, it is only as strong as the DACL it lives in: an account that can modify the object's permissions can clear the checkbox or remove the ACE and then delete the object. The setting guards against mistakes, not against a deliberate or attacker-driven deletion, and it does not replace backups.


Note: this setting does not protect against accidental deletion of a subtree that contains the protected object; a subtree delete on an unprotected parent removes the protected object along with it. It is therefore recommended to enable the setting on every container above the protected object, up to the domain naming context head. If you try to delete a protected OU, ADUC refuses and shows a dialog explaining that the object is protected from accidental deletion.


To unprotect a container, clear the *Protect object from accidental deletion* checkbox on the object's *Object* tab in ADUC. The *Object* tab is visible only when *Advanced Features* is selected on the *View* menu.


With PowerShell and the Quest AD cmdlets (ActiveRoles Management Shell for Active Directory) we can enable or disable OU protection with a single line of code. The cmdlets write the same explicit Deny ACE for Everyone (Delete and Delete Subtree, applied to this object only) that the ADUC checkbox does.

Enable OU protection on all OUs

```powershell
# -SizeLimit 0 lifts the default result cap so every OU in the domain is returned,
# then each one gets the explicit Deny ACE for Everyone on the object itself.
Get-QADObject -SizeLimit 0 -Type OrganizationalUnit |
Add-QADPermission `
 -Deny `
 -Account Everyone `
 -ApplyTo ThisObjectOnly `
 -Rights DeleteTree,Delete
```

Enable protection for a specific OU

```powershell
# Same ACE as above, written to a single OU identified by its distinguished name.
Add-QADPermission `
 -Identity 'DistinguishedNameOfTheOU' `
 -Deny `
 -Account Everyone `
 -ApplyTo ThisObjectOnly `
 -Rights DeleteTree,Delete
```

Remove protection for a specific OU

```powershell
# Selects every explicit Deny ACE for Everyone that applies to this object only,
# not just the Delete/DeleteTree one, so run the Get-QADPermission half on its own
# first and confirm the list before piping it into Remove-QADPermission.
Get-QADPermission `
 -Identity 'DistinguishedNameOfTheOU' `
 -Deny `
 -Account Everyone `
 -ApplyTo ThisObjectOnly |
Remove-QADPermission
```
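The one-liners above set and clear the ACE on one OU at a time; what they do not give you is a check for the gap the note above describes, an unprotected parent above a protected OU. The following is an added example, not code from the original post, written against the Microsoft ActiveDirectory module (Server 2008 R2 RSAT or later) rather than the Quest cmdlets. It reads each OU's DACL through the module's AD: drive, looks for explicit Deny ACEs for Everyone that together cover Delete and DeleteTree, walks the ancestor chain up to the domain naming context head, and then protects the gaps with Set-ADObject, using -WhatIf so nothing is written until you drop it. The function names and the assumption that OU names contain no escaped commas are mine.

```powershell
# Added example, not code from the original post. Uses the Microsoft ActiveDirectory
# module and its AD: drive instead of the Quest cmdlets; assumes Server 2008 R2 RSAT
# (or later) and a logon to the domain being audited.
Import-Module ActiveDirectory

# True when the object's own DACL carries explicit Deny ACEs for Everyone (S-1-1-0)
# that together cover Delete and DeleteTree: the ACEs the ADUC checkbox and the Quest
# one-liners write. Inherited ACEs are ignored, because the protection is always set
# explicitly on the object itself.
function Test-OuDeleteDenyAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $needed = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    $denied = 0
    $acl    = Get-Acl -Path ('AD:\' + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny' -or $ace.IsInherited) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable trustee, so it cannot be Everyone
        if ($sid -ne 'S-1-1-0') { continue }
        $denied = $denied -bor [int]$ace.ActiveDirectoryRights
    }
    # Both bits must be present; -band is parenthesised because it binds looser than -eq.
    return (($denied -band $needed) -eq $needed)
}

# Parent DN by dropping the leading RDN. Assumption: the RDN has no escaped comma.
function Get-ParentDn {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    return ($DistinguishedName -replace '^[^,]+,', '')
}

# One record per OU: whether it is protected itself, and the nearest ancestor
# container below the domain head that is not (the gap the note above warns about).
function Get-OuDeletionProtectionReport {
    param([string[]]$DistinguishedName)

    $domainDn = (Get-ADDomain).DistinguishedName
    if (-not $DistinguishedName) {
        $DistinguishedName = Get-ADOrganizationalUnit -Filter * |
            ForEach-Object { $_.DistinguishedName }
    }

    foreach ($dn in $DistinguishedName) {
        $gap     = $null
        $current = Get-ParentDn $dn
        # Walk upwards while still inside this domain's naming context.
        while (($current -ne $domainDn) -and ($current -like "*,$domainDn")) {
            if (-not (Test-OuDeleteDenyAce $current)) { $gap = $current; break }
            $current = Get-ParentDn $current
        }
        New-Object PSObject -Property @{
            DistinguishedName   = $dn
            Protected           = (Test-OuDeleteDenyAce $dn)
            UnprotectedAncestor = $gap
        }
    }
}

# Report, then protect the gaps. Set-ADObject -ProtectedFromAccidentalDeletion writes
# the same Deny ACEs the ADUC checkbox does (and works on containers that are not OUs);
# -WhatIf shows the changes without writing them.
$report = Get-OuDeletionProtectionReport
$report | Format-Table DistinguishedName, Protected, UnprotectedAncestor -AutoSize

$targets = @()
foreach ($row in $report) {
    if (-not $row.Protected)      { $targets += $row.DistinguishedName }
    if ($row.UnprotectedAncestor) { $targets += $row.UnprotectedAncestor }
}
$targets | Sort-Object -Unique | ForEach-Object {
    Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true -WhatIf
}
```

The report only names the first unprotected ancestor of each OU, so after removing -WhatIf and applying the changes, run it again until every row shows Protected set to True and an empty UnprotectedAncestor.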
