Windows 2008 AD new feature, “PROTECT OBJECT FROM ACCIDENTAL DELETION”.
Windows Server 2008 has a new feature that lets you protect objects from accidental deletion, and it is exposed in the GUI. The same protection was possible in earlier versions of Active Directory, but you had to use DSACLS to set the ACL on the AD objects. Here is how you protect objects from accidental deletion in Windows Server 2008.
Open ADUC and switch to Advanced View, then right-click the object and open Properties. On the Object tab you can see the new checkbox "Protect Object from accidental deletion".
By default in Windows Server 2008, OUs created in ADUC are protected. However, OUs created before you migrated or upgraded to a Windows 2008 domain are not protected. You can achieve the same result in a Windows 2003 or earlier domain by modifying the security descriptor of the object to deny Everyone the Delete and Delete Subtree permissions.
You can use DSACLS to protect an OU. The following command produces the desired result (/d adds a deny entry; SD is Delete and DT is Delete Subtree).
dsacls ou=Msusers,dc=microsoft,dc=local /d Everyone:SDDT
The following command protects all OUs in your domain from accidental deletion. Run it at an interactive command prompt; inside a batch file, write %%i instead of %i.
for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT
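To see which OUs still lack the deny entry before or after running the commands above, the following PowerShell audit is an added example, not part of the original post. It assumes the ActiveDirectory module (RSAT) is available; the function name Test-DeleteProtection is hypothetical.

```powershell
# Added example: list OUs that have no explicit "Deny Everyone: SD + DT" entry.
# Assumes the ActiveDirectory module is installed; Test-DeleteProtection is a hypothetical name.
Import-Module ActiveDirectory

$EveryoneSid = 'S-1-1-0'      # well-known SID for Everyone
$Delete      = 0x00010000     # SD: Delete
$DeleteTree  = 0x00000040     # DT: Delete Subtree
$Required    = $Delete -bor $DeleteTree

function Test-DeleteProtection {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Explicit ACEs only, with trustees returned as SIDs so the check
    # does not depend on the localized name of the Everyone group.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    $denied = 0
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $EveryoneSid) {
            # Accumulate denied rights; SD and DT may sit in separate ACEs.
            $denied = $denied -bor [int]$ace.ActiveDirectoryRights
        }
    }

    # Protected only when both Delete and Delete Subtree are denied.
    return (($denied -band $Required) -eq $Required)
}

# Print the distinguished name of every OU that is not protected.
Get-ADOrganizationalUnit -Filter * |
    Where-Object { -not (Test-DeleteProtection -DistinguishedName $_.DistinguishedName) } |
    Select-Object -ExpandProperty DistinguishedName
```

The script only reads ACLs; an empty result means every OU carries the deny entry that the dsacls commands set.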
Comments
Anonymous
October 03, 2012
Thanks a ton for your valuable suggestion.
Anonymous
April 11, 2013
Just yesterday I accidentally deleted a RADIUS server while the backup was down. I wish I'd seen this before.... I'm going to set all of the servers and OUs now...
Anonymous
November 27, 2013
Try this tool to set/remove accidental deletion options for AD objects in bulk. www.adsysnet.com/asn-active-directory-manager-download.aspx