Preventing Unwanted/Accidental Deletions and Restoring Deleted Objects in Active Directory
Preventing Unwanted/Accidental deletions
Windows 2003
Use delegation to restrict deletion to selected administrators only.
· Create a group containing the users who should NOT be able to delete a given set of objects in AD.
· Deny that group the Delete and Delete Subtree permissions on the specific organizational units (OUs) that contain the user accounts, computer accounts or security groups you want to protect.
· Also remove (or explicitly deny) the Delete All Child Objects permission on the parent container of the OU you want to protect. AD allows a deletion when the caller holds Delete on the object or Delete All Child Objects on its parent, so a Deny on the OU alone does not stop the OU from being removed from above.
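The three steps above as a script, added here as an example and not taken from the original post. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) and uses a hypothetical group name and OU distinguished names; it applies explicit Deny ACEs rather than removing existing Allow entries, which is the stronger form of the third step.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module; the group name and OU distinguished names are
# hypothetical placeholders.
Import-Module ActiveDirectory

$GroupName   = 'NoDelete-Operators'                        # hypothetical group
$ProtectedOU = 'OU=Workstations,OU=Corp,DC=contoso,DC=com'  # OU to protect
$ParentOU    = 'OU=Corp,DC=contoso,DC=com'                  # its parent

$sid = (Get-ADGroup -Identity $GroupName).SID

# Step 2: on the OU itself, deny Delete and Delete Subtree to the group.
# Inheritance 'All' pushes the Deny down to every child object as well.
$acl = Get-Acl -Path "AD:\$ProtectedOU"
$denyDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree',
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($denyDelete)
Set-Acl -Path "AD:\$ProtectedOU" -AclObject $acl

# Step 3: on the parent, deny Delete All Child Objects (DeleteChild) so the
# OU cannot be removed "from above". AD permits a delete when the caller has
# Delete on the object OR DeleteChild on the parent, so both ACEs are needed.
$parentAcl = Get-Acl -Path "AD:\$ParentOU"
$denyChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$parentAcl.AddAccessRule($denyChild)
Set-Acl -Path "AD:\$ParentOU" -AclObject $parentAcl

# Check: list the explicit Deny entries for the group on both containers.
foreach ($dn in $ProtectedOU, $ParentOU) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object @{n='Object'; e={ $dn }}, IdentityReference,
                      ActiveDirectoryRights, InheritanceType
}
```

Because Deny entries are evaluated before Allow entries, members of this group lose deletion rights even if they are also members of a group with Full Control on the OU; do not put the account you use for deliberate clean-ups in it.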
Guarding Against Accidental Bulk Deletions in Active Directory
https://technet.microsoft.com/en-us/library/cc773347.aspx
In Windows 2008
In Windows Server 2008, the Active Directory Users and Computers snap-in provides the “Protect object from accidental deletion” option. When enabled, Protect object from accidental deletion implements a Deny of the Delete and Delete Subtree permissions. When you enable Advanced Features on the View menu, the Protect object from accidental deletion option is available on the Object tab. You can open the Properties page for each container in the domain and enable this option.
Use this option to protect all other containers up to the domain level. Good candidates for protection are containers that store Group Policy objects (GPOs) and Active Directory–integrated Domain Name System (DNS) zones. When you enable the Protect object from accidental deletion option, neither the container nor any child object can be deleted by any administrator or other user. An administrator with the right to log on locally to a domain controller and the right to open Active Directory Users and Computers can enable or disable the setting.
Requirements:
· At least one Windows Server 2008 DC in the domain.
· The checkbox is exposed by the Windows Server 2008 version of the Active Directory Users and Computers snap-in. Because it is implemented as ordinary ACEs, the same protection can also be set with other ACL tools (for example dsacls, or Set-ADObject -ProtectedFromAccidentalDeletion in the Windows Server 2008 R2 ActiveDirectory module).
· When “Protect object from accidental deletion” is enabled on a user or OU, the Everyone group is denied the Delete and Delete Subtree permissions on that object.
· While it is enabled, no administrator can delete the object (the attempt fails with “Access is denied”) until an administrator clears the checkbox on that object again.
Windows Server 2008 Protection from Accidental Deletion
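Applying the same setting in bulk, checking which containers are still unprotected, and seeing the ACE the checkbox writes, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT) and a hypothetical OU name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; the OU distinguished name is a hypothetical placeholder.
Import-Module ActiveDirectory

# 1. Find every OU in the domain that does not carry the protection flag yet.
#    ProtectedFromAccidentalDeletion is not returned by default, so request it.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

# 2. Turn the flag on for all of them; this writes the same Deny ACEs the
#    ADUC checkbox does.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true

# 3. Re-check; the list should now be empty.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName

# 4. What the flag actually is: an explicit Deny for Everyone with the
#    Delete and DeleteTree rights on the object itself.
$ou = 'OU=Servers,DC=contoso,DC=com'   # hypothetical
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 5. A deliberate removal must clear the flag first; with it set, the delete
#    fails with "Access is denied" for every account, Domain Admins included.
#    -WhatIf keeps this example from actually deleting anything.
Set-ADObject -Identity $ou -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ou -Recursive -WhatIf
```

Step 1 is worth running on a schedule: OUs created with the Windows Server 2008 snap-in or New-ADOrganizationalUnit get the flag by default, but OUs created by scripts, migration tools or older consoles do not.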
Restoring deleted objects in AD within the tombstone lifetime (Windows 2003/2008)
Plan 1
· Perform a NON-authoritative restore of a previous System State backup that still contains the object to be restored (in Directory Services Restore Mode, so the restored copy is not immediately overwritten by replication).
· Use ntdsutil to mark the object authoritative: it raises the attribute version numbers of that copy so it wins against the tombstone held on the other DCs, i.e. an authoritative restore of the object.
· Replicate the authoritative object to the other DCs in the domain.
Performing an Authoritative Restore of Active Directory Objects
https://technet.microsoft.com/en-us/library/cc779573.aspx
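Plan 1 written out as the commands typed on the DC being restored, added here as an example and not taken from the original post or the linked article. It uses the Windows Server 2008 tools (wbadmin; on Windows Server 2003, ntbackup takes that role and ntdsutil has no "activate instance" step). The backup location and version, DC name, user and OU distinguished names are hypothetical placeholders.

```powershell
# Added example, not from the original post. Backup target/version, DC name
# and DNs are hypothetical placeholders.

# Step 1: boot into Directory Services Restore Mode (DSRM) so NTDS is offline.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# ---- after the reboot, logged on with the DSRM administrator account ----

# Non-authoritative restore of System State from the backup that predates
# the deletion. Take the version identifier from 'wbadmin get versions'.
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:06/22/2015-22:00 -backupTarget:E: -quiet

# Do NOT reboot normally yet. Left alone, the restored DC would replicate in
# and the object would be overwritten again by the tombstone on the other DCs.

# Step 2: mark only the object (or subtree) authoritative. ntdsutil raises
# the attribute version numbers of that copy (by 100000 per day since the
# backup) so it wins replication. Run interactively; each line is one command:
#
#   ntdsutil
#   ntdsutil: activate instance ntds
#   ntdsutil: authoritative restore
#   authoritative restore: restore object "CN=Jane Doe,OU=Sales,DC=contoso,DC=com"
#   authoritative restore: quit
#   ntdsutil: quit
#
# For a whole OU use:  restore subtree "OU=Sales,DC=contoso,DC=com"
# ntdsutil also writes ar_*_links_*.ldf files in the current directory that
# record the group memberships (back-links) the restore alone cannot bring back.

# Back to a normal boot.
bcdedit /deletevalue safeboot
shutdown /r /t 0

# ---- after the normal reboot ----

# Step 3: push the authoritative copy to every replication partner
# (/A all partitions, /e enterprise-wide, /P push).
repadmin /syncall DC1.contoso.com /AeP

# Re-apply the group memberships recorded by ntdsutil. Import each LDF on a
# DC of the domain that holds those groups (-k ignores "already a member").
Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName
}

# Verify the object and its memberships came back (works on 2003 and 2008).
dsquery user -samid jdoe | dsget user -memberof
```

Restore only the object or subtree you lost, never the whole database: an authoritative restore of everything rolls back every change made since the backup on every DC.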
Plan 2
· Use a tombstone-reanimation tool such as Sysinternals ADRestore to bring back a recently deleted object within the tombstone lifetime. Reanimation restores only the attributes kept on the tombstone (for example objectSid and sAMAccountName); group memberships and most other attributes must be re-populated by hand, which is what the article below walks through.
How to restore deleted user accounts and their group memberships in Active Directory
https://support.microsoft.com/?kbid=840001
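What ADRestore and the KB article do underneath is a single LDAP Modify on the tombstone. The following is an added example, not from the original post or from ADRestore, that performs that reanimation with System.DirectoryServices.Protocols and falls back to a holding OU when the object's last known parent is gone too. DC name, domain, user and OU names are hypothetical placeholders.

```powershell
# Added example, not from the original post: LDAP tombstone reanimation as
# described in KB 840001. DC, domain, user and holding OU are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Dc         = 'dc1.contoso.com'
$DomainDn   = 'DC=contoso,DC=com'
$TargetUser = 'jdoe'                      # sAMAccountName to recover
$HoldingOu  = "OU=Recovered,$DomainDn"    # used only if the old parent is gone

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Dc)
$conn.SessionOptions.Signing = $true      # we are writing to the directory:
$conn.SessionOptions.Sealing = $true      # sign and seal the session
$conn.Bind()

# Tombstones live under CN=Deleted Objects and are invisible unless the
# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417) control is sent.
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# sAMAccountName is preserved on the tombstone, so we can search by it.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$DomainDn",
    "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$TargetUser))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    [string[]]@('distinguishedName', 'lastKnownParent', 'objectSid'))
[void]$search.Controls.Add($showDeleted)
$entries = ([System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)).Entries
if ($entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $TargetUser, found $($entries.Count)"
}
$tomb   = $entries[0]
$oldDn  = $tomb.DistinguishedName
$parent = $tomb.Attributes['lastKnownParent'].GetValues([string])[0]

# Edge case: the OU it lived in was deleted as well. A base-scope search on
# the parent DN throws NoSuchObject in that case; re-home under the holding OU.
$check = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $parent, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    [string[]]@('distinguishedName'))
try   { [void]$conn.SendRequest($check) }
catch { Write-Warning "Last known parent $parent no longer exists; using $HoldingOu"; $parent = $HoldingOu }

# A tombstone RDN looks like  CN=Jane Doe\0ADEL:<objectGUID> ; everything
# from "\0ADEL:" on was appended at deletion time, so strip it to rebuild the
# original RDN and place the object under the chosen parent.
$rdn   = ($oldDn -split '\\0ADEL:')[0]
$newDn = "$rdn,$parent"

# Reanimation is one Modify that removes isDeleted and replaces the DN; both
# changes must be in the same request or the server rejects it.
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
$mod.DistinguishedName = $oldDn
[void]$mod.Controls.Add($showDeleted)

$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

[void]$mod.Modifications.Add($delIsDeleted)
[void]$mod.Modifications.Add($setDn)
[void]$conn.SendRequest($mod)
"Reanimated $oldDn as $newDn"

# Only tombstone-preserved attributes survive (objectSid, sAMAccountName,
# sIDHistory, userAccountControl, ...). The account typically comes back
# disabled, without a usable password and with no group memberships, so
# finish with the ActiveDirectory module or dsmod, e.g.:
#   Set-ADAccountPassword -Identity $TargetUser -Reset
#   Enable-ADAccount -Identity $TargetUser
#   Add-ADGroupMember -Identity 'Sales' -Members $TargetUser
```

The objectSid is the important part: because it is preserved, the reanimated account regains every ACL entry and SID-history reference that pointed at it, which a freshly created account with the same name never would.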
In Windows 2008 R2
The “Protect object from accidental deletion” option is still available to prevent deletion.
If a deletion does take place, the object can be recovered with all of its attributes using the new Active Directory Recycle Bin feature.
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and the corresponding access rights they had immediately before deletion, within and across domains.
This feature requires the forest functional level to be Windows Server 2008 R2 (so every DC in the forest must run Windows Server 2008 R2), and once enabled it cannot be disabled. It only covers objects deleted after it was enabled, and only for the deleted object lifetime (msDS-DeletedObjectLifetime, which defaults to the tombstone lifetime); objects deleted before that point remain plain tombstones.
Active Directory Recycle Bin Step-by-Step Guide
https://technet.microsoft.com/en-us/library/dd392261.aspx
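Enabling the Recycle Bin and recovering both a single user and a whole OU with its contents, as an added example that is not part of the original post or the linked guide. It assumes the ActiveDirectory PowerShell module on a forest already at the Windows Server 2008 R2 functional level; the user, OU and domain names are hypothetical placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; user, OU and domain names are hypothetical placeholders.
Import-Module ActiveDirectory

# One-time and irreversible: enable the Recycle Bin for the whole forest.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
# EnabledScopes is non-empty once the feature is on.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes

# Everything deleted from now on sits under CN=Deleted Objects with all of its
# attributes for msDS-DeletedObjectLifetime days. List it, newest first.
$deletedObjectsDn = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $deletedObjectsDn -Filter 'isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Case 1: one user. It returns to lastKnownParent with every attribute,
# including memberOf, because link-valued attributes were preserved.
$user = Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
    -Filter 'sAMAccountName -eq "jdoe"' -Properties lastKnownParent
Restore-ADObject -Identity $user.ObjectGUID
Get-ADUser -Identity jdoe -Properties memberOf | Select-Object -ExpandProperty memberOf

# Case 2: a whole OU was deleted. Every former child still records the OU's
# DN in lastKnownParent, but restoring a child before its parent fails because
# the target DN does not exist yet, so restore the OU first, then its contents.
$ouDn = 'OU=Sales,DC=contoso,DC=com'   # hypothetical
$ou = Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
    -Filter 'name -like "Sales*" -and objectClass -eq "organizationalUnit" -and lastKnownParent -eq "DC=contoso,DC=com"'
Restore-ADObject -Identity $ou.ObjectGUID
Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects `
    -Filter "lastKnownParent -eq '$ouDn'" |
    Restore-ADObject

# If the original parent is gone and should stay gone, put the object
# somewhere else instead of restoring the container chain.
# Restore-ADObject -Identity $user.ObjectGUID -TargetPath 'OU=Quarantine,DC=contoso,DC=com'
```

The Case 2 query only returns direct children of the OU; if the OU contained sub-OUs, repeat the step for each of them, top-down, since their own children record the sub-OU as lastKnownParent. Restored OUs come back with the "Protect object from accidental deletion" ACEs they carried before, so the preventive setting from the previous sections does not need to be reapplied.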
- Abizer
Comments
Anonymous
August 26, 2013
Hi, have a look at this tool, ASN Active Directory Manager. This tool provides the option to set and clear "Protect from accidental deletion" for bulk objects (users, groups, contacts, computers, OUs, etc.) in a single click. Also, the deleted objects (users, groups, contacts, computers) can be restored using more advanced options. Normally the restored users will be in a disabled state and the user's membership and all other properties will be empty. This tool provides the options to set more properties while restoring the users. Generally all the deleted users are restored to their last known parent container. In some cases, the last known parent may also be deleted and not required to restore. Here ASN Active Directory Manager provides the option to select the container to restore the deleted objects. Please visit this page for more details: http://www.adsysnet.com/asn-active-directory-manager-delete-restore.aspx
Anonymous
September 02, 2015
Adaxes can take it to a further level by implementing Approval-Based Workflow in Active Directory environments. It's a great way to prevent the maximum amount of unwanted operations, as they won't be executed unless approved by a responsible authority. http://www.adaxes.com/info_demos.htm?scene=approvals
Approval-based workflow allows you to delegate more tasks but retain control over any potentially unwanted operations.