Prevent “Fat Fingered” deletion of OU objects.
Fat-fingered administration is one of the main causes of OU deletion, with the subsequent “Authoritative Restore” and all the aggravation that goes with it. In Windows Server 2008/2008 R2, Active Directory Users and Computers has a check box titled “Protect object from accidental deletion”; ticking it sets two Deny ACEs that, as the name says, prevent accidental deletion (and, because a move is a delete from the source container, accidental moves as well).
The same protection can be applied on Windows Server 2000/2003, but it is a manual process: the two ACEs have to be set yourself, for example with DSACLS.
To protect the OU called “Members” in the domain “markparris.co.uk” from accidentally being deleted (or moved) out of its parent OU “MARK”, implement the following. In both commands the ACE is added with the “This object only” scope, which is what DSACLS does when /I is omitted:
For the parent “MARK” OU, add a DENY ACE for Everyone to DELETE CHILD (DC) with the This object only scope:
DSACLS “OU=MARK,DC=markparris,DC=co,DC=uk” /D “EVERYONE:DC”
For the “Members” OU itself, add a DENY ACE for Everyone to DELETE and DELETE TREE (SD and DT) with the This object only scope:
DSACLS “OU=Members,OU=MARK,DC=markparris,DC=co,DC=uk” /D “EVERYONE:SDDT”
Note: in Active Directory Users and Computers the View > Advanced Features option must be enabled, otherwise the Object tab (with the check box) and the Security tab (where the two Deny ACEs can be inspected) are not shown.
Although you can apply these ACEs to any object in Active Directory, the configuration is best suited to OUs. Together the two ACEs prevent accidental deletions and moves. Because they are Deny entries for Everyone, they apply to administrators too: when it is genuinely necessary to delete or move a protected OU, the two Deny ACEs must be removed first (in 2008 ADUC, clear the check box) and the change made deliberately.
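The two DSACLS steps above, done from PowerShell and then verified by reading the DACLs back, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed, uses the example DNs from the post (change them for your domain), and adds exactly the ACEs the post describes: Deny Everyone Delete Child on the parent, Deny Everyone Delete + Delete Tree on the OU, both “This object only”. The Test-OuProtected function is my own check; the AD module’s own ProtectedFromAccidentalDeletion property is shown for comparison.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module,
# which also creates the AD: PSDrive used by Get-Acl / Set-Acl below.
Import-Module ActiveDirectory

# Example DNs from the post; adjust for your own domain.
$ParentDn = 'OU=MARK,DC=markparris,DC=co,DC=uk'
$ChildDn  = 'OU=Members,OU=MARK,DC=markparris,DC=co,DC=uk'

# Well-known SID for Everyone, used instead of the localised name.
$Everyone       = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$Deny           = [System.Security.AccessControl.AccessControlType]::Deny
$ThisObjectOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Adds one Deny ACE for Everyone with the "This object only" scope,
# i.e. what "DSACLS <dn> /D EVERYONE:<rights>" does without /I.
function Add-EveryoneDenyAce {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Everyone, $Rights, $Deny, $ThisObjectOnly)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Returns $true if the object carries a Deny ACE for Everyone, scoped to this
# object only, that covers every right bit in $Rights.
function Test-EveryoneDenyAce {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $acl = Get-Acl -Path "AD:\$Dn"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.InheritanceType -eq 'None' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Everyone.Value -and
        (($_.ActiveDirectoryRights -band $Rights) -eq $Rights)
    }
    return [bool]$match
}

# Both halves of the protection must be present: the parent blocks the move
# (a move is a delete from the source container), the object blocks the delete.
function Test-OuProtected {
    param([string]$ChildDn, [string]$ParentDn)
    $parentOk = Test-EveryoneDenyAce -Dn $ParentDn -Rights DeleteChild
    $childOk  = Test-EveryoneDenyAce -Dn $ChildDn  -Rights ([System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree')
    return [pscustomobject]@{
        ParentDenyDeleteChild  = $parentOk
        ObjectDenyDeleteAndTree = $childOk
        Protected              = ($parentOk -and $childOk)
    }
}

# 1. Equivalent of: DSACLS "OU=MARK,..." /D "EVERYONE:DC"
Add-EveryoneDenyAce -Dn $ParentDn -Rights DeleteChild

# 2. Equivalent of: DSACLS "OU=Members,OU=MARK,..." /D "EVERYONE:SDDT"
Add-EveryoneDenyAce -Dn $ChildDn -Rights ([System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree')

# 3. Verify by reading the DACLs back, then compare with the AD module's own view.
Test-OuProtected -ChildDn $ChildDn -ParentDn $ParentDn
Get-ADOrganizationalUnit -Identity $ChildDn -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

On 2008 R2 and later the same result can be had in one line with Set-ADOrganizationalUnit -Identity $ChildDn -ProtectedFromAccidentalDeletion $true, which is what the ADUC check box does; the explicit ACE functions above are useful where that cmdlet is not available or where you want to audit exactly which Deny entries are present. Running Test-OuProtected again after unticking the box (or deleting the two ACEs) should report Protected = False, which is the state you need before a deliberate delete or move.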