Prevent “Fat Fingered” deletion of OU objects.

Fat-fingered administration is one of the main causes of OU deletion and of the subsequent “Authoritative Restores” and associated aggravation. In Windows Server 2008/2008 R2, Active Directory Users and Computers has a check box titled “Protect Container from accidental deletion”; this check box sets two ACEs which, as the box says, prevent accidental deletion.

This functionality can also be set on Windows Server 2000/2003 but it is a manual process.

To protect the OU called “Members” in the domain “markparris.co.uk” from accidentally being deleted (or moved) from its parent OU “MARK”, implement the following:

For the parent “MARK” OU, add a DENY ACE for Everyone to DELETE CHILD with the This object only scope:
DSACLS "OU=MARK,DC=markparris,DC=co,DC=uk" /D "EVERYONE:DC"

For the “Members” OU, add a DENY ACE for Everyone to DELETE and DELETE TREE with the This object only scope:
DSACLS "OU=Members,OU=MARK,DC=markparris,DC=co,DC=UK" /D "EVERYONE:SDDT"

Note: The Advanced Features view option must be enabled in Active Directory Users and Computers.

Although you can configure every object in Active Directory by using these ACEs, this configuration is best suited to OUs. These two ACEs prevent accidental deletions or moves. When it is necessary to delete or move an OU configured this way, the two Deny ACEs must be removed first.
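The two DSACLS commands above wrapped in a script that also reads the ACLs back to confirm the deny ACEs landed, plus a read-only audit of OUs that still lack protection. This is an added example, not code from the original post; it assumes dsacls.exe is available and that the ActiveDirectory PowerShell module (with its AD: drive) is installed, and it uses the post's example DNs.

```powershell
# Added example (not from the original post). Assumes dsacls.exe and the
# ActiveDirectory PowerShell module are available; DNs are the post's sample values.
Import-Module ActiveDirectory

$ParentOU = 'OU=MARK,DC=markparris,DC=co,DC=uk'
$ChildOU  = 'OU=Members,OU=MARK,DC=markparris,DC=co,DC=uk'

function Protect-OUFromDeletion {
    param([string]$ChildDn, [string]$ParentDn)
    # Parent: Deny Everyone DELETE CHILD (DC) on this object only, so the child
    # cannot be deleted or moved out through the parent's permissions.
    dsacls.exe $ParentDn /D 'EVERYONE:DC' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ParentDn" }
    # Child: Deny Everyone DELETE (SD) and DELETE TREE (DT) on the object itself.
    dsacls.exe $ChildDn /D 'EVERYONE:SDDT' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ChildDn" }
}

function Test-OUProtection {
    # Returns $true only when both deny ACEs exist and are scoped to the object itself.
    param([string]$ChildDn, [string]$ParentDn)
    $denyEveryone = {
        param($Dn, [System.DirectoryServices.ActiveDirectoryRights]$Right)
        (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.InheritanceType -eq 'None' -and
            (([int]$_.ActiveDirectoryRights) -band ([int]$Right)) -eq ([int]$Right)
        }
    }
    $parentOk = [bool](& $denyEveryone $ParentDn 'DeleteChild')
    $childOk  = [bool](& $denyEveryone $ChildDn  'Delete, DeleteTree')
    return ($parentOk -and $childOk)
}

Protect-OUFromDeletion -ChildDn $ChildOU -ParentDn $ParentOU
if (-not (Test-OUProtection -ChildDn $ChildOU -ParentDn $ParentOU)) {
    Write-Warning "Deny ACEs not found on $ChildOU / $ParentOU; check the DNs and rights."
}

# Audit (read-only): every OU in the domain that still lacks the protection flag.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object -ExpandProperty DistinguishedName
```

Run it from an account that already holds rights on the parent OU, since the deny ACE it sets on the parent applies to everyone, including the account that added it.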
