Prevent Active Directory Object Deletion

You can configure Active Directory objects as undeletable to prevent having to restore Active Directory.

Readers

July 26, 2004


A best practice that reduces the need to restore Active Directory (AD) is to configure your organizational units (OUs), global groups, computer accounts, printers, important user accounts (e.g., accounts that start services, your boss's account), shared folders, and contacts so that no one can delete them. You can use various methods to configure AD objects as undeletable, depending on the delegation method you use.

In my company, we applied Deny permissions to AD objects in the top-level OUs, then allowed inheritable permissions from the parent to propagate to lower-level objects. To use this method, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select View, Advanced from the menu. Select the Security tab of the AD object you want to protect against accidental deletion, and click Advanced. Select the Permissions tab, click the word NAME to sort permissions by name, then scroll to the top of the list. Double-click the first user or group in the list that has the Delete Object permission for the object you want to protect or Full Control of the object. Depending on the type of AD object and the AD tree level, set the Apply Onto Field option to This Object Only or This Object And All Child Objects. Click Deny for the Delete permission you want to restrict (e.g., delete OU objects, delete printer). Repeat these steps until no user or Global Catalog (GC) has permission to delete any objects you're trying to protect.
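A scripted equivalent of the GUI steps above, added here as an example and not taken from the original tip: it uses the ActiveDirectory module's AD: drive to deny Everyone the Delete and Delete Subtree rights on an OU (inherited to child objects, matching "This Object And All Child Objects"), and additionally denies Delete Child on the OU's parent, since a deletion can also succeed through the parent's Delete Child right. The OU distinguished name is a placeholder, and the parent DN is derived by splitting on the first comma, which assumes no escaped commas in the DN.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module is installed and the DN below is replaced.
Import-Module ActiveDirectory

$ouDn     = 'OU=Servers,DC=example,DC=com'     # placeholder DN
$parentDn = ($ouDn -split ',', 2)[1]            # 'DC=example,DC=com'

# Everyone (well-known SID S-1-1-0): the deny applies to all principals,
# including administrators, until the ACE is removed again.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

$deny = [System.Security.AccessControl.AccessControlType]::Deny
$rights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

# Deny Delete + Delete Subtree on the OU and everything beneath it.
$ouAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $everyone, $rights, $deny,
        ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$ouAcl = Get-Acl -Path "AD:\$ouDn"
$ouAcl.AddAccessRule($ouAce)
Set-Acl -Path "AD:\$ouDn" -AclObject $ouAcl

# Deny Delete Child on the parent (this object only) so the OU cannot be
# removed by someone who only holds Delete Child on the container above.
$parentAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $everyone,
        ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild), $deny,
        ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$parentAcl = Get-Acl -Path "AD:\$parentDn"
$parentAcl.AddAccessRule($parentAce)
Set-Acl -Path "AD:\$parentDn" -AclObject $parentAcl

# Verify: list the Deny ACEs that mention Delete on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.ActiveDirectoryRights -match 'Delete' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Because the inherited ACE denies Delete on every child object as well, removing an object under the OU later requires taking the Deny ACE off first (or clearing inheritance on that object), which is exactly the friction the tip is aiming for.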
