Configuring Active Directory Deletion Protection

Migrating to Server 2012 R2 from Server 2003 brings with it the ability to leverage the benefits of the new operating system. One of the benefits of Server 2012 R2 that you might not know about is Active Directory Deletion Protection.

Orin Thomas

May 29, 2015

Active Directory Deletion Protection is a flag that protects against accidental AD object deletion. It can be set on existing objects and can be configured to be set automatically on new objects.

Active Directory Deletion Protection protects against that chimera of Windows Sysadmin concern – that someone accidentally manages to delete an OU that contains important accounts, perhaps even an entire OU tree.

The way it works is that objects with AD Deletion Protection can’t be deleted just by selecting the object and pressing delete. Instead the properties of the object must be edited and a specific flag that blocks accidental deletion must be removed. It’s a failsafe device – it won’t stop people deleting important Active Directory objects – it just means that they’ll have to explicitly remove deletion protection before doing so.
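
The flag described above is exposed by the ActiveDirectory PowerShell module as the `ProtectedFromAccidentalDeletion` property. The following is an added example, not code from the original article: it audits OUs that lack the flag and enables it, assuming the RSAT ActiveDirectory module and a reachable domain; the function names and the sample distinguished name are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function names and the sample DN below are hypothetical.

function Get-UnprotectedOU {
    [CmdletBinding()]
    param(
        # Subtree to audit; defaults to the whole current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # The flag is not returned by default, so request it explicitly.
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

function Enable-OUDeletionProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        # Honors -WhatIf / -Confirm so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable deletion protection')) {
            Set-ADObject -Identity $DistinguishedName `
                -ProtectedFromAccidentalDeletion $true
        }
    }
}

# 1. Report every OU that can currently be deleted with a single keypress.
$unprotected = Get-UnprotectedOU
$unprotected | Format-Table -AutoSize

# 2. Preview the change; drop -WhatIf to apply it.
$unprotected | Enable-OUDeletionProtection -WhatIf

# 3. A deliberate deletion needs the flag cleared first (constructed DN):
# $dn = 'OU=Retired,DC=example,DC=com'
# Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $dn
```

Running the report on a schedule also catches OUs created by scripts or tools that did not set the flag at creation time.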
