Tip: How to ensure Organisation Units are protected from accidental deletion

This is a simple tip that I want to share about the right way to create Organisation Units to ensure that you always have them protected from accidental deletion.

Ever since Windows Server 2008/Vista there has been an option in ADUC called “Protect container from accidental deletion” (see image below).

image 

The effect of ticking this check box was that the “Everyone” group would be granted a deny delete permission (see below) on the object so that it would be very hard for you to accidentally delete an OU (and all of its contents) even if you are a Domain Admin. NICE!!!

image

image

This is a very handy option to have enabled on all your OUs (groups and users), as we all know that it is quite easy to accidentally delete something when you are working late or just under the pump with a million things on your plate.

However…

You may also be aware that the Group Policy Management Console also has an option to create a new Organisation Unit (see below).

image

image

The problem with using GPMC is that the tool does not apply the “Protect container from accidental deletion” deny security permission to the OU as the ADUC tool does (see below).

image

So in summary, even though it might be really convenient to create OUs in GPMC, I recommend that you do NOT do this, as you might end up regretting you ever did when you accidentally press delete one too many times…
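An added example, not part of the original post: a PowerShell audit that lists OUs lacking the protection (such as those created through GPMC) and can switch it on. It assumes the RSAT ActiveDirectory module is installed and that the account may modify OU permissions; the function names Get-UnprotectedOU and Protect-UnprotectedOU are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: returns every OU under -SearchBase whose
# "Protect container from accidental deletion" setting is off.
function Get-UnprotectedOU {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
            -Properties ProtectedFromAccidentalDeletion, whenCreated |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName, whenCreated
}

# Hypothetical helper: enables the protection on each OU found above.
# Supports -WhatIf / -Confirm so the change can be previewed first.
function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    foreach ($ou in Get-UnprotectedOU -SearchBase $SearchBase) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName,
                'Enable accidental-deletion protection')) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
                -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Report first (oldest OUs at the top), then preview the remediation.
Get-UnprotectedOU | Sort-Object whenCreated | Format-Table -AutoSize
Protect-UnprotectedOU -WhatIf
```

Drop `-WhatIf` from the last line to apply the change, and schedule the report to catch OUs that are created later without the protection.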

Author: Alan Burchill

Microsoft MVP (Group Policy)

5 thoughts on “Tip: How to ensure Organisation Unit are protected from accidental deletion”

  1. How do you delete an OU that has this checked?

    I cannot seem to find a way to do this! 🙁

    1. Open the properties and you uncheck the delete protection (Advanced view must be on)…. or manually remove the Deny Delete permission on the OU.
