AD DS: All OUs in this domain should be protected from accidental deletion

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Warning

Category

Configuration

Issue

Some organizational units (OUs) in this domain are not protected from accidental deletion.

Impact

If all OUs in your Active Directory domains are not protected from accidental deletion, your Active Directory environment can experience disruptions that might be caused by accidental bulk deletion of objects.

Resolution

Make sure that all OUs in this domain are protected from accidental deletion.

You can use the following procedures to protect OUs in your Active Directory domains from accidental deletion.

Note

You can run the following procedures only on a server running Windows Server 2008 R2. In addition, you can use the Windows Server 2008 R2 version of Remote Server Administration Tools (RSAT) on a client computer to manage your Active Directory environment remotely. You must have at least one Windows Server 2008 R2 domain controller in your Active Directory environment to use the Active Directory module for Windows PowerShell successfully.

Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To protect all existing OUs in your domain from accidental deletion by using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. At the Active Directory module command prompt, type the following command to check which OUs are not protected, and then press ENTER:

    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft
    
  3. At the Active Directory module command prompt, type the following command to protect the OUs that you identified in Step 2, and then press ENTER:

    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
    
  4. Run the command in Step 2 again to verify the OUs are protected.

    For more information about the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets, at the Active Directory module command prompt, type Get-Help Get-ADOrganizationalUnit or Get-Help Set-ADOrganizationalUnit, and then press ENTER.
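The two commands above can be wrapped into a small audit-and-remediate script that previews the change with -WhatIf before applying it and then re-checks the domain. This is an added example and is not part of the original topic; the CSV path is an assumed location, and the script needs the Active Directory module and the same group membership as the procedure.

```powershell
# Added example (not from the original topic): audit and optionally remediate
# OU protection across the domain, with -WhatIf support so the change can be
# previewed before it is applied. Requires the Active Directory module.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Returns every OU whose ProtectedFromAccidentalDeletion flag is $false.
    # -SearchBase is optional; by default the whole domain is searched.
    [CmdletBinding()]
    param([string]$SearchBase)

    $params = @{ Filter = '*'; Properties = 'ProtectedFromAccidentalDeletion' }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    Get-ADOrganizationalUnit @params |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

function Protect-UnprotectedOU {
    # Sets the protection flag on each unprotected OU. Run with -WhatIf first
    # to list the OUs that would be changed without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SearchBase)

    foreach ($ou in Get-UnprotectedOU -SearchBase $SearchBase) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Protect from accidental deletion')) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
}

# 1. Report the current state (export path is an assumed example, keep it as a change record)
Get-UnprotectedOU | Export-Csv -Path 'C:\Temp\UnprotectedOUs.csv' -NoTypeInformation

# 2. Preview, then remediate
Protect-UnprotectedOU -WhatIf
Protect-UnprotectedOU

# 3. Verify: the audit should now return nothing
$remaining = @(Get-UnprotectedOU)
if ($remaining.Count -eq 0) { 'All OUs are protected.' } else { $remaining | Format-Table -AutoSize }
```

Because the Domain Controllers OU cannot be protected from the Active Directory Administrative Center, including it in the PowerShell pass as above is the simplest way to cover it together with the other OUs.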

To protect an OU from accidental deletion by using the Active Directory Administrative Center

Note

You cannot use the Active Directory Administrative Center to protect the Domain Controllers OU from accidental deletion. However, you can use the Active Directory module for Windows PowerShell or the Active Directory Users and Computers snap-in to protect the Domain Controllers OU from accidental deletion.

To open the Active Directory Administrative Center, click Start, click Administrative Tools, and then click Active Directory Administrative Center.

Note

Another way to open the Active Directory Administrative Center is to click Start, click Run, and then type dsac.exe.

  1. In the navigation pane, select the node that contains the OU that you want to protect from accidental deletion.

  2. In the management list, right-click the OU that you want to protect from accidental deletion, and then click Properties.

  3. In the Organizational Unit section, click Protect from accidental deletion, and then click OK.

Note

You can run the following procedure only on a server running Windows Server 2008 or Windows Server 2008 R2 or by using the Windows Server 2008 or Windows Server 2008 R2 versions of RSAT on a client computer to manage your Active Directory environment remotely.

To protect an OU from accidental deletion by using Active Directory Users and Computers

  1. Open the Active Directory Users and Computers snap-in. To open Active Directory Users and Computers, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Under View, make sure that Advanced Features is enabled.

  3. In the console tree, navigate to the OU that you want to protect from accidental deletion, right-click the OU, and then click Properties.

  4. In the properties dialog box for the selected OU, on the Object tab, click Protect from accidental deletion, and then click OK.

Additional references

For more information about the Active Directory module, see What's New in AD DS: Active Directory Module for Windows PowerShell (https://go.microsoft.com/fwlink/?LinkId=140056).

Change History

Date: July 19, 2010

Revision: The original Windows PowerShell commands were replaced with the commands provided by Mike Wedderburn-Clark in the customer annotations at the end of this topic.