Protect an Organizational Unit from Accidental Deletion

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use this procedure to add the following access control entries (ACEs):

  • On the organizational unit (OU) that you want to protect, add explicit Deny ACEs for the Delete and Delete Subtree advanced permissions for the Everyone group.

  • On the parent container of the OU that you want to protect, add an explicit Deny ACE for the Delete All Child Objects permission for the Everyone group.

This protects an OU from accidental deletion. When a user tries to delete the protected object, the operation returns an error that indicates access is denied. Because the Deny ACEs are granted to Everyone, they apply to members of Domain Admins as well, so even an administrator must remove the protection before the OU can be deleted. Note also that the Deny ACE on the parent container is not specific to the protected OU: it is evaluated whenever any direct child of that container is deleted. This is a guard against mistakes, not a security boundary; any principal with Modify Permissions (write DACL) on the object can remove the Deny ACEs.

To remove the protection, remove the Deny ACEs that you added for the Everyone group. For more information, see Remove Protection Against Accidental Organizational Unit Deletion.

Although bulk deletions are not common in the configuration partition data that you can view with the Active Directory Sites and Services snap-in, you can apply the same method to protect objects in the configuration partition by using adsiedit.msc.

Membership in the Domain Admins group, or equivalent, is required to complete this procedure.

To protect an OU from accidental bulk deletion

  1. Log on to the computer as a member of the Domain Admins group.

  2. Open Active Directory Users and Computers.

  3. Click View, and then click Advanced Features.

  4. First, apply permissions on the OU that you want to protect. To do this, right-click the OU that you want to protect, and then click Properties.

  5. In OU Properties, click the Security tab, and then click Advanced.

  6. On Advanced Security Settings, click Add, type Everyone, and then click OK.

  7. In Permission Entry, in Permissions, select the Deny check boxes for Delete and Delete subtree.

  8. Select the check box for Apply these permissions to objects and/or containers within this container only.

  9. Click OK to close Permission Entry.

  10. On Advanced Security Settings, click Apply.

  11. Review the Windows Security warning, and then click Yes to continue.

  12. Click OK to close the Advanced Security Settings, and then click OK to close OU Properties.

  13. Second, apply permissions to the parent container of the OU that you want to protect. To do this, right-click the parent container, and then click Properties.

  14. In Container Properties, click the Security tab.

  15. Click Add, type Everyone, and then click OK.

  16. In Permissions for Everyone, select the Deny check box for Delete All Child Objects, and then click Apply.

  17. Review the Windows Security warning, and then click Yes to continue.

  18. Click OK to close Container Properties.
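The same two changes can be scripted. The following PowerShell is an added example, not code from the original article: it adds the Deny ACEs the procedure describes (Delete and Delete Subtree on the OU, Delete All Child Objects on the parent) through System.DirectoryServices using the [ADSI] accelerator, so it needs no Active Directory PowerShell module, and it includes a check that the ACEs are present and a function that removes them again, matching the removal step above. The OU distinguished name at the bottom is a hypothetical value; run it as a member of Domain Admins on a domain-joined computer. It applies each Deny entry to the object itself only (inheritance None); the GUI steps above may also apply the entry to direct child objects depending on the Apply onto setting.

```powershell
# Added example (not from the original article). Assumes the OU DN below is
# hypothetical and that the caller is a member of Domain Admins.
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
$OuRights     = $ADR::Delete -bor $ADR::DeleteTree   # "Delete" + "Delete Subtree" on the OU
$ParentRights = $ADR::DeleteChild                    # "Delete All Child Objects" on the parent

function Get-ParentDN([string]$DN) {
    # Everything after the first unescaped comma of the DN.
    ($DN -split '(?<!\\),', 2)[1]
}

function New-EveryoneDenyRule([System.DirectoryServices.ActiveDirectoryRights]$Rights) {
    # Inheritance None = "This object only": the entry is not propagated to children.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Everyone, $Rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
}

function Get-EveryoneDenyRules($Entry, [System.DirectoryServices.ActiveDirectoryRights]$Rights) {
    # Explicit (non-inherited) Deny ACEs for Everyone that carry every bit in $Rights.
    $Entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            $_.IdentityReference.Value -eq $Everyone.Value -and
            (($_.ActiveDirectoryRights -band $Rights) -eq $Rights)
        }
}

function Protect-OU([string]$OuDN) {
    # Step 1: Deny Delete + Delete Subtree on the OU itself.
    $ou = [ADSI]"LDAP://$OuDN"
    $ou.ObjectSecurity.AddAccessRule((New-EveryoneDenyRule $OuRights))
    $ou.CommitChanges()   # writes nTSecurityDescriptor back to the directory

    # Step 2: Deny Delete All Child Objects on the parent container.
    $parent = [ADSI]"LDAP://$(Get-ParentDN $OuDN)"
    $parent.ObjectSecurity.AddAccessRule((New-EveryoneDenyRule $ParentRights))
    $parent.CommitChanges()
}

function Test-OUProtected([string]$OuDN) {
    # $true only when both ACEs the procedure describes are present.
    $ou     = [ADSI]"LDAP://$OuDN"
    $parent = [ADSI]"LDAP://$(Get-ParentDN $OuDN)"
    $onOu     = @(Get-EveryoneDenyRules $ou $OuRights).Count -gt 0
    $onParent = @(Get-EveryoneDenyRules $parent $ParentRights).Count -gt 0
    return ($onOu -and $onParent)
}

function Unprotect-OU([string]$OuDN) {
    # Removes only the explicit Everyone Deny ACEs that carry the delete rights above,
    # which is what the removal procedure referenced in the article calls for.
    $ou     = [ADSI]"LDAP://$OuDN"
    $parent = [ADSI]"LDAP://$(Get-ParentDN $OuDN)"
    foreach ($r in @(Get-EveryoneDenyRules $ou $OuRights))         { $ou.ObjectSecurity.RemoveAccessRuleSpecific($r) }
    $ou.CommitChanges()
    foreach ($r in @(Get-EveryoneDenyRules $parent $ParentRights)) { $parent.ObjectSecurity.RemoveAccessRuleSpecific($r) }
    $parent.CommitChanges()
}

# Usage with a hypothetical OU:
$target = 'OU=Servers,DC=corp,DC=example'
Protect-OU $target
"Protected: $(Test-OUProtected $target)"
# To undo: Unprotect-OU $target
```

Test-OUProtected is worth running after either path, GUI or script, because a Deny entry that was accidentally added with the wrong inheritance scope or to the wrong principal still produces no error. As noted above, the Deny on the parent's Delete All Child Objects is evaluated for every direct child of that container, so check that nothing else under the parent relies on that permission for routine cleanup.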