Remove Protection Against Accidental Organizational Unit Deletion

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use this procedure to remove the following access control entries (ACEs):

  • On the organizational unit (OU) for which you are removing protection, remove explicit Deny ACEs for the Delete and Delete Subtree advanced permissions for the Everyone group.

  • On the parent container of the OU for which you are removing protection, remove an explicit Deny ACE for the Delete All Child Objects permission for the Everyone group.

This removes protection that prevents an OU from accidental deletion. Consequently, you may have to remove these permissions to be able to perform bulk deletions of objects in Active Directory.

To add the protection back again, you can reselect the Deny check boxes for the Delete and Delete Subtree advanced permissions for the Everyone group for the OU and the Delete All Child Objects permission for the Everyone group on the parent container. For more information, see Protect an Organizational Unit from Accidental Deletion.

Membership in the Domain Admins group, or equivalent, is required to complete this procedure.

To remove protection that prevents an OU from accidental deletion

  1. Log on to the computer as a member of the Domain Admins group.

  2. Open Active Directory Users and Computers.

  3. Click View, and then click Advanced Features.

  4. First, clear permissions on the OU for which you want to remove protection. To do this, right-click the OU, and then click Properties.

  5. In OU Properties, click the Security tab, and then click Advanced.

  6. In Permission Entries, select the Deny entry for the Everyone group, and then click Remove.

  7. Click OK to close the Advanced Security Settings, and then click OK to close OU Properties.

  8. Second, clear permissions on the parent container of the OU for which you want to remove protection. To do this, right-click the parent container, and then click Properties.

  9. In ContainerProperties, click the Security tab.

  10. In Group or user names, select the Everyone group, and then clear the Deny check box for Delete All Child Objects, and then click OK to close Container Properties.