The Importance of Protecting AD Objects against accidental deletion

I’ve recently had to go through the process of restoring a series of OU objects which is not at all fun even with the AD Recycle Bin feature that came along with Windows Server 2008 R2.

It’s easy to make mistakes though but most can be averted with the ‘Protect Object from Accidental Deletion’ flag. In order to toggle this value in the ADUC console select View > Advanced Features.

Once selected the object tab is available which allows you to toggle the object.

Any OUs in the University Active Directory that have been created using the Server 2008/Vista or later AD tools will have the value set by default. Other objects such as users and computers do not get the value automatically.

If you would like to set the property on all OUs or all Objects in given OU then you can run the following commands using the Quest AD Commandlets with appropriate rights:

For OUs only

get-qadobject -sizelimit 0 -type OrganizationalUnit -SearchRoot "OU=MyOU,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk" | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete

For Computers Only

get-qadobject -sizelimit 0 -type OrganizationalUnit -SearchRoot "OU=MyOU,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk" | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete

For Everything

get-qadobject -sizelimit 0 -SearchRoot "OU=MyOU,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk" | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete


Exchange ActiveSync Statistics Update

Every year we try to produce some statistics of the types and number of mobile devices that are connecting to the Exchange servers for email and calendaring.

There have been 7064 unique mobile devices connected between 01/04/2012 and 15/08/2012.

Of the 7064 devices, 4697 belong to students and 2367 to staff.


Disappearing messages to lists

We had a question last week about some messages sent to a local mailing list not reaching the members of the list. When we looked at the logs on the list server we saw that the messages were being discarded as duplicates/loops. This is an explanation of why this happens and how to avoid it.

Every mail message has identifying label associated with it which should be globally unique. This label is called a message-id (commonly shorted to msgid). The system we use to run our mailing lists (Sympa) relies on this to stop looping messages being sent to a list repeatedly. In the version we use at the moment the list of msgids that have been seen is only cleared out when the server is restarted for maintenance – this happens irregularly (later versions expire entries in the cache after a fixed time). This is a reasonably common technique to protect lists for mail-loops – I remember implementing it in the locally written MLM when I worked at Mailbase.

The system deliberately sidelines the message silently because it thinks this is a possible loop and sending a message to the sender has a fair chance of making things worse.

Unfortunately some mail programs will create messages with identical msgids. I believe that some versions of Outlook do this if you use the “Resend” option on an existing message. The workaround is to not use “Resend” unless you’re resending a message that failed to deliver. Some old versions of the Pine mail program generated duplicates occasionally because they used the current time to create the msgid but missed out one of the components(hours, minutes or seconds – can’t remember which).

We’ve found another instance in which Outlook will send messages with identical msgids and that’s using templates. If you use Outlook templates in non-cached mode (more specifically if you use a template created when in non-cached mode) then messages created from that template will all have the same msgid. See discussion at

The suggested workaround for this is to change to using Outlook in Cached mode (see and then recreate the templates (you need to create new templates because the fault is attached to the template). If for some reason cached mode isn’t suitable all the time (for example if you regularly use different desktop machines) you just need to turn it on when creating the template.