I’ve recently had to go through the process of restoring a series of OU objects which is not at all fun even with the AD Recycle Bin feature that came along with Windows Server 2008 R2.
It’s easy to make mistakes though but most can be averted with the ‘Protect Object from Accidental Deletion’ flag. In order to toggle this value in the ADUC console select View > Advanced Features.
Once selected the object tab is available which allows you to toggle the object.
Any OUs in the University Active Directory that have been created using the Server 2008/Vista or later AD tools will have the value set by default. Other objects such as users and computers do not get the value automatically.
If you would like to set the property on all OUs or all Objects in given OU then you can run the following commands using the Quest AD Commandlets with appropriate rights:
For OUs only
get-qadobject -sizelimit 0 -type OrganizationalUnit -SearchRoot "OU=MyOU,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk" | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete
For Computers Only
get-qadobject -sizelimit 0 -type OrganizationalUnit -SearchRoot "OU=MyOU,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk" | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete
For Everything
get-qadobject -sizelimit 0 -SearchRoot "OU=MyOU,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk" | Add-QADPermission -Deny -Account Everyone -ApplyTo ThisObjectOnly -Rights DeleteTree,Delete
REMEMBER TO TEST YOUR SCRIPT FIRST!
If you do use the ‘protect’ feature then you need to be sure that you give everyone who needs it the rights to modify/delete otherwise you’re stuck with it for life if the creator leaves !