Windows 2008 AD new feature, “PROTECT OBJECT FROM ACCIDENTAL DELETION”.

Windows Server 2008 has a new feature that allows you to protect objects from accidental deletion, and you can now set it from the GUI. The same protection was possible in earlier versions of Active Directory, but you had to use DSACLS to modify the ACL on the AD objects. Here is how you protect objects from accidental deletion in Windows Server 2008.

Open ADUC (Active Directory Users and Computers), enable Advanced Features in the View menu, right-click the object and choose Properties, then open the Object tab. There you will see the new checkbox "Protect object from accidental deletion".

By default in Windows Server 2008, OUs created in ADUC are protected. However, OUs that were created before you migrated/upgraded to a Windows Server 2008 domain are not protected. You can achieve the same result in a Windows Server 2003 or earlier domain by modifying the security descriptor of the object to deny Everyone the Delete and Delete Subtree permissions; that is exactly what the checkbox does.

You can use DSACLS to protect an OU. The following command will produce the desired result.

dsacls ou=Msusers,dc=microsoft,dc=local /d Everyone:SDDT

The following command protects all OUs in your domain from accidental deletion (typed at an interactive command prompt; in a batch file write %%i instead of %i):

for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT
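Because OUs created before the upgrade are left unprotected, it helps to audit the whole domain for OUs that are still missing the flag before applying it. The following PowerShell script is an added example and not part of the original post: it lists the unprotected OUs and sets the flag on them. It assumes the ActiveDirectory PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later, not on the original Windows Server 2008 release the dsacls command above targets), and the `$SearchBase` parameter name is an assumption for this example.

```powershell
# Added example (not from the original post): audit OUs for the
# "Protect object from accidental deletion" flag and set it where missing.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
# Run with -WhatIf first to see which OUs would be changed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Search base DN; defaults to the current domain root (assumed).
    [string]$SearchBase
)

Import-Module ActiveDirectory

if (-not $SearchBase) {
    $SearchBase = (Get-ADDomain).DistinguishedName
}

# ProtectedFromAccidentalDeletion is derived from the object's security
# descriptor: it reports $true when Everyone is denied Delete and
# Delete Subtree, the same ACE the dsacls command in the post adds.
$unprotected = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

if (-not $unprotected) {
    Write-Output "All OUs under $SearchBase are already protected."
    return
}

Write-Output ("Found {0} unprotected OU(s):" -f @($unprotected).Count)

foreach ($ou in $unprotected) {
    Write-Output "  $($ou.DistinguishedName)"
    # ShouldProcess honours -WhatIf / -Confirm, so the audit can run read-only.
    if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, "Protect from accidental deletion")) {
        Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
            -ProtectedFromAccidentalDeletion $true
        Write-Output "  -> protected"
    }
}
```

Run it once with `-WhatIf` to get the list of unprotected OUs as a report, then without it to apply the flag. Setting the flag through the cmdlet and through dsacls produces the same Deny ACE, so OUs fixed earlier with the dsacls loop above will already show as protected here.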