Protect your Active Directory from yourself

Another nice feature in Windows Server 2008 (actually it's a pure GUI automation feature, as you could always do this manually through the GUI or a script)
is the 'Protect object from accidental deletion' checkbox on the 'Object' tab of objects in Active Directory Users and Computers.
What this does is add 'Deny Delete' and 'Deny Delete Subtree' permissions for the 'Everyone' group to the DACL of the object,
so you can't accidentally delete the object, even as an admin.
Especially for OUs, and probably also for important groups, this is a nice feature:
in my experience an 'accidental deletion' can have a great impact in a production environment,
and it saves you from having to look for tools or procedures to restore groups and memberships
(which use the backlink and forward link mechanism and can be awkward to restore).
On OUs the checkbox is enabled by default during creation.
If you use scripts to create OUs you can simulate this by adding the permissions in the script,
for example using the dsacls tool:
dsacls ou=MyRobustOU,dc=lab,dc=local /d Everyone:SDDT
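As an added example (not part of the original post), the same protection can be applied and, more importantly, verified and audited from PowerShell. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is available and reuses the post's example DN ou=MyRobustOU,dc=lab,dc=local; the group name 'ImportantGroup' is a placeholder.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# (RSAT) and the post's example DN; 'ImportantGroup' is a hypothetical group.
Import-Module ActiveDirectory

$ouName = 'MyRobustOU'        # OU name from the post
$parent = 'DC=lab,DC=local'   # domain from the post
$ouDN   = "OU=$ouName,$parent"

# 1. Create the OU with the protection flag set. This is the scripted
#    equivalent of the checkbox: the cmdlet writes the same two Deny ACEs
#    (Delete, Delete Subtree) for Everyone that the GUI adds.
try {
    Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction Stop | Out-Null
} catch {
    New-ADOrganizationalUnit -Name $ouName -Path $parent -ProtectedFromAccidentalDeletion $true
}

# 2. Protect an existing object (works for OUs, groups, users, ...).
#    Equivalent to ticking the checkbox afterwards or to the dsacls line above.
Set-ADObject -Identity $ouDN -ProtectedFromAccidentalDeletion $true
$group = Get-ADGroup -Filter "Name -eq 'ImportantGroup'"   # placeholder name
if ($group) { $group | Set-ADObject -ProtectedFromAccidentalDeletion $true }

# 3. Verify what actually landed in the DACL: look for Deny ACEs for Everyone
#    that carry the Delete and/or DeleteTree rights.
$wanted = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$acl    = Get-Acl -Path "AD:\$ouDN"
$denies = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    (($_.ActiveDirectoryRights -band $wanted) -ne 0)
}
if ($denies) {
    "$ouDN is protected:"
    $denies | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
} else {
    Write-Warning "$ouDN has no Deny Delete/DeleteTree ACE for Everyone"
}

# 4. Audit the whole domain: list OUs that are NOT protected, so the ones
#    created by older scripts (without the dsacls step) can be fixed up.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

The ProtectedFromAccidentalDeletion property is computed from exactly those Deny ACEs, so step 4 is a cheap periodic check. Keep in mind that this is only protection against accidents: anyone with rights to change the DACL can remove the Deny entries and then delete the object, so it complements, rather than replaces, backups and a tested restore procedure.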
