How to Protect Active Directory Objects from Accidental or Intentional Deletion?

Protect Active Directory objects from accidental or intentional deletion.

What precautions can be taken to protect Active Directory objects from accidental deletion? Through a simple administrator mistake, a domain user can be deleted from the domain in just a couple of seconds.

The “Protect object from accidental deletion” option can be used to prevent deletion.

When “Protect object from accidental deletion” is enabled for a User or OU, the Everyone group is denied the Delete and Delete Subtree permissions on that object.

With “Protect object from accidental deletion”, permissions are set to deny deletion of the AD object. If you select this, you won’t be able to delete the object on a whim.

This setting is not enabled by default on all objects in Active Directory. When creating an object, it needs to be set manually.

How to enable the “Protect object from accidental deletion” option for all objects in three steps?

Log in to the Domain Controller

Start > All Programs > Administrative Tools > Windows PowerShell module

Command 1: Run the command below to enable protection on all Active Directory users

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

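Command 2: Run the command below to enable protection on any Organizational Unit where the setting is not already enabled

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object { -not $_.ProtectedFromAccidentalDeletion } | Set-ADObject -ProtectedFromAccidentalDeletion:$true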

Command 3: Run the command below to enable protection for groups

Get-ADObject -filter {ObjectClass -eq "group"} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Example:

Screenshot of applying the three commands on the DC

By applying the above three commands, your Active Directory objects are protected from accidental deletion.
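
The following is an added example, not part of the original post. It reports unprotected users, groups and OUs, dry-runs the change with -WhatIf, and then checks each object for the Deny entry on Everyone described above. It assumes the ActiveDirectory module is installed; the function names Get-UnprotectedADObject and Test-DeleteDenyAce are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-UnprotectedADObject {
    # Users, groups and OUs whose ProtectedFromAccidentalDeletion flag is not set.
    # objectCategory=person keeps computer accounts out of the user match.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $filter = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group)(objectClass=organizationalUnit))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Test-DeleteDenyAce {
    # True when explicit Deny ACEs for Everyone (SID S-1-1-0) cover both Delete and DeleteTree.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $need   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    $denied = [System.DirectoryServices.ActiveDirectoryRights]0
    $acl    = Get-Acl -Path "AD:\$DistinguishedName"
    # Explicit ACEs only, identities returned as SIDs so the check is locale-independent.
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq 'S-1-1-0') {
            $denied = $denied -bor $ace.ActiveDirectoryRights
        }
    }
    return (($denied -band $need) -eq $need)
}

# 1. Report what is currently unprotected.
$targets = @(Get-UnprotectedADObject)
$targets | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize | Out-Host

# 2. Dry run: -WhatIf lists the changes without making them. Remove -WhatIf to apply.
$targets | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf

# 3. After applying, confirm the deny entry exists on each object.
$targets | ForEach-Object {
    [pscustomobject]@{ DistinguishedName = $_.DistinguishedName
                       DenyAcePresent    = Test-DeleteDenyAce $_.DistinguishedName }
}
```

The flag is an ordinary deny entry in the object's ACL, so an account allowed to change the object's permissions can clear it; re-running step 1 on a schedule shows where it has been removed.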

  1. nordstrom.com.co
    June 11, 2013 at 8:09 am

    I wish I had found this article sooner. It would have saved me from the confusing data I had to read on this topic. Thank you for clearing things up for me. I appreciate it.

  2. Kumar
    October 13, 2014 at 7:11 am

    just try this tool, active directory manager
    http://www.adsysnet.com/downloads.aspx