
One of the improvements to Active Directory Users and Computers (DSA.MSC) in Windows Server 2008 is the "protection from accidental deletion" feature.  This blog article explains what the feature is and how it works under the hood.

Probably the most common cause of restore operations in AD is accidental deletion of objects.  Administrators with fat fingers can fairly easily delete a single object, an OU or an entire OU tree.  Windows Server 2008 provides a handy checkbox that protects an object from accidental deletion.  The screenshot below shows the checkbox selected by default during the creation of a new OU.

[Screenshot: AccidentalDeleteProtection1 - the "Protect container from accidental deletion" checkbox in the New Object - Organizational Unit dialog]

The checkbox is subsequently available on the Object tab of the object's properties, as shown below.  Note that the protection is not limited to OUs: it can be set on the Object tab of any object type, including users.  The Object tab (like the Security tab) is only displayed when View -> Advanced Features is enabled in the console.

[Screenshot: AccidentalDeleteProtection6 - the "Protect object from accidental deletion" checkbox on the Object tab of an object's properties]

When you attempt to delete an object in Active Directory Users and Computers, you will see the following standard warning.

[Screenshot: AccidentalDeleteProtection2 - the standard "Are you sure you want to delete" confirmation dialog]

If you then select Yes and the object is protected from accidental deletion, you will see the error message "You do not have sufficient privileges to delete <object_name>, or this object is protected from accidental deletion", as shown below.

[Screenshot: AccidentalDeleteProtection3 - the "insufficient privileges or protected from accidental deletion" error dialog]

To go ahead and delete the object you have to go back to the object’s properties, deselect the checkbox on the Object tab and then try the deletion again.


So how is this feature implemented behind the scenes?  Well, it's simple really.  When the checkbox is selected, two new "Deny" access control entries (ACEs) are added to the discretionary access control list (DACL) in the object's security descriptor.  They explicitly deny the Everyone principal the Delete and Delete Subtree permissions on the object.  The screenshot below shows the entries in the Security -> Advanced view of the object's properties.  In a canonically ordered DACL the explicit Deny ACEs are evaluated before the explicit Allow ACEs, so the Deny wins, and because it applies to Everyone it applies to Domain Admins too: nobody can delete the object until the ACEs are removed, either by editing the security directly or by clearing the checkbox on the Object tab.  Two caveats are worth keeping in mind.  First, this is protection against accidents, not against a malicious administrator: anyone with permission to modify the DACL can remove the Deny entries with one click.  Second, Windows also allows a child object to be deleted by a caller who holds Delete All Child Objects on the parent container, so when you audit whether something is really protected, look at the parent's DACL as well as the object's own.

[Screenshot: AccidentalDeleteProtection4 - the Deny ACEs for Everyone in the Security -> Advanced view of the object's properties]
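The same mechanism from the command line, as an added example that is not part of the original post: it uses the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and RSAT, so a newer toolset than the Windows Server 2008 ADUC feature described above) to set the protection, to show the Deny ACE it writes, to find OUs that lack it, and to check the parent container for the Delete All Child Objects grant that the object's own Deny does not cover.  The OU name is hypothetical; adjust it to your forest.

```powershell
# Added example, not code from the original post. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT or later) and a domain-joined session.
Import-Module ActiveDirectory

$DeleteRight      = [System.DirectoryServices.ActiveDirectoryRights]::Delete
$DeleteTreeRight  = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$DeleteChildRight = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$EveryoneSid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Return the Deny ACEs on an object that withhold Delete or Delete Subtree from
# Everyone. These are what the checkbox writes; an empty result means unprotected.
# Compare SIDs rather than the name so localized "Everyone" names still match.
function Get-AccidentalDeletionDenyAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        ((([int]$_.ActiveDirectoryRights -band [int]$DeleteRight) -ne 0) -or
         (([int]$_.ActiveDirectoryRights -band [int]$DeleteTreeRight) -ne 0))
    }
}

# Write the same Deny ACE by hand (Everyone: Deny Delete + Delete Subtree on this
# object only). Set-ADObject -ProtectedFromAccidentalDeletion $true does the same
# job; this version shows what lands in the DACL.
function Protect-FromAccidentalDeletion {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $EveryoneSid,
        ($DeleteRight -bor $DeleteTreeRight),
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit: every OU in the domain that does not carry the protection.
function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object DistinguishedName
}

# The Deny on the object does not stop a caller who holds Delete All Child
# Objects on the parent. List the Allow ACEs on the parent that grant that bit
# (GenericAll includes it, so the bitwise test catches "Full control" too).
function Get-ParentDeleteChildGrant {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    # Strip the leading RDN; the lookbehind keeps escaped commas inside the RDN.
    $parentDN = $DistinguishedName -replace '^.+?(?<!\\),', ''
    $acl = Get-Acl -Path ("AD:\" + $parentDN)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band [int]$DeleteChildRight) -ne 0)
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
}

# Usage (hypothetical OU):
$ou = 'OU=Workstations,DC=corp,DC=example'
Set-ADObject -Identity $ou -ProtectedFromAccidentalDeletion $true   # what the checkbox does
Get-AccidentalDeletionDenyAce -DistinguishedName $ou |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
Get-ParentDeleteChildGrant -DistinguishedName $ou | Format-Table -AutoSize
Get-UnprotectedOU
```

Get-ADObject with -Properties ProtectedFromAccidentalDeletion reports the flag by looking for exactly the Deny ACE that Get-AccidentalDeletionDenyAce lists, which is why toggling the ACE directly and toggling the checkbox are interchangeable.  Running Get-UnprotectedOU on a schedule and alerting on a non-empty result is a cheap way to notice when someone has cleared the checkbox and forgotten to set it again.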

It may not represent a radical change to AD like the RODC or Fine-Grained Password Policies, but Microsoft has done a good job in providing a simple-yet-effective method of protecting objects from accidental deletion in Windows Server 2008. 

5 Comments

  1. Ptochos says:

    Thanks for the info. These new features are fun to learn. There is another tidbit you may want to add – How to get the “Object” tab.

    I created a new OU, then decided it would be better in another location. I got an “Access Denied” error when I tried to move it. I verified that I was in fact the domain admin.
    Since I couldn’t move it, I figured it would be ok to just delete it and recreate it in its new location – That’s when I got the error message that it was protected from accidental deletion. (And Google directed me here)

    There was one more hurdle for me to overcome though; I only had the “General”,”Managed By”, and “COM+” tabs on that OU’s properties.
    I needed to RightClick the OU, select “View – Advanced Features” to get the additional tabs.

  2. Tooky says:

    Thank you for this information. If you want to see “Advanced Features”, you must click “View” on the menu bar and select “Advanced Features” first.

  3. Open a Socket! » Mixed bag ‘o Nuts says:

    [...] while back I blogged about one of the new features of AD in Windows Server 2008: protection from accidental deletion.  If you were looking for a good supporting anecdote to hasten the deployment of this feature [...]

  4. Mats Hansen says:

    Thank you! It helped me out! :D

  5. Jon says:

    Hello,

    I wonder why I delete users? I did all the steps OU not eliminate but rather Users. What should I do? Regards
