One of the improvements to Active Directory Users and Computers (DSA.MSC) in Windows Server 2008 is the "protection from accidental deletion" feature. This blog article explains what the feature is and how it works under the hood.
Probably the most common cause of restore operations in AD is accidental deletion of objects. Administrators with fat fingers can fairly easily delete a single object, an OU or an entire OU tree. Windows Server 2008 provides a handy checkbox that protects an object from accidental deletion. The screenshot below shows the checkbox selected by default during the creation of a new OU.
The checkbox is subsequently available on the Object tab of the object’s properties, as shown below. Note that the protection is not just for OUs; it can be set on the Object tab of any object type, including users.
When you attempt to delete an object in Active Directory Users and Computers, you will see the following standard warning.
If you then select Yes and the object is protected from accidental deletion, you will see the error message "You do not have sufficient privileges to delete <object_name>, or this object is protected from accidental deletion", as shown below.
To go ahead and delete the object you have to go back to the object’s properties, deselect the checkbox on the Object tab and then try the deletion again.
So how is this feature implemented behind the scenes? Well, it’s simple really. When the checkbox is selected, two new "Deny" access control entries (ACEs) are added to the discretionary access control list (DACL) in the object’s security descriptor. These explicitly deny Everyone the Delete and Delete Subtree permissions on the object. The screenshot below shows the entries in the Security -> Advanced view of the object’s properties. An explicit Deny entry beats an Allow entry, which effectively means the object cannot be deleted by anyone without first removing the ACEs, either by editing the security directly or by toggling the accidental deletion checkbox on the Object tab.
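The following script is an added example (not part of the original article) that reads an object's DACL directly and reports whether the two explicit "Deny Everyone" ACEs described above are present, then audits every OU in the domain and optionally switches the protection on. It assumes a domain-joined machine with the ActiveDirectory PowerShell module installed; the audit itself is read-only.

```powershell
# Added example, not code from the original article. Assumptions: run as a
# domain user on a machine with the ActiveDirectory PowerShell module (the
# audit is read-only; the -Remediate switch needs rights to edit the DACL).
Import-Module ActiveDirectory

function Test-AccidentalDeletionAces {
    # Inspect the raw DACL for the two explicit "Deny Everyone" ACEs the checkbox sets.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit ACEs only ($true, $false): inherited entries are not what the checkbox writes.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])

    $denyDelete = $false; $denyTree = $false
    foreach ($ace in $rules) {
        # S-1-1-0 is the well-known SID for Everyone
        if ($ace.AccessControlType -ne 'Deny' -or $ace.IdentityReference.Value -ne 'S-1-1-0') { continue }
        $rights = $ace.ActiveDirectoryRights
        if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete) -ne 0)     { $denyDelete = $true }
        if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree) -ne 0) { $denyTree = $true }
    }
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        DenyDelete        = $denyDelete
        DenyDeleteTree    = $denyTree
        Protected         = ($denyDelete -and $denyTree)
    }
}

function Find-UnprotectedOU {
    # Report every OU missing the protection; with -Remediate, turn it on via
    # Set-ADObject, which is the cmdlet equivalent of ticking the checkbox.
    param([switch]$Remediate)

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $state = Test-AccidentalDeletionAces -DistinguishedName $ou.DistinguishedName
        if (-not $state.Protected) {
            if ($Remediate) {
                Set-ADObject -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
            }
            $state
        }
    }
}

# Usage: Find-UnprotectedOU | Format-Table    (audit only)
#        Find-UnprotectedOU -Remediate        (audit and fix)
```

Because the check reads the DACL rather than a cmdlet property, it also catches objects where someone removed only one of the two Deny ACEs by hand, which the Object tab checkbox alone would not reveal.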
It may not represent a radical change to AD like the RODC or Fine-Grained Password Policies, but Microsoft has done a good job in providing a simple-yet-effective method of protecting objects from accidental deletion in Windows Server 2008.