Preventing OUs and Containers from Accidental Deletion


Those of you running Domain Controllers with full installations of Windows Server 2008 R2, or managing Windows Server 2008 R2-based Domain Controllers using the Remote Server Administration Tools (RSAT) on Windows 7, might have seen the following configuration warning in the Active Directory Best Practice Analyzer (AD BPA):

Warning All OUs in this domain should be protected from accidental deletion

About the Protect from Accidental Deletion functionality

In Active Directory, Organizational Units can be protected from accidental deletion (read: pressing the Del key in the wrong place at the wrong time). Protected objects cannot be deleted unless the protection is removed first. This Active Directory feature was first introduced in Windows Server 2008.


Organizational Units protected by default

According to the Microsoft best practices, all OUs in an Active Directory domain should be protected from accidental deletion. Unfortunately, after a clean install or an upgrade not all Organizational Units are protected:

  • Default OUs and containers
    The default Organizational Units and containers are not protected by default:

    • the Builtin container
    • the Computers container
    • the Domain Controllers Organizational Unit
    • the ForeignSecurityPrincipals container
    • the LostandFound container
    • the Managed Service Accounts container
    • the Program Data container and its underlying containers
    • the System container and its underlying containers
    • the Users container
    • the NTDS Quotas container

  • Legacy OUs and containers
    Only Organizational Units and containers that were initially created using the Windows Server 2008, Windows Server 2008 R2, Windows Vista or Windows 7 Active Directory Users and Computers or Active Directory Administrative Center MMC snap-ins, or through the PowerShell Active Directory module, are protected by default. (The Protect from Accidental Deletion option is on by default in the dialog for creating an Organizational Unit.)

Protecting Organizational Units

It is wise to protect all Organizational Units from accidental deletion. To search for unprotected Organizational Units, use the following two PowerShell commands:

Import-Module ActiveDirectory

Get-ADOrganizationalUnit -Filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | Format-Table Name,ProtectedFromAccidentalDeletion

These commands will produce a table with two columns. The first column lists the names of the Organizational Units in the Active Directory environment. The second column shows True or False, indicating whether the Organizational Unit is protected from accidental deletion or not.

In a clean Active Directory environment, typically, the Domain Controllers Organizational Unit would need the Protect object from accidental deletion property set to true to adhere to the Microsoft Best Practices. After you enable the Advanced Features from the View menu in Active Directory Users and Computers (dsa.msc), you can clearly see this on the Object tab of the OU:

[Image: OU Object Properties, Object tab with the Protect object from accidental deletion checkbox]

Under the hood, what happens is:

  • a Deny Access Control Entry (ACE) for Delete is added to the object itself
  • a Deny Access Control Entry (ACE) for Delete Child is added to the parent object

To protect the Domain Controllers Organizational Unit (and any other unprotected Organizational Units), use the following two PowerShell commands:

Import-Module ActiveDirectory

Get-ADOrganizationalUnit -Filter {name -like "*"} -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
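As an added example (not code from the original post), the following PowerShell audits both Organizational Units and the CN= containers, which Get-ADOrganizationalUnit does not return, and verifies for each one that the two Deny ACEs described above are actually present. It assumes the RSAT ActiveDirectory module and the AD: drive it creates; the function name is my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, which also provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

function Get-DeletionProtectionReport {
    # Hypothetical helper name. Returns one row per OU and container, with the
    # ProtectedFromAccidentalDeletion flag and the two Deny ACEs that back it.
    $domainDn         = (Get-ADDomain).DistinguishedName
    $deleteRight      = [System.DirectoryServices.ActiveDirectoryRights]::Delete
    $deleteChildRight = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

    # Get-ADOrganizationalUnit misses CN= containers such as Users and Computers,
    # so query by objectClass instead.
    $objects = Get-ADObject -SearchBase $domainDn `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' `
        -Properties ProtectedFromAccidentalDeletion

    foreach ($obj in $objects) {
        $dn = $obj.DistinguishedName
        # Parent DN: drop the first RDN (naive split; DNs with escaped commas
        # would need proper DN parsing instead)
        $parentDn  = ($dn -split ',', 2)[1]
        $objAcl    = Get-Acl -Path "AD:\$dn"
        $parentAcl = Get-Acl -Path "AD:\$parentDn"

        # Deny ACE for Delete on the object itself
        $denyDelete = $objAcl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.ActiveDirectoryRights -band $deleteRight)
        }
        # Deny ACE for Delete Child on the parent
        $denyDeleteChild = $parentAcl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.ActiveDirectoryRights -band $deleteChildRight)
        }

        [pscustomobject]@{
            Name                    = $obj.Name
            ObjectClass             = $obj.ObjectClass
            Protected               = [bool]$obj.ProtectedFromAccidentalDeletion
            DenyDeleteOnObject      = [bool]$denyDelete
            DenyDeleteChildOnParent = [bool]$denyDeleteChild
        }
    }
}

# Show unprotected objects and any whose flag and ACEs disagree
Get-DeletionProtectionReport |
    Where-Object { -not $_.Protected -or -not $_.DenyDeleteOnObject } |
    Format-Table -AutoSize
```

The report is read-only; rows where Protected is True but DenyDeleteOnObject is False point at ACLs that were edited by hand after protection was set.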


Protecting containers

The Active Directory Best Practices Analyzer only checks the accidental deletion prevention on Organizational Units in an Active Directory environment, while the default containers might also contain important Active Directory objects.

Not to worry though, because accidentally deleting containers won't be a common occurrence:

  • In Active Directory Users and Computers and the Active Directory Administrative Center, you cannot create or delete containers. Pressing the Del key with a container selected has no effect, because the commands are simply not present.
  • In ADSI Edit (and other more direct Active Directory manipulation tools) the option to delete containers is available, but using it results in an error:

Operation failed Error Code 0x20ce Problem 5003 (WILL_NOT_PERFORM)

This is, in my opinion, why the Active Directory Best Practices Analyzer doesn't need to check the Protect from Accidental Deletion property on Active Directory containers, and why, when you look with Advanced Features turned on in Active Directory Users and Computers, these objects do not have the Protect from Accidental Deletion box selected.


Concluding

The Protect Organizational Units (OUs) from Accidental Deletion feature is a valuable addition to Active Directory. You will be notified through the Active Directory Best Practices Analyzer, when an Organizational Unit (OU) does not have this property set to true.

However, you will not receive a notice when containers are unprotected. The Active Directory Best Practices Analyzer does not check this. You don’t need to protect this kind of object, because other means are in place to keep you from (accidentally) deleting them.

One Response to Preventing OUs and Containers from Accidental Deletion

  1. Hi, your PowerShell script half works, some of the default containers are CNs such as the default users OU.
