Here in this post, I am *NOT* going to talk about protecting Active Directory from external or internal intruders; rather, I will talk about protecting Active Directory from accidental delete, move and modify operations.
Sounds weird? But believe me, every organization faces the problem of accidental OU/object deletions by privileged users (I mean administrators, mostly). Though it is not intentional, the damage costs the company. And again, the sysadmin is the one who has to break their head over a proper restore of the objects, or depend on costly restore software.
So, in this post, I will take you through procedures for protecting an OU from being moved or deleted.
HIGH-ALERT: THIS PROCEDURE CONTAINS DENY PERMISSIONS FOR EVERYONE ON ACTIVE DIRECTORY OBJECTS, SO READERS/FOLLOWERS OF THIS DOCUMENT SHOULD BE VERY CAREFUL WHILE FOLLOWING THE STEPS. I CANNOT GUARANTEE THAT IT WORKS THE WAY I DESCRIBED, AS IT DEPENDS ON YOUR AD INFRASTRUCTURE. USE THIS AT YOUR OWN RISK. I (SITARAM PAMARTHI) AM NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BECAUSE OF THIS POST.
Protect from Deletion
- Open dsa.msc (a.k.a. Active Directory Users and Computers) and open the properties of the Organizational Unit you want to protect
- Switch to the Security tab and click Advanced to get the Advanced Security Settings page
- Click Add, type Everyone and click OK to close the window
- On the Permission Entry page, select This object only from the Apply onto drop-down box and check the Deny box for the Delete and Delete Subtree permissions
- Click OK to leave the Permission Entry page (click Yes on the warning message you receive explaining how Deny works), then click OK on the Advanced Security Settings page and on the OU properties page.
- This completes the process of protecting the OU from deletion
Refer to this TechNet page for details on the protection. In future, if you really want to delete a protected OU, you need to follow the Remove protection procedure described on the same TechNet page.
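The same protection applied and checked from a script, as an added PowerShell example (mine, not code from the post). It assumes the RSAT ActiveDirectory module with its AD: drive and a domain-joined admin session; the OU distinguished name is a placeholder. The first function writes exactly the Everyone Deny Delete / Delete Subtree entry the steps above set in dsa.msc, the second checks that it is present, and the last two use the built-in ProtectedFromAccidentalDeletion flag, which is how the "Protect object from accidental deletion" checkbox writes the same deny entries.

```powershell
# Added example, not from the original post. Placeholder DN below.
Import-Module ActiveDirectory

function Protect-OUFromDeletion {
    param([Parameter(Mandatory)][string]$OuDN)

    # Well-known SID S-1-1-0 is "Everyone"
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    # Delete + DeleteTree == the "Delete" and "Delete Subtree" boxes in the GUI
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $everyone,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This object only"
    )

    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-OUProtectedFromDeletion {
    param([Parameter(Mandatory)][string]$OuDN)

    $acl = Get-Acl -Path "AD:\$OuDN"
    $deleteBits = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    # True only if a Deny ACE for Everyone covers both Delete and DeleteTree
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.ActiveDirectoryRights -band $deleteBits) -eq $deleteBits)
    }
    return [bool]$match
}

function Set-OUBuiltInProtection {
    # Equivalent to the ADUC checkbox; $true adds the deny entries, $false removes them
    param([Parameter(Mandatory)][string]$OuDN, [bool]$Enabled = $true)
    Set-ADOrganizationalUnit -Identity $OuDN -ProtectedFromAccidentalDeletion $Enabled
}

function Get-UnprotectedOUs {
    # Audit helper: every OU in the domain that still lacks the protection flag
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object -ExpandProperty DistinguishedName
}

# Usage (placeholder DN):
$ou = 'OU=Servers,DC=example,DC=com'
Protect-OUFromDeletion -OuDN $ou
Test-OUProtectedFromDeletion -OuDN $ou
Get-UnprotectedOUs
```

The Deny entry is written with inheritance None, matching "This object only", so child OUs and objects are not covered unless you protect them individually (or run Get-UnprotectedOUs and fix each one). Because a move in Active Directory requires Delete rights on the object being moved, an OU protected this way also refuses to be moved, which is worth confirming in a lab before relying on it.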
Protect from Moving
We could handle moves with AD permissions the same way as deletion, but I don't suggest that because of the complexity involved. Rather, I would just disable the drag-and-drop functionality in dsa.msc. I think this should be enough to protect against accidental moves. If an admin really wants to move an OU, he can right-click it and select Move.
I don't want to describe the steps here, but I will point to this KB article, which is very straightforward.
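As an added PowerShell example (mine, not from the post or the linked KB article), the drag-and-drop switch toggled from a script. It assumes, to my knowledge correctly, that the setting the KB describes is the flags attribute of CN=DS-UI-Default-Settings in the DisplaySpecifiers container of the Configuration partition, where a value of 1 disables drag-and-drop in dsa.msc and 0 (or no value) leaves it enabled; it also assumes the ActiveDirectory module and rights to write to the Configuration partition.

```powershell
# Added example, not from the post. Attribute and DN as described in the lead-in.
Import-Module ActiveDirectory

function Get-DsUiSettingsDN {
    # Read the Configuration partition DN from RootDSE so nothing is hard-coded
    $configNC = (Get-ADRootDSE).configurationNamingContext
    return "CN=DS-UI-Default-Settings,CN=DisplaySpecifiers,$configNC"
}

function Get-AducDragDropState {
    # Report whether drag-and-drop is currently disabled (flags = 1)
    $obj = Get-ADObject -Identity (Get-DsUiSettingsDN) -Properties flags
    if ($obj.flags -eq 1) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-AducDragDrop {
    # -Replace also adds the attribute when it has never been set
    Set-ADObject -Identity (Get-DsUiSettingsDN) -Replace @{ flags = 1 }
}

function Enable-AducDragDrop {
    Set-ADObject -Identity (Get-DsUiSettingsDN) -Replace @{ flags = 0 }
}

# Usage: check, disable, check again
Get-AducDragDropState
Disable-AducDragDrop
Get-AducDragDropState
```

This object lives in the Configuration partition, so the change is forest-wide, replicates to every domain controller, and only takes effect in consoles opened after it has replicated. It is a convenience setting for the GUI only: it does not change any permission, so Move from the context menu, ADSI Edit and scripts can still relocate the OU.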