Protecting from Accidental Deletion (or not)

Wednesday, August 23, 2017 in Active Directory
An interesting conversation came up today regarding the Active Directory feature "Protect from accidental deletion". What does this actually mean?

The good news is that this applies to any object in AD: OUs, users, groups, you name it. If it's important to you or your organization, you can go into the Object tab (with Advanced Features enabled) and select the checkbox.

So, what does clicking the checkbox mean? First and foremost, "Protect from accidental deletion" doesn't mean "never be able to delete". A determined admin can still delete these objects - where there's a will, there's a way.

3 fun facts on this feature:
- Checking the box “Protect object from accidental deletion” means a special “deny delete and delete subtree” permission is added for the Everyone principal.
- When an admin tries to delete the object, a message will pop up about “not having sufficient permissions”.
- By deleting the deny special permission, the object is no longer “protected” and the admin can delete the object with no questions asked (other than “Are you sure”).
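
Since the checkbox is only an ACE, it can be audited like any other permission. The following is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module, and `Test-DeleteProtectionAce` is a hypothetical helper name. It lists every OU with its checkbox state and whether the explicit deny ACE for Everyone is actually on the object.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The two rights the checkbox denies, per the post: Delete and DeleteTree.
$needed = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-DeleteProtectionAce {
    # Hypothetical helper: $true when explicit Deny ACEs for Everyone cover both rights.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl    = Get-Acl -Path "AD:\$DistinguishedName"
    $denied = 0
    # Explicit ACEs only, trustees returned as SIDs so localized names do not matter.
    $rules  = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # S-1-1-0 is the well-known SID of the Everyone principal.
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq 'S-1-1-0') {
            $denied = $denied -bor [int]$ace.ActiveDirectoryRights
        }
    }
    return (($denied -band $needed) -eq $needed)
}

# Report every OU with the checkbox state and whether the deny ACE is really there.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            CheckboxSet       = $_.ProtectedFromAccidentalDeletion
            DenyAcePresent    = Test-DeleteProtectionAce -DistinguishedName $_.DistinguishedName
        }
    } |
    Sort-Object DenyAcePresent, DistinguishedName |
    Format-Table -AutoSize
```

An OU that shows `False` under `DenyAcePresent` is no longer protected; `Set-ADObject -ProtectedFromAccidentalDeletion $true` puts the ACE back.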

Hope this helps demystify what this feature does and how it works.

