When you create Active Directory OUs, they have the “Protect container from accidental deletion” option enabled by default.
If you try to delete such an OU with the Active Directory Users and Computers snap-in, an error will appear:
Active Directory Domain Services
You do not have sufficient privileges to delete OU_NAME, or this object is protected from accidental deletion.
If you try to delete a protected OU using PowerShell, you will get an “Access is denied” error:
Get-ADOrganizationalUnit -Identity "OU=California,OU=US,DC=contoso,DC=com" | Remove-ADOrganizationalUnit
Remove-ADOrganizationalUnit : Access is denied
+ CategoryInfo : PermissionDenied: UnauthorizedAccessException
The object deletion protection feature was introduced with the Windows Server 2008 version of Active Directory (AD schema objectVersion 44). This feature is designed to protect Organizational Units and other important Active Directory objects from being accidentally deleted or moved.
When trying to move a protected object, an error will appear:
Active Directory Domain Services
Windows cannot move object OU_NAME because: Access is denied.
Note. The default Active Directory containers (Builtin, Computers, Domain Controllers, Users, System, ForeignSecurityPrincipals, NTDS Quotas) are not protected by default.
You can disable OU deletion protection through the ADUC console:
- Run the dsa.msc snap-in;
- Enable View > Advanced Features in the top menu;
- Find the OU in the Active Directory tree and open its properties;
- Go to the Object tab and uncheck the option Protect object from accidental deletion;
- Now you can delete or move this OU.
You can also change the value of the ProtectedFromAccidentalDeletion attribute of an OU using PowerShell. We’ll use the Get-ADOrganizationalUnit and Set-ADObject cmdlets from the PowerShell Active Directory module to change OU properties. Here is a PowerShell one-liner that will remove protection for the OU and immediately delete the object from the AD:
Get-ADOrganizationalUnit -Identity "OU=California,OU=US,DC=contoso,DC=com" | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit
To display a list of OUs in Active Directory with the ProtectedFromAccidentalDeletion option disabled, run the command:
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Select-Object DistinguishedName
When you enable the Protect object from accidental deletion option in the object properties, it changes the ACL of the Active Directory object. You can see this in ADUC:
- Open the properties of such an object in AD, go to the Security tab > click Advanced;
- Select the ACL entry for the Everyone principal from the list and click Edit;
- As you can see, deny permissions are enabled for the Delete and Delete subtree operations for the Everyone group.
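The same deny entries can be read from PowerShell, which is handy when you want to verify protection on many objects without clicking through ADUC. The script below is an added example, not code from the original article; it assumes the Active Directory module (which provides the AD: PSDrive) and uses the California OU distinguished name from the article as a placeholder.

```powershell
# Added example: inspect the Deny ACEs that the "Protect object from accidental deletion"
# flag writes into an object's ACL. Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

$dn = "OU=California,OU=US,DC=contoso,DC=com"   # DN from the article; replace with your own

# Get-Acl over the AD: drive returns a System.DirectoryServices.ActiveDirectorySecurity object
$acl = Get-Acl -Path ("AD:\" + $dn)

# Protection shows up as Deny entries for Everyone covering Delete and/or DeleteTree
$deleteMask = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

$denyEntries = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    (($_.ActiveDirectoryRights -band $deleteMask) -ne 0)
}

if ($denyEntries) {
    Write-Host "Object $dn is protected from accidental deletion; deny entries:" -ForegroundColor Yellow
    $denyEntries |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Host "Object $dn has no 'Deny Delete/DeleteTree to Everyone' entries; it is not protected." -ForegroundColor Green
}
```

Because the check looks at the explicit ACEs rather than the ProtectedFromAccidentalDeletion attribute, it also catches objects where someone removed only one of the two deny rights by hand; such an object still reports as protected here, and the listed rights tell you which one is left.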
You can protect from accidental deletion not only OUs, but also other types of objects in Active Directory: users, computer accounts, and groups.
You can enable the Protect object from accidental deletion option with the ADUC console or using PowerShell:
Get-ADObject -Identity 'CN=M-DC02,OU=Domain Controllers,DC=contoso,DC=com' | Set-ADObject -ProtectedFromAccidentalDeletion:$true
Now you won’t be able to delete or move this computer object to another OU.
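Putting the listing command and the enable command together gives a periodic audit: report every OU, user, computer and group under a search base that lacks protection, then switch it back on for the OUs. This script is an added example, not part of the original article; it assumes the Active Directory module, an account allowed to modify the objects, and uses the US OU from the article as a placeholder search base.

```powershell
# Added example: audit objects without deletion protection and re-enable it on OUs.
# Assumes the ActiveDirectory module; the search base is a placeholder taken from the article.
Import-Module ActiveDirectory

$searchBase = "OU=US,DC=contoso,DC=com"   # narrow the scope; Get-ADUser -Filter * on a whole domain is expensive

# One query per object class the article says can be protected
$queries = @(
    @{ Class = 'OU';       Get = { Get-ADOrganizationalUnit -Filter * -SearchBase $searchBase -Properties ProtectedFromAccidentalDeletion } },
    @{ Class = 'User';     Get = { Get-ADUser               -Filter * -SearchBase $searchBase -Properties ProtectedFromAccidentalDeletion } },
    @{ Class = 'Computer'; Get = { Get-ADComputer           -Filter * -SearchBase $searchBase -Properties ProtectedFromAccidentalDeletion } },
    @{ Class = 'Group';    Get = { Get-ADGroup              -Filter * -SearchBase $searchBase -Properties ProtectedFromAccidentalDeletion } }
)

$unprotected = foreach ($q in $queries) {
    $class = $q.Class
    & $q.Get |
        Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } |
        Select-Object @{ n = 'Class'; e = { $class } }, DistinguishedName
}

# Report: what is currently at risk of accidental deletion or move
$unprotected | Sort-Object Class, DistinguishedName | Format-Table -AutoSize

# Keep a record of the audit next to the change so the remediation can be reviewed later
$unprotected | Export-Csv -Path "unprotected-ad-objects.csv" -NoTypeInformation

# Remediate OUs only (users and computers are often unprotected on purpose, e.g. for lifecycle scripts).
# -WhatIf makes this a dry run; remove it once the list looks right.
$unprotected | Where-Object { $_.Class -eq 'OU' } | ForEach-Object {
    Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion:$true -WhatIf
}
```

Run it first with -WhatIf in place and read the CSV; only after confirming that none of the listed OUs are intentionally unprotected (for example an OU that a provisioning script deletes and recreates) remove -WhatIf and apply the change.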