Prevent Active Directory Object Deletion

A best practice for restoring Active Directory (AD) is to configure your organizational units (OUs); global groups; computer accounts; printers; and important user accounts (e.g., accounts that start services, your boss's account), shared folders, and contacts so that no one can delete them. You can use various methods to configure AD objects as undeletable, depending on the delegation method you use.

In my company, we applied Deny permissions to AD objects in the top-level OUs, then allowed inheritable permissions from the parent to propagate to lower-level objects. To use this method, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select View, Advanced from the menu. Select the Security tab of the AD object you want to protect against accidental deletion, and click Advanced. Select the Permissions tab, click the word NAME to sort permissions by name, then scroll to the top of the list. Double-click the first user or group in the list that has the Delete Object permission for the object you want to protect or Full Control of the object. Depending on the type of AD object and the AD tree level, set the Apply Onto Field option to This Object Only or This Object And All Child Objects. Click Deny for the Delete permission you want to restrict (e.g., delete OU objects, delete printer). Repeat these steps until no user or Global Catalog (GC) has permission to delete any objects you're trying to protect.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.