A: Accidental changes like deleting an OU that contains many objects are fairly hard to undo in AD. Ideally, delegated administrators shouldn't be granted the AD rights to delete OUs or other sensitive objects, but even domain administrators sometimes have fat fingers.

In Windows Server 2008, Microsoft introduced a new option in the Active Directory Users and Computers (ADUC) Microsoft Management Console snap-in to prevent accidental object deletion. There's a new check box in the object properties on the object tab called Protect object from accidental deletion. Under the hood, this box sets two simple Deny access control entries on the object you want to protect:

• Everyone – Delete
• Everyone – Delete Subtree

If you're familiar with the AD security model, you can apply the same permissions in an existing Windows 2000 or Windows Server 2003 AD forest.

• Q: How can I delegate the right to unlock locked Active Directory (AD) user accounts?
• Q. How do I create the Systems Management container in Active Directory (AD)?
• Organize Your Active Directory Objects
• Active Directory Enhancements: OR What Would Elvis Do?