Q: I want to better protect our Active Directory (AD) user and computer objects against an accidental bulk deletion by an administrator. How can I easily set the Protect object from accidental deletion property for all AD user and computer objects?
A: When the Protect object from accidental deletion property is enabled for an AD object, the object's permissions are automatically set to deny the deletion of the object by the built-in Everyone group. Microsoft introduced this property in Windows Server 2008, and by default, it's enabled only in AD organizational units (OUs). When the property is set, it doesn't propagate down to child objects in the OU—it applies to the OU object only.
You can manually enable the Protect object from accidental deletion property on an AD user or computer object from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the Active Directory Administrative Center GUI. Another way you can enable the property is by running a Windows PowerShell command. With PowerShell, you can even simultaneously enable the property for multiple AD objects. For example, the following command enables it for all AD user and computer objects:
As you can see, this command uses the Get-ADObject cmdlet to get any object with the value "user" in the ObjectClass attribute, which includes all AD user and computer objects. The command then uses the Set-ADObject cmdlet to enable the Protect object from accidental deletion property in those objects. Get-ADObject and Set-ADObject are part of the Active Directory Module for Windows PowerShell, which is installed by default on domain controllers (DCs) running Windows 8 or Windows 7.or Windows Server 2008 R2. You can also install the module on non-domain DCs running Server 2012 or Server 2008 R2, as well as on computers running