A: Accidental changes like deleting an OU that contains many objects are fairly hard to undo in AD. Ideally, delegated administrators shouldn't be granted the AD rights to delete OUs or other sensitive objects, but even domain administrators sometimes have fat fingers.

In Windows Server 2008, Microsoft introduced a new option in the Active Directory Users and Computers (ADUC) Microsoft Management Console snap-in to prevent accidental object deletion. There's a new check box in the object properties on the object tab called Protect object from accidental deletion. Under the hood, this box sets two simple Deny access control entries on the object you want to protect:

  • Everyone – Delete
  • Everyone – Delete Subtree

If you're familiar with the AD security model, you can apply the same permissions in an existing Windows 2000 or Windows Server 2003 AD forest.

Related Reading: