Thursday, September 29, 2011

How To: Set Up Windows Server 2008 & R2 Accidental Delete Protection

Windows Server 2008 and Windows Server 2008 R2 have the ability to protect objects from accidentally being deleted. This feature is extremely helpful in environments where there are numerous Administrators making many changes. This feature may also be useful in a smaller environment with less experienced Administrators.

To use this feature, launch Active Directory Users and Computers by typing dsa.msc in the Search programs and files box and pressing Enter, as demonstrated below:


To create a new Organizational Unit and protect it from being deleted, right-click the location for the new OU, name it, and remember to select the Protect container from accidental deletion check box, as displayed below:

If you have users or groups that you would like to protect against accidental deletion, you can add this protection. First you will need to turn on the Advanced Features of Active Directory Users and Computers. To accomplish this, select the View menu and then select Advanced Features, as illustrated below:

Then open the properties of the user or group that you would like to protect. Click on the Object tab and select the Protect object from accidental deletion box. The sample below is of a user object.

Essentially, this feature denies the Everyone group the Delete all child objects permission in the DACL (Discretionary Access Control List). This prevents Everyone, including members of the Administrators group, from deleting any object that is set to be protected from accidental deletion. The protection can be reversed by a user who has the Full Control permission on the object: that user either clears the Protect object from accidental deletion check box or removes the Access Control Entry from the DACL. An example of the Access Control Entry is below:

This is a valuable feature that prevents some human errors. Even though it is possible to delegate permissions to control who can delete objects, accidental deletions can still occur. This feature forces an administrator to re-evaluate whether an object should be deleted. If it should be deleted, the administrator can set the permissions appropriately and delete the object.
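The same setting can be audited from PowerShell. The following is an added example, not part of the original post: it lists OUs that lack the protection, shows the Deny entries for Everyone on a given object, and previews enabling the protection. It assumes the ActiveDirectory module is available (it ships with Windows Server 2008 R2); the search base `DC=example,DC=com` and the function name `Get-EveryoneDenyAce` are placeholders chosen for this example.

```powershell
# Added example: audit and enable accidental-deletion protection.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT).
Import-Module ActiveDirectory

# Placeholder search base; replace with your own domain's distinguished name.
$SearchBase = 'DC=example,DC=com'

# 1. Find OUs where the protection flag is not set.
$unprotected = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

$unprotected | Select-Object Name, DistinguishedName

# 2. Show the Deny entries held by Everyone on one object's DACL.
#    Everyone is matched by its well-known SID (S-1-1-0) so the check
#    also works on systems where the group name is localized.
function Get-EveryoneDenyAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DistinguishedName
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate($sidType).Value -eq 'S-1-1-0'
        } |
        Select-Object IdentityReference, AccessControlType,
                      ActiveDirectoryRights, IsInherited
}

# Inspect the first unprotected OU (expected to return no Deny entries).
if ($unprotected) {
    Get-EveryoneDenyAce -DistinguishedName @($unprotected)[0].DistinguishedName
}

# 3. Preview enabling the protection on every unprotected OU.
#    Remove -WhatIf to apply the change.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf
```

Running `Get-EveryoneDenyAce` against an object before and after the change shows the Access Control Entry that the check box adds and removes.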


- Janet Nichols, Windows Server Expert; MCT, MCSE, MCITP: Enterprise Admin, Server Admin; Windows 7 EDA, MCTS


1 comment:

  1. Informative blog. Thanks for sharing these types of information. You explained the steps in a very efficient way with the screenshots. It helps all of those who are in the professional world. All the things are cleared in the same way as you explained above.