Deleting an OU

Vlad Varga 0 Reputation points
2026-05-08T09:25:08.14+00:00

I accidentally created an OU inside an OU. How do I delete it, and how do I get full privilege to perform this action?


4 answers

  1. Jason Nguyen Tran 17,755 Reputation points Independent Advisor
    2026-05-08T10:36:21.4033333+00:00

    Hi Vlad Varga,

    To delete the nested OU, you’ll need to open Active Directory Users and Computers (ADUC), navigate to the parent OU, right-click the child OU you want to remove, and select “Delete.” If there are objects inside the OU, you’ll be prompted to confirm their removal as well. Please make sure you’ve backed up or moved any accounts or groups you want to keep before proceeding.

    As for privileges, you’ll need Domain Admin rights or equivalent delegated permissions to perform this action. If your account doesn’t currently have those rights, you’ll need to request elevation from your AD administrator or ensure you’re logged in with an account that has full control over the directory structure.

    It’s also a good practice to verify permissions by checking the OU’s properties under the Security tab in ADUC. This will confirm whether your account has the necessary rights to delete or modify the OU.

    I hope the response provided some helpful insight. If this answer is helpful, please don’t forget to hit “Accept Answer”.

    Jason.


  2. Q&A Assist
    2026-05-08T09:25:30.5333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To delete the child OU and ensure sufficient privileges, use an account that has (or is delegated) the necessary rights on that OU and its parent.

    1. Ensure appropriate permissions
      • In Active Directory, OU administration is typically delegated. The forest or domain owner (service administrator) can grant a group or user rights over a specific OU or subtree.
      • To gain full privilege to delete the child OU, a service administrator (for example, a domain admin) must:
        • Place the administrator(s) into a group.
        • Place the objects to be controlled into an OU.
        • Delegate administrative tasks (including delete) for that OU to that group.
      • Delegation can be as broad as full control of all objects in the OU or as narrow as specific operations on specific object types.
    2. Delete the child OU with PowerShell (if permissions allow)
      • Use the ActiveDirectory PowerShell module:
             Remove-ADOrganizationalUnit -Identity "OU=ChildOU,OU=ParentOU,DC=domain,DC=com" -Recursive
        
      • -Recursive is required if the OU has child objects.
      • If the OU is protected from accidental deletion (ProtectedFromAccidentalDeletion = $true), the cmdlet returns a terminating error. In that case, clear the protection (for example, via ADUC or by adjusting ACEs) before running the command again.
    3. Protect or unprotect OUs from accidental deletion
      • To prevent accidental deletion or movement of OUs, Deny ACEs can be added:
        • On the parent OU: DENY DELETE CHILD.
        • On the OU itself: DENY DELETE and DELETE TREE.
      • These protections can be configured using tools such as Active Directory Users and Computers, ADSIEdit, LDP, or DSACLS.
      • In ADUC (Windows Server 2008 and later), there is a Protect object from accidental deletion / Protect container from accidental deletion checkbox on the Object tab (Advanced Features must be enabled). Clearing this protection allows deletion when appropriate.
    4. Deleting via ADUC
      • In Active Directory Users and Computers:
        • Enable Advanced Features.
        • Right-click the child OU → Properties → Object tab.
        • If Protect object from accidental deletion is checked, clear it.
        • Right-click the child OU → Delete.
      • If access is denied, a higher-level administrator must adjust delegation or ACEs as described above.

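The checks described in the answer above (protection flag, the Deny ACEs behind it, and what the OU contains) can be run before anything is deleted. This is an added example, not part of the original answers; it narrows the case to an accidentally created OU that is expected to be empty, and the DN is the placeholder from the answer, not a real object.

```powershell
# Added example: inspect a nested OU before deleting it.
# Assumes the ActiveDirectory module (RSAT) and an account with rights on the OU.
Import-Module ActiveDirectory

# Placeholder DN taken from the answer above; replace with the real OU.
$ChildOu = 'OU=ChildOU,OU=ParentOU,DC=domain,DC=com'

# 1. Confirm the target exists and read its accidental-deletion flag.
$ou = Get-ADOrganizationalUnit -Identity $ChildOu -Properties ProtectedFromAccidentalDeletion
'{0} protected: {1}' -f $ou.DistinguishedName, $ou.ProtectedFromAccidentalDeletion

# 2. Show the Deny ACEs on the OU (Delete / DeleteTree) and its parent (DeleteChild).
#    The parent DN is everything after the first unescaped comma.
$parentDn = ($ou.DistinguishedName -split '(?<!\\),', 2)[1]
foreach ($dn in $ou.DistinguishedName, $parentDn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.ActiveDirectoryRights -match 'Delete' } |
        Select-Object @{ n = 'Object'; e = { $dn } }, IdentityReference, ActiveDirectoryRights
}

# 3. List everything under the OU, i.e. what -Recursive would also remove.
$children = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName -SearchScope Subtree `
        -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.DistinguishedName -ne $ou.DistinguishedName }
$children | Select-Object ObjectClass, Name, ProtectedFromAccidentalDeletion

# 4. Stop if the OU is not empty: move or review those objects first.
if ($children) {
    Write-Warning "$($children.Count) object(s) found under the OU; nothing was deleted."
    return
}

# 5. Clear the protection only if it is set, then delete with an explicit prompt.
if ($ou.ProtectedFromAccidentalDeletion) {
    Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $false
}
Remove-ADOrganizationalUnit -Identity $ou.DistinguishedName -Confirm
```

Appending `-WhatIf` to the last two cmdlets shows what would change without modifying the directory.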
  3. Jason Nguyen Tran 17,755 Reputation points Independent Advisor
    2026-05-13T03:18:33.61+00:00

    Hi Vlad Varga,

    I’m following up to check whether the issue has been resolved. Feel free to reply if you need further information. If the information provided was helpful, please click "Accept Answer" to help others in the community. Thank you!


  4. Somil Jain 580 Reputation points
    2026-05-08T19:15:37.58+00:00

    Hi Vlad Varga,
    If you cannot delete the OU, the most common reason is that “Protect object from accidental deletion” is enabled.

    Try this:

    1. Open Active Directory Users and Computers.
    2. Enable View → Advanced Features.
    3. Right-click the OU → Properties.
    4. Go to Object tab.
    5. Uncheck **Protect object from accidental deletion**.
    6. Apply changes and try deleting again.

    To get full permissions, your account usually needs:

      • Domain Admin, or
      • delegated permissions on that OU.

    If permissions are still denied, check the Security tab of the OU and verify your account has Full Control.
    If my answer is useful for you, please hit Accept the answer to support me.

    Thank you so much,
