Preventing Unwanted/Accidental Deletions and Restoring Deleted Objects in Active Directory

Preventing Unwanted/Accidental deletions

Windows 2003

Use delegation to restrict deletion to a selected set of administrators only.

· Create a group containing the users who should NOT have permission to delete a given set of objects in AD.

· Deny that group the Delete and Delete Subtree permissions on the specific organizational units (OUs) that contain the user accounts, computer accounts or security groups you want to protect.

· You should also remove the Delete All Child Objects permission on the parent container of the OU that you want to protect; otherwise the OU itself can still be deleted from the parent.

Guarding Against Accidental Bulk Deletions in Active Directory

In Windows 2008

In Windows Server 2008, the Active Directory Users and Computers snap-in provides the “Protect object from accidental deletion” option. When enabled, Protect object from accidental deletion implements the Deny Delete Subtree permission. When you enable Advanced Features on the View menu, the Protect object from accidental deletion option is available on the Object tab. You can open the Properties page for each container in the domain and enable this option.

Use this option to protect all other containers up to the domain level. Good candidates for protection are containers that store Group Policy objects (GPOs) and Active Directory–integrated Domain Name System (DNS) zones. When you enable the Protect object from accidental deletion option, neither the container nor any child object can be deleted by any administrator or other user. An administrator with the right to log on locally to a domain controller and the right to open Active Directory Users and Computers can enable or disable the setting.


· Requires at least one Windows Server 2008 DC in the domain.

· “Protect object from accidental deletion” can only be enabled or disabled using the Active Directory Users and Computers snap-in in Windows Server 2008.

· When “Protect object from accidental deletion” is enabled for a user or OU, the Everyone group is denied the Delete and Delete Subtree permissions on that object.

· With “Protect object from accidental deletion” enabled, no administrator can delete that object unless an administrator first disables/unchecks “Protect object from accidental deletion” on that object.

Windows Server 2008 Protection from Accidental Deletion
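The following PowerShell, added here as an example and not part of the original post, covers both sections above: it audits OUs for the “Protect object from accidental deletion” flag, enables it where missing, and verifies that the expected Deny Delete / Delete Subtree ACEs for Everyone are actually present; a commented dsacls line shows the Windows Server 2003-style group-based deny from the delegation section. It assumes the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 or later) and an account allowed to write OU security descriptors; the OU and group names in the dsacls line are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and an account that can modify OU security descriptors.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Return every OU whose "Protect object from accidental deletion" flag is off.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Enable-OUProtection {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Same effect as ticking the checkbox in ADUC: Everyone is denied
    # Delete and Delete Subtree on the object.
    Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $true
}

function Test-OUDenyDeleteAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the security descriptor via the AD: drive and check for the explicit
    # Deny ACEs the protection flag is supposed to add. Checking the ACL rather
    # than the flag catches cases where someone removed the ACEs by hand.
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
    }
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $hasDelete     = $deny | Where-Object { $_.ActiveDirectoryRights -band $rights::Delete }
    $hasDeleteTree = $deny | Where-Object { $_.ActiveDirectoryRights -band $rights::DeleteTree }
    return [bool]($hasDelete -and $hasDeleteTree)
}

# Report each unprotected OU, protect it, and confirm the ACEs landed.
foreach ($ou in Get-UnprotectedOU) {
    Write-Host "Unprotected: $($ou.DistinguishedName)"
    Enable-OUProtection -DistinguishedName $ou.DistinguishedName
    $ok = Test-OUDenyDeleteAce -DistinguishedName $ou.DistinguishedName
    Write-Host ("  Deny Delete/Delete Subtree for Everyone present: {0}" -f $ok)
}

# Windows Server 2003-era equivalent of the delegation section (no AD module
# needed): deny a group Delete (SD) and Delete Subtree (DT) on one OU, and
# remove Delete All Child Objects (DC) on the parent. Placeholder names:
#   dsacls "OU=Servers,DC=contoso,DC=com" /D "CONTOSO\NoDeleteAdmins:SDDT"
#   dsacls "DC=contoso,DC=com" /R "CONTOSO\NoDeleteAdmins"   # then re-grant without DC
```

Run the audit part first without Enable-OUProtection to see what would change; the dsacls /R line removes all of that group's ACEs on the parent, so re-grant the permissions it should keep afterwards.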

To restore deleted objects in AD within the tombstone lifetime (Windows Server 2003/2008)

Plan 1

· Perform a non-authoritative restore of a previous system state backup that contains the object that needs to be restored.

· Use Ntdsutil to increase the USN of the object you want to restore, i.e. perform an authoritative restore of that object so it wins over the deletion during replication.

· Replicate the authoritatively restored object to the other DCs in the domain.

Performing an Authoritative Restore of Active Directory Objects

Plan 2

· Use a tool like ADRestore to reanimate a recently deleted (tombstoned) object within the tombstone lifetime. Note that a reanimated tombstone keeps only the attributes preserved on the tombstone, so group memberships and other stripped attributes must be restored separately.

How to restore deleted user accounts and their group memberships in Active Directory

In Windows Server 2008 R2

The “Protect object from accidental deletion” option can be used to prevent deletion.

In case the deletion takes place, the object can be recovered with all its attributes using the new Recycle Bin for Active Directory feature.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across the domains.

This feature requires the forest functional level to be Windows Server 2008 R2.

Active Directory Recycle Bin Step-by-Step Guide

- Abizer