Protecting from Accidental Deletion (or not)

An interesting conversation came up today regarding the Active Directory feature "Protect from accidental deletion". What does this actually mean?

So, the good news is that any object in AD, being OUs, users, groups, you name it - If it's important to you or your organization, you can go into the Object tab (advanced features) and select the checkbox.

So, what does clicking the checkbox mean? First and foremost, "Protect from accidental deletion" doesn't mean "never be able to delete". But, a determined admin can delete these objects - where there's a will, there's a way.

3 fun facts on this feature:
- Checking the box “Protect object from accidental deletion” means a special “deny delete and delete subtree” permission is added to the Everyone Principal.
- When an admin tries to delete the object, a message will pop about “not having sufficient permissions”.
- By deleting the deny special permission, the object is no longer “protected” and the admin can delete the object with no questions asked (other than “Are you sure”).

Hope this helps demystify what this feature does and how it works.

— If you like my blogs, please share it on social media, rate it, and/or leave a comment. —

Comments

• Anonymous
  April 04, 2018
  Thanks - that's what I thought would happen. Will using the checkbox also prevent modifying the 'member of' entries? Or for that matter, any info on other tabs?
  • Anonymous
    April 16, 2018
    @Jim, This feature shouldn't change the behavior other than removing the ability for people to delete these entries. Remove the "Everyone Deny Delete" and essentially the object is eligible for deletion. Modify doesn't require a delete.