A small change to Windows Server 2008 can prevent most admins from making this all-too-common lament.
- By Greg Shields
"Aiiiiieeeeee!" -- that's the sound we've all heard before when the tired and overworked Windows administrator accidentally deletes an Organizational Unit full of critical Active Directory objects. I’ve done it before and I'm sure you've done it too. In every case, restoring from a mistake like that is a painful experience -- even if you have rich, third-party AD backup and restore tools in place.
But, with Windows Server 2008, there's a slight change to how objects are administered. This isn't to say that Windows Server 2008 changes Active Directory itself. It only adds a very handy extra checkbox to a few MMC screens that allows you to protect an object from deletion.
The checkbox, titled either "Protect this object from accidental deletion" or "Protect this container from accidental deletion," is available both when you create an OU and on the Object tab of an existing object's properties, and it protects that object or container from being deleted. The actual mechanics of how this works are no fancy upgrade -- it's merely a new feature of the ADUC MMC console. Checking the box updates the ACL of that object to add "Deny Delete" and "Deny Delete Subtree" permissions for the Everyone group, scoped to "This object only." Eliminating the protection is as simple as either clearing the checkbox or manually changing the ACL under the covers.
The really ingenious part of how this new feature is implemented is that it doesn't require a schema upgrade. Because it's a mere permission change under the hood, your Windows Server 2008 boxes can immediately use this protection in an existing Windows Server 2003 AD forest.
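Because the protection is nothing more than two Deny ACEs, you can audit for it by reading the security descriptor directly rather than trusting the checkbox. The following PowerShell is an added example, not code from the article; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, which provides the AD: drive and the Set-ADOrganizationalUnit cmdlet) and an account allowed to read and modify OU security descriptors.

```powershell
# Added example: audit OUs for the ACEs the "Protect from accidental deletion"
# checkbox writes (Deny Delete + Deny Delete Subtree for Everyone, this object
# only) and optionally apply the same protection to any OU that lacks it.
Import-Module ActiveDirectory

$EveryoneSid = 'S-1-1-0'   # well-known SID for the Everyone group
$DeleteRight = [System.DirectoryServices.ActiveDirectoryRights]::Delete
$TreeRight   = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree   # "Delete Subtree" in ADUC

function Test-OUDeleteProtection {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the OU's ACL through the AD: drive the module creates.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $denyDelete = $false
    $denyTree   = $false
    foreach ($ace in $acl.Access) {
        # Only an explicit Deny for Everyone scoped to "This object only" counts,
        # which is exactly the ACE pair the checkbox adds.
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if ($ace.InheritanceType   -ne 'None') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $EveryoneSid) { continue }
        if (($ace.ActiveDirectoryRights -band $DeleteRight) -eq $DeleteRight) { $denyDelete = $true }
        if (($ace.ActiveDirectoryRights -band $TreeRight)   -eq $TreeRight)   { $denyTree   = $true }
    }
    # Report "protected" only when both ACEs are present.
    return ($denyDelete -and $denyTree)
}

function Find-UnprotectedOU {
    # Lists every OU without the protection; -Fix applies the checkbox's equivalent.
    param([switch]$Fix)
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        if (-not (Test-OUDeleteProtection -DistinguishedName $_.DistinguishedName)) {
            Write-Output "UNPROTECTED: $($_.DistinguishedName)"
            if ($Fix) {
                # Same ACL change as ticking the box in ADUC.
                Set-ADOrganizationalUnit -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
            }
        }
    }
}

Find-UnprotectedOU          # audit only
# Find-UnprotectedOU -Fix   # audit and protect every unprotected OU
```

Run the audit form first; an OU that shows up as unprotected after someone "cleaned up" its ACL is worth a look, since clearing the checkbox is all it takes to make the OU deletable again.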
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.