Resolve “All OUs in this domain should be protected from accidental deletion” in Windows Server 2012

In the Best Practices Analyzer (BPA), the following warning may pop up:

Title: All OUs in this domain should be protected from accidental deletion

Severity: Warning

Problem: Some organizational units (OUs) in this domain are not protected from accidental deletion.

Impact: If all OUs in your Active Directory domains are not protected from accidental deletion, your Active Directory environment can experience disruptions that might be caused by accidental bulk deletion of objects.

Resolution:
Make sure that all OUs in this domain are protected from accidental deletion.

If you just installed AD DS and then ran the BPA Scan to verify everything’s OK, I can assure you these two Organizational Units are causing the warning:

  • Domain Controllers
  • Servers

To "protect an OU from accidental deletion", do the following:

  1. Open Active Directory Users and Computers
  2. Right-click the OU that you want to protect from accidental deletion, and click Properties
  3. Go to the tab Object, check "Protect object from accidental deletion" and click OK

[Screenshot: addeletion1]

If it’s only two OUs, then setting these manually is OK. However, it’s not efficient to verify every single OU in an enterprise domain by hand. This may be the right moment to call PowerShell to help! 🙂

  1. Open the Active Directory module for Windows PowerShell. In Windows Server 2012, you can just hit WIN+R, type powershell and press Enter
  2. Type, or copy and paste, the following to list all OUs where the option "Protect object from accidental deletion" is disabled
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft
  3. Now you know all the OUs you should modify. To do this at once, enter the following command in PowerShell:
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
  4. To verify all OUs are modified, enter this command in PowerShell:
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion} | ft

The column ProtectedFromAccidentalDeletion should be True in all lines. The screenshot below shows all steps and results.

[Screenshot: addeletion2]
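
The steps above combined into one script, with a preview mode, a record of which OUs were unprotected before the change, and a verification that re-runs the step 2 query and expects no results. This is an added example, not the author's code; the function name Protect-UnprotectedOU and the CSV path are hypothetical, and it assumes the ActiveDirectory module and rights to modify OUs.

```powershell
# Added example: audit, remediate and verify OU deletion protection.
# Assumes the ActiveDirectory module and rights to modify OUs.
# Protect-UnprotectedOU and the default CSV path are hypothetical names.
Import-Module ActiveDirectory

function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Where to record which OUs were unprotected before the change.
        [string]$ReportPath = ".\unprotected-ous.csv"
    )

    # Same query as step 2: every OU with the flag disabled.
    $unprotected = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion })

    if ($unprotected.Count -eq 0) {
        Write-Output "All OUs are already protected."
        return
    }

    # Keep a record of the pre-change state, even when run with -WhatIf.
    $unprotected |
        Select-Object DistinguishedName, ProtectedFromAccidentalDeletion |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($ou in $unprotected) {
        # -WhatIf / -Confirm passed to the function are honoured here.
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, "Enable deletion protection")) {
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }

    # Verify by re-running the step 2 query: it should now return nothing.
    $remaining = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion })
    Write-Output ("{0} OU(s) still unprotected." -f $remaining.Count)
    $remaining | Select-Object DistinguishedName
}

Protect-UnprotectedOU -WhatIf   # preview only; drop -WhatIf to apply
```

With -WhatIf the count at the end equals the number of OUs listed in the CSV, because nothing has been changed yet; after a real run it should be 0.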

5 Comments
Josh

Nice, this helped – thanks! 🙂

Tiago Sell

Thanks 🙂 This article helped me!

Brynp

Thank you, much clearer than the Microsoft instructions!

Jack

You should mention that in order to see the ‘Object’ tab, you have to check View -> Advanced Features. Thanks for the help.

Vladislav

Thank you!!!
This works perfectly for my organisation's domain.
