What does the Protect object from accidental deletion setting in Windows Server 2008 Active Directory actually do?

Windows Server 2008 Active Directory introduced a setting called Protect object from accidental deletion on all directory objects:


This was implemented to avoid accidentally deleting objects from the directory. OUs have this setting set by default. But what does it actually do?

When this setting is set a Deny access control entry (ACE) is added to the security descriptor of the object (“DELETE” & “DELETE TREE”) and a Deny access control entry (ACE) is added to the security descriptor of the PARENT of the object (“DELETE CHILD”). The security principal associated with these ACEs is Everyone, and they apply to This object only.

So if we select to protect the OU company.com/Unit/Users from deletion, the following will happen in the directory:

  • The Users OU itself will get the “DELETE” and “DELETE TREE” DENY ACE set.
  • The parent of Users, in this case the OU Unit, will get the “DELETE CHILD” DENY ACE set.

Queried with DSACLS.EXE this will look like this:

For the Users OU:

dsacls.exe "OU=Users,OU=Unit,DC=company,DC=com"
Owner: COMPANY\Domain Admins
Group: COMPANY\Domain Admins

Access list:
Deny  Everyone                        SPECIAL ACCESS
DELETE
DELETE TREE

For the Unit OU (the parent of Users):

dsacls.exe "OU=Unit,DC=company,DC=com"
Owner: COMPANY\Domain Admins
Group: COMPANY\Domain Admins

Access list:
Deny  Everyone                        SPECIAL ACCESS
DELETE
DELETE CHILD
DELETE TREE

If you want to set these ACEs yourself you can use DSACLS.EXE:

For the Users OU:

DSACLS "OU=Users,OU=Unit,DC=Company,DC=Com" /D "Everyone:SDDT"

For the Unit OU (the parent of Users):

DSACLS "OU=Unit,DC=Company,DC=Com" /D "Everyone:DC"
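The same two ACEs can be audited and, if missing, applied from PowerShell instead of DSACLS.EXE. The script below is an added example and is not from the original post; it uses System.DirectoryServices to look for an explicit (non-inherited) Deny ACE for Everyone carrying DELETE and DELETE TREE on the OU, and DELETE CHILD on its parent, which is exactly what the setting writes. It assumes a domain-joined host, an account allowed to read (and, with -Apply, modify) the security descriptors, and the placeholder DN shown in the param block.

```powershell
# Added example (not from the original post): audit and optionally apply the two
# Deny ACEs created by "Protect object from accidental deletion".
# Assumptions: domain-joined host, rights to read/write the OU security
# descriptors, placeholder OU distinguished name below.
param(
    [string]$OuDn = "OU=Users,OU=Unit,DC=company,DC=com",   # placeholder DN
    [switch]$Apply
)

Add-Type -AssemblyName System.DirectoryServices

# Everyone (well-known SID S-1-1-0), the principal the built-in setting uses
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Get-ParentDn([string]$Dn) {
    # Drop the leading RDN; sufficient for DNs without escaped commas
    return ($Dn -split ',(?=(?:OU|CN|DC)=)', 2)[1]
}

function Test-DenyEveryoneAce {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    # Explicit ACEs only: the setting writes "This object only" (non-inherited) ACEs
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Deny' -and
            $rule.IdentityReference -eq $Everyone -and
            $rule.InheritanceType -eq 'None' -and
            (($rule.ActiveDirectoryRights -band $Rights) -eq $Rights)) {
            return $true
        }
    }
    return $false
}

function Add-DenyEveryoneAce {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    # Deny ACE for Everyone, applied to this object only (no inheritance)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Everyone, $Rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $Entry.ObjectSecurity.AddAccessRule($rule)
    $Entry.CommitChanges()
}

# Rights the setting denies on the object itself and on its parent
$childRights  = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
$parentRights = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$parentDn = Get-ParentDn $OuDn
$ou       = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$OuDn"
$parent   = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$parentDn"

$ouOk     = Test-DenyEveryoneAce -Entry $ou     -Rights $childRights
$parentOk = Test-DenyEveryoneAce -Entry $parent -Rights $parentRights

"{0}: Deny Everyone DELETE + DELETE TREE present = {1}" -f $OuDn, $ouOk
"{0}: Deny Everyone DELETE CHILD present = {1}" -f $parentDn, $parentOk

if ($Apply) {
    if (-not $ouOk)     { Add-DenyEveryoneAce -Entry $ou     -Rights $childRights }
    if (-not $parentOk) { Add-DenyEveryoneAce -Entry $parent -Rights $parentRights }
}
```

Run it without -Apply to report the state of both OUs; the subset check on ActiveDirectoryRights means an ACE that also carries extra rights (as the Unit OU output above shows, where DELETE and DELETE TREE sit in the same ACE as DELETE CHILD) still counts as protected.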

If you are still running Windows 2000 or Windows Server 2003, I highly recommend making this part of your standard steps for creating new OUs. You can also change the Active Directory Schema so that the ACEs are set by default when creating new objects. When I figure out how that is done I will update this post.
