Unable to prevent OU deletion by Domain Admins?

Josh

I am trying (unsuccessfully) to prevent accidental deletion of several
OUs by our domain admins. For testing purposes, I have done this:

1) Created new OU, removed inheritance of permissions.
2) Removed all groups from the permissions.
3) Added Domain Admins with Full Control.
4) Explicitly set Deny rights for Domain Admins for Delete, Delete
Subtree, and Delete Organizational Unit Objects.

Create new user, add user to Domain Admins. Log in with user, and the
OU can be deleted without warning.

The only way I have gotten this to work is by creating a user in the
OU that I want to protect, and setting Deny All rights for the Domain
Admins group on that user. That prevents Domain Admins from deleting
the parent OU, but it is a pretty bad solution...and it doesn't
explain why the Domain Admins can delete the OU when all relevant
deletion ACLs are set to Deny.

Any thoughts?
 
This is probably a case of you have the permission to delete sub-containers
at the parent container level. Just like with NTFS you can delete a folder
and sub-folders and files even if you don't have permissions to the files
themselves.

Either modify the permissions at the domain level (not the recommended
solution) or take Mark's advice and tighten down the members of the domain
admins group. If these guys can't be trusted, they shouldn't have that much
power...


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
To set an OU to prevent accidental deletion: as stated previously, non-inherited permissions trump inherited permissions in AD. Domain Admins permissions are always set as non-inherited in AD at object creation. Do not modify the existing Domain Admin permissions, simply add the deny.

Apply following three deny permissions to every OU in advanced permission settings on the Object tab:
Permission Object                    Setting   Apply To**
Delete Organizational Unit Objects   Deny      This Object Only
Delete                               Deny      This Object Only
Delete Subtree                       Deny      This Object Only

** In your step 4, this will not work if you apply to "This Object and All Child Objects", you must select "This Object Only".

You can apply it to Domain Admins or Everyone to ensure it is protected. Note this is only to prevent accidental deletion. Any user with full control or Domain Admin permissions can remove the denies and then delete the OU.

Hope that helps,
Tony
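The three "This Object Only" Deny ACEs Tony lists, applied and then verified with PowerShell. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) in an authorised domain session, and the OU distinguished name and the trustee are placeholders to replace.

```powershell
# Added example: protect one OU from accidental deletion by adding the
# three Deny ACEs (Delete, Delete Subtree, Delete Organizational Unit
# Objects) scoped to "This Object Only", without touching the existing
# non-inherited Domain Admins Allow entries.
Import-Module ActiveDirectory

$ouDN      = 'OU=Protected,DC=example,DC=com'                                  # placeholder OU
$principal = [System.Security.Principal.NTAccount]'EXAMPLE\Domain Admins'      # or 'Everyone'

# schemaIDGUID of the organizationalUnit class, read from the schema NC:
# needed to express "Delete Organizational Unit Objects" (DeleteChild for that class).
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$ouClass    = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=organizationalUnit)' -Properties schemaIDGUID
$ouClassGuid = [Guid]$ouClass.schemaIDGUID

$deny           = [System.Security.AccessControl.AccessControlType]::Deny
$thisObjectOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This Object Only"

# Delete + Delete Subtree on the OU itself (no object type, no inheritance).
$aceDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree',
    $deny,
    $thisObjectOnly)

# Delete Organizational Unit Objects = DeleteChild restricted to the OU class GUID.
$aceDeleteChildOU = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    $deny,
    $ouClassGuid,
    $thisObjectOnly)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($aceDelete)
$acl.AddAccessRule($aceDeleteChildOU)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the non-inherited Deny entries now on the OU. As Tony notes,
# anyone with Full Control can still remove these, so this only stops accidents.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.InheritanceType -eq 'None' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

On Windows Server 2008 and later, `Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true` writes the equivalent Everyone Deny Delete/DeleteTree pair for you.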
 