I’m reading a number of ITPro blogs – you’re never finished learning, and chasing the best keeps you competitive. So I’ve read Jorge’s blog post on managing the “Protect from Accidental Deletion” feature (http://jorgequestforknowledge.wordpress.com/2012/03/28/managing-the-protect-from-accidental-deletion-option-on-ad-objects-through-powershell/)
He describes the different methods and tools available to set and unset it. I’d like to give this my own little twist and focus on the method Jorge calls “Adjusting the default security descriptor for OUs”. This is going to be fairly descriptive.
Before that, let’s get the basics straight: “Protect from Accidental Deletion” is a feature that was first introduced in the administration tools with Server 2008 R2. It is meant to protect objects from being fat-fingered: deleted, or moved someplace else in the domain tree. What it does is put an Access Control Entry (ACE) on the object that says “Deny Delete for Everyone”, and that includes Domain Administrators. It’s implemented in “Active Directory Users and Computers” and “Active Directory Administrative Console”. So when you create a new OU in either of these two tools, there’s a checkbox you can set to either protect it (set the ACE) or not (don’t set it, so people can mess with it).
So far, so good. Jorge described a number of ways to set this automatically, but I’d like to go a step further: I’d like to use his method  and deploy it. The idea is simple: we’ve learned that only ADUC and ADAC have the checkbox that creates the protective ACE. The modifications Jorge suggests in  force the ACE to be created upon OU creation, every time. What we do here is tell Active Directory to put that ACE into the “defaultSecurityDescriptor”, the default Access Control List applied when creating new objects of type “Organizational Unit”. That way, not only *can* ADUC and ADAC set it; everything that creates an OU in our Active Directory has that ACE on board.
Note: This guide can also be used to deploy a different standard ACE to the OU object (or any other object class). For example, if you think “Protect from accidental deletion” in your case should only apply to helpdesk users, you may substitute the “Everyone” principal with one or more security groups while following this little guide.
Here’s how we configure it:
- We’ll first create a new OU somewhere with “Protect from accidental deletion”.
- We’ll investigate the OU with ADFind to get the ACL.
- We’ll un-configure “Protect from accidental deletion”.
- We’ll look at the OU with ADFind again and calculate the difference.
- We’ll configure the Schema so that it includes the “Protect from accidental deletion” on its own.
- We’ll update the Schema cache.
The process is: configure an OU with “Protect from accidental deletion”, check that OU’s security descriptor, unconfigure the setting, and check the security descriptor afterwards. Comparing the two security descriptors gives us the SDDL representation of exactly what “Protect from accidental deletion” is. From there, it should be easy to implement it so that all OUs get it.
A number of steps, but they’re easy. Before we start, make sure you read the “Be careful” note at the end of the article:
(1) First step is creating an OU. I won’t describe that step – you should know how to do that. Just make sure you’ll create it with ADUC or ADAC from 2008 R2 so that you can set the “Protect from accidental deletion” flag. My OU is located under the domain object and called “ThatNewOU”.
If you already know what the SDDL representation of the “Deny Delete for Everyone” ACE is, you can skip to step (6).
(2) After you’ve created the OU, we’ll go figure out what its ACL looks like. We’ll ask ADFind for that. The command I’m using is:
adfind -b "OU=ThatNewOU,DC=intern,DC=frickelsoft,DC=net" -u firstname.lastname@example.org -up * -rawsddl ntSecurityDescriptor
The command picks the newly created OU as the base object and reads its “ntSecurityDescriptor” attribute in raw SDDL form. Since I can’t read it as a normal user, I tell adfind to bind as the administrator (-u) and to prompt for the password (-up *). The output looks like this:
(3) To compare this output later on, we’ll save it away. Just redirect the output into a text file by adding “>> sddl-1.txt” to the end of the command.
(4) Now we un-configure “Protect from accidental deletion”. We’ll go into ADUC or ADAC and uncheck the box. That’ll take a minute to replicate. After that, we’ll do another dump. This time, we’ll save it as sddl-2.txt.
(5) Having the two dumps, I use a trick: I open sddl-1.txt and sddl-2.txt and paste their contents into two separate Word files. You can use your favorite comparison tool; if you have windiff handy, off you go. Word has a fine compare function too, and since Word is on the vast majority of machines (not so likely on DCs, but on management boxes or at least your own workstation), we’ll use it here. I save the two documents as sddl-1.docx and sddl-2.docx. After that, I use the Compare function … and see, this is what “Protect from accidental deletion” is all about:
Word shows the difference between the two dumps: the SDDL that makes up the setting “Protect from accidental deletion”. That is what we want to add to the defaultSecurityDescriptor in order to enable the feature for all OUs, no matter where they are created.
(6) Since we now have the SDDL string to add, let’s open ADSIEdit, connect to the Schema NC and look up the Organizational-Unit object. The easiest thing is to sort by the “Class” column: “Organizational-Unit” is a classSchema (an object class rather than an attribute). Next, we open the properties of the “Organizational-Unit” object and browse for the “defaultSecurityDescriptor” attribute. Double-click it.
(7) To be safe and to be able to revert changes, save that attribute value, the SDDL string, into a Notepad session for later use or for your documentation. If you have a pretty standard AD, it should be the out-of-the-box ACL, in which case you could revert to the defaults rather easily. But we’re messing with a pretty essential thing here, so we’d better save it away. After our “backup”, we insert our “Protect from accidental deletion” SDDL string right at the beginning, directly after “D:”. Our SDDL addition becomes the first ACE in parentheses.
(8) Save it. Click OK twice. Back in ADSIEdit, right-click the “Schema” node and select “Update Schema now”. That’ll make sure our change is reloaded on that Domain Controller.
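The same eight steps, as an added PowerShell example that is not from the original post or Jorge’s article: it dumps the OU’s security descriptor (steps 2 and 4), isolates the ACEs that the checkbox added by comparing the two dumps instead of using Word (step 5), and then backs up and extends the Organizational-Unit class’s defaultSecurityDescriptor on the schema master and reloads the schema cache (steps 6 to 8). The ActiveDirectory module cmdlets are real; the OU name and domain DN come from the post, while the backup file name and the use of the RootDSE “schemaUpdateNow” write for the “Update Schema now” step are my assumptions.

```powershell
# Added example (not part of the original post). Requires the ActiveDirectory
# module (RSAT) and an account allowed to modify the schema.
Import-Module ActiveDirectory

# Steps (2)/(4): read an OU's nTSecurityDescriptor and return it as SDDL.
function Get-OuSddl {
    param([Parameter(Mandatory)][string]$Identity)
    $ou = Get-ADObject -Identity $Identity -Properties nTSecurityDescriptor
    # The attribute arrives as an ActiveDirectorySecurity object; ask it for SDDL.
    $ou.nTSecurityDescriptor.GetSecurityDescriptorSddlForm(
        [System.Security.AccessControl.AccessControlSections]::All)
}

# Step (5): split each DACL into its "(...)" ACEs and return those that exist in
# the protected dump but not in the unprotected one, i.e. what the checkbox added.
function Get-DaclAceDifference {
    param([Parameter(Mandatory)][string]$ProtectedSddl,
          [Parameter(Mandatory)][string]$UnprotectedSddl)
    $split = {
        param($sddl)
        # "D:" + optional DACL flags (P, AI, AR) + one or more ACEs; stops at "S:".
        $m = [regex]::Match($sddl, 'D:[A-Z]*((?:\([^)]*\))+)')
        if (-not $m.Success) { return @() }
        [regex]::Matches($m.Groups[1].Value, '\([^)]*\)') | ForEach-Object { $_.Value }
    }
    $before = & $split $ProtectedSddl
    $after  = & $split $UnprotectedSddl
    $before | Where-Object { $after -notcontains $_ }
}

# Steps (6)-(8): back up the OU class's defaultSecurityDescriptor, insert the
# ACE directly after "D:" (and any DACL flags), write it back, reload the cache.
function Add-DefaultOuAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Ace,
          [string]$BackupPath = '.\defaultSecurityDescriptor-OU.bak')   # assumed name

    # Schema changes must be made on the schema master.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNc = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $ouClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=organizationalUnit))' `
        -Properties defaultSecurityDescriptor

    $current = [string]$ouClass.defaultSecurityDescriptor
    Set-Content -Path $BackupPath -Value $current          # step (7) "backup"

    if ($current.Contains($Ace)) {
        Write-Verbose 'ACE already present in defaultSecurityDescriptor; nothing to do.'
        return $current
    }
    $daclStart = $current.IndexOf('D:')
    if ($daclStart -lt 0) { throw "No DACL section found in: $current" }
    $insertAt = $current.IndexOf('(', $daclStart)
    if ($insertAt -lt 0) { $insertAt = $current.Length }
    $new = $current.Insert($insertAt, $Ace)

    if ($PSCmdlet.ShouldProcess($ouClass.DistinguishedName, "set defaultSecurityDescriptor to $new")) {
        Set-ADObject -Server $schemaMaster -Identity $ouClass -Replace @{ defaultSecurityDescriptor = $new }
        # Step (8): the "Update Schema now" equivalent, done via RootDSE (assumption).
        $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
    }
    $new
}

# Usage (run interactively; the un-protect step in between is manual):
# $protected   = Get-OuSddl 'OU=ThatNewOU,DC=intern,DC=frickelsoft,DC=net'
# ... uncheck "Protect from accidental deletion" in ADUC/ADAC and wait for replication ...
# $unprotected = Get-OuSddl 'OU=ThatNewOU,DC=intern,DC=frickelsoft,DC=net'
# $ace = (Get-DaclAceDifference $protected $unprotected) -join ''
# Add-DefaultOuAce -Ace $ace -WhatIf     # drop -WhatIf to apply the change
```

Run it with -WhatIf first and read the proposed string before applying: the function refuses to add an ACE that is already present, so re-running it is harmless, and the backup file holds the value you need to revert. If you want the note above about restricting the deny to a group rather than “Everyone”, edit the “;;;WD” principal in $ace to the group’s SID before calling Add-DefaultOuAce.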
That was it, we’re done. We have now made sure that, no matter with which tool we create an OU, it’ll have the “Protect from accidental deletion” flag set. That should help prevent folks from fat-fingering or accidentally deleting OUs.
Be careful though: when we’re talking about ALL OUs, it literally means “ALL”. When there are applications, services, provisioning scripts, etc. running in your environment that create and delete OUs as part of their job (either periodically or occasionally), they will need special care. They will not be able to delete those OUs ever again as long as the flag is set on the OU. This can cause a script to fail, an application to stop or crash, and a service to stop. “Deny Delete to Everyone” means Everyone: applications, services, scripts and users alike. If you require applications, services etc. to create and delete OUs freely, then setting “Protect from accidental deletion” by default on all OUs may not be your solution. Or you take special care of those OU subtrees and applications, and have the applications change the DACL accordingly.
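To handle the caveat above, an added PowerShell example (again not from the original post): it reports which OUs currently carry the protective ACE and clears the flag only under one subtree that a provisioning script owns, so that the script can delete its OUs again while the rest of the tree keeps the default. The cmdlets and the ProtectedFromAccidentalDeletion property are real; the subtree name is an assumption.

```powershell
# Added example (not part of the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Report every OU with its current protection state; run this after the schema
# change to confirm that newly created OUs show up as protected.
function Get-OuProtectionReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
}

# Clear the flag for every OU below one subtree (the part of the tree an
# application or provisioning script manages). Nothing outside it is touched.
function Clear-OuProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SubtreeDn)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SubtreeDn -SearchScope Subtree `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { $_.ProtectedFromAccidentalDeletion } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'clear ProtectedFromAccidentalDeletion')) {
                # Removes the "Deny Delete for Everyone" ACE that the default now adds.
                Set-ADOrganizationalUnit -Identity $_ -ProtectedFromAccidentalDeletion $false
                $_.DistinguishedName
            }
        }
}

# Usage (subtree DN is assumed; the domain DN comes from the post):
# Get-OuProtectionReport | Where-Object { -not $_.ProtectedFromAccidentalDeletion }
# Clear-OuProtection -SubtreeDn 'OU=Provisioned,DC=intern,DC=frickelsoft,DC=net' -WhatIf
```

Because the default descriptor is applied at creation time, a script that creates OUs under the exempted subtree will still get the ACE on each new OU; either run Clear-OuProtection after each provisioning run or have the script clear the flag on the OUs it creates.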