dgriffit55
Locking Down the AD, How do you remove DELETE
Hello,
I had a major issue last night, one of my administrators deleted close to 2000 accounts. How can I remove the ability for all administrators to DELETE anything and just give all AD Control to a separate Group?
I looked at Delegate Control but Add and Delete were in the same area... I just want to remove delete.
Thanks
Josh
Hello,
If you open AD Users and computers > click 'View' > make sure 'Advanced Features' is checked
Now you can right click on an OU or the domain root and select properties > click the 'security' tab
Here you can look at the permissions and change them if necessary
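The ACL that the Security tab in the answer above displays can also be read and changed from PowerShell. This is an added example, not part of the original thread: it lists the Allow entries on an OU that carry any delete right, then adds an inherited Deny for the delete rights to one group. It assumes the ActiveDirectory module (RSAT) is installed; the OU distinguished name and the group name are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# which provides the AD: drive used by Get-Acl / Set-Acl below.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=com'   # constructed placeholder
$group = 'EXAMPLE\Helpdesk-Admins'      # constructed placeholder
$path  = "AD:\$ouDn"

# The three rights that let a principal remove objects:
#   Delete      - delete the object itself
#   DeleteTree  - delete the object and everything under it
#   DeleteChild - delete child objects of a container
$deleteBits = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

# 1. Audit: who is currently allowed to delete here?
#    GenericAll (Full Control) includes these bits, so it is reported too.
$acl = Get-Acl -Path $path
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ([int]($_.ActiveDirectoryRights -band $deleteBits) -ne 0) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

# 2. Resolve the group to a SID first, so a mistyped name fails here
#    instead of writing a broken ACE.
$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 3. Deny the delete rights on this OU and all descendants.
#    Create/modify rights granted elsewhere are left untouched.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            $deleteBits,
            [System.Security.AccessControl.AccessControlType]::Deny,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: re-read the ACL and show the Deny entries for the group.
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $group } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

An inherited Deny is overridden by an explicit Allow set directly on a child object, and anyone who can edit the OU's permissions can remove the entry, so this guards against accidental deletion rather than a determined administrator.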
Hi dgriffit55,
If you have some tool of an admin running around, I would piss off his access to AD full stop. Add and delete are part of the same delegated task but he doesn't deserve access to either. I doubt it was a mistake... it's kind of hard to mistakenly delete 2000 accounts. Have you got a backup you can restore from?
ASKER
Hi Jay Jay,
I have Veritas 10d however I was not able to restore just the AD. It wanted to restore the complete system state, I am currently talking to Veritas to find out why I could not do that. I am not sure if I should be using a different AD Backup tool or not.
Thanks
Josh
Have you looked at TheCleaner's recommendation?
Here are more articles concerning restoring AD objects but I would try his suggestion first.
How to restore deleted user accounts and their group memberships in Active Directory
http://support.microsoft.com/?kbid=840001
ADRestore
http://www.sysinternals.com/Utilities/AdRestore.html
ASKER
Hi Mdiglio,
This is great info, however are there any easy Backup / Restore programs that you would suggest for AD?
Josh
Veritas is usually pretty reliable, but I would follow TheCleaner's advice with this. I haven't used the tool, but am wise enough to know that if he suggests it, give it a go.
I don't really know the answer to this, maybe another EE expert will. However, I would suggest you download Quest's free Object Restore for AD : http://www.quest.com/object_restore_for_active_directory/
It gives you a nice easy to use GUI to recover deleted AD items (based on tombstoning).
Makes it much less of a "CRAP!!!" situation when a rogue admin deletes something they shouldn't have.