Within the past week, our environment suffered a MAJOR Active Directory SNAFU. Someone within our Domain (which holds probably 20,000 users/systems) deleted a somewhat "high-up" OU, which in turn wiped out several hundred important user and workstation accounts. Luckily, our organization (which has a "root OU" within the tree structure) was pretty insulated from the deletion. The department that lost the OU had to have all of their accounts re-created manually, which took over 2 days. People were obviously fired because of this and we are still trying to estimate the outage costs.
My boss is now asking me how I can protect our environment from suffering from the same fate. There are several skilled engineers in my group that have very elevated rights within our OU structure and one slip of a mouse could potentially delete 2,500 users.
A little about our environment. We have over 2,500 users spread across the country in 20 or so sites. Each site has (2) AD controllers, and they are in the same OU structure. We do NOT manage our DCs. This is done by another group. There are probably 200+ production servers throughout our enterprise.
So, my question is, are there any white papers or system guides that we could use as a start for creating our data protection guide? Is there a backup solution that we could implement that would protect our environment OU and if so, what are the steps/best practices for restoration? Should we develop a script that can "scrape" the AD user/system/group information into some sort of batch file that can be run to restore the environment?
Has anyone been involved in something similar and can give me some tips on how they recovered?