Pau Lo
asked on
deleting an OU in AD
I am not an AD admin myself (please keep that in mind in your responses), but I am told there is a safeguard feature in AD that prevents "accidental" deletion of an OU. How does the safeguard actually work?
Can I ask what the impact would be if an admin accidentally deleted an OU? And realistically how likely is it that some one could/would delete an OU?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Also, you can verify that the check mark is there for existing OUs on the security tab.
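Added example, not code from the original thread: how the safeguard looks from the PowerShell side. In ADUC the check box itself is on the Object tab of the OU (with View > Advanced Features enabled); what it leaves behind on the Security tab is a Deny entry for Everyone covering Delete and Delete Subtree, and because a Deny entry wins over any Allow, even a Domain Admin gets "Access is denied" until the box is cleared. The script below lists the OUs that do not have that entry, switches it on for them, and shows the resulting ACE. It assumes the RSAT ActiveDirectory module, an account allowed to read and modify OU security descriptors, and a placeholder search base.

```powershell
# Added example (not code from the original thread). Assumes the RSAT
# ActiveDirectory module and an account that can read OU security descriptors
# (and modify them for the Set-* step). $searchBase is a placeholder DN.
Import-Module ActiveDirectory

$searchBase = 'DC=corp,DC=example'   # assumption: replace with your domain DN

# ProtectedFromAccidentalDeletion is a computed property: $true only when the
# OU's own ACL carries a Deny entry for Everyone covering Delete and DeleteTree
# (Delete Subtree). Anything else is one keystroke away from being gone.
function Get-UnprotectedOu {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Show what the check box actually puts on the object: the Deny entries in
# its ACL that block Delete / DeleteTree.
function Get-OuDeleteDenyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $mask = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and ($_.ActiveDirectoryRights -band $mask) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# 1. Audit: every OU in scope that is currently deletable.
$unprotected = Get-UnprotectedOu -SearchBase $searchBase
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Enforce: turn the safeguard on for all of them (add -WhatIf on a first run).
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# 3. Verify on one of them: expect an Everyone / Deny / Delete, DeleteTree entry.
if ($unprotected) {
    Get-OuDeleteDenyAce -DistinguishedName $unprotected[0].DistinguishedName
}
```

Two caveats. The protection applies to the OU object only: a user inside a protected OU can still be deleted unless that user is protected as well, and `Remove-ADOrganizationalUnit -Recursive` on an unprotected parent still fails at the first protected child. And the check box also puts a Deny "Delete all child objects" entry on the parent container for Everyone; `Get-OuDeleteDenyAce` looks only at the OU's own ACL, which is also all that the `ProtectedFromAccidentalDeletion` property reports on.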
ASKER
So potentially it could stop people logging into AD if the wrong OU (or the OU they were in) was deleted? Any other issues?
ASKER
>>If it is an OU containing 10,000 users, not good
Please elaborate for someone new to AD?
Stop people logging in if the user/computer object is lost.
Stop group policy settings applying if the linked OU is deleted.
Create issues with orphaned mailboxes if you use Exchange.
Lose printer objects (if in use).
If you delete some of the more system-related structure you could cause problems with the function of the domain itself (this is unlikely to happen, but you never know).
Think of an OU as a folder and user objects (Accounts) as files within that folder - if your folder contains 10,000 files and gets deleted it would cause a problem.
An OU can contain AD objects like users, computers, and groups. It is not uncommon for a company to put all their users in one OU. So if the OU holding all 10,000 users in this example were deleted, all of those accounts would be deleted with it.
Thanks
Mike
Basically, you would lose anything that resides in that OU until it was restored, so it really depends on what is in that OU. If you deleted the System or Builtin OUs it would be worse than just deleting an OU that contains users.
A good product you may want to look into that provides backup of AD as well as many other nice features is Active Administrator: http://www.quest.com/active-administrator/
ASKER
But if you have good AD backups, is it just a matter of time before everything is OK and you recover from the mistake?
Who can/could delete an OU, by mistake or maliciously?
Any domain admin, or someone that has delegated rights, can delete an OU. If you have good backups then yes, you will be able to recover, but there will still be downtime and an outage. That is why Protect from accidental deletion is such a great feature.
Thanks
Mike
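Added example, not code from the original thread, to put names against "any domain admin or someone that has delegated rights". AD lets a caller delete an object if it holds Delete (or Delete Subtree) on the object itself, or Delete Child on the object's parent, and Full Control on either implies both. The script enumerates the Allow entries on each OU and on its parent that grant one of those rights, inherited entries included, since a delegation made three levels up still reaches the OU. It assumes the ActiveDirectory module, a placeholder search base, and OU names without escaped commas (the parent DN is taken by splitting on the first comma).

```powershell
# Added example (not code from the original thread). Lists who holds an Allow
# entry for a right that permits deleting an OU: Delete or DeleteTree on the OU
# itself, DeleteChild on its parent, or GenericAll on either. Assumes the
# ActiveDirectory module; $searchBase is a placeholder; the parent DN is taken
# by splitting on the first comma, so OU names with escaped commas are not handled.
Import-Module ActiveDirectory

$searchBase = 'DC=corp,DC=example'   # assumption: replace with your domain DN

$R        = [System.DirectoryServices.ActiveDirectoryRights]
$onSelf   = $R::Delete -bor $R::DeleteTree -bor $R::GenericAll
$onParent = $R::DeleteChild -bor $R::GenericAll

function Get-OuDeleter {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parentDn = ($DistinguishedName -split ',', 2)[1]
    $targets = @(
        @{ Scope = 'OU';     Dn = $DistinguishedName; Mask = $onSelf   },
        @{ Scope = 'Parent'; Dn = $parentDn;          Mask = $onParent }
    )
    foreach ($t in $targets) {
        (Get-Acl -Path "AD:\$($t.Dn)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $t.Mask) } |
            ForEach-Object {
                [pscustomobject]@{
                    OU        = $DistinguishedName
                    Scope     = $t.Scope
                    Principal = $_.IdentityReference
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

Get-ADOrganizationalUnit -Filter * -SearchBase $searchBase |
    ForEach-Object { Get-OuDeleter -DistinguishedName $_.DistinguishedName } |
    Sort-Object OU, Scope, Principal -Unique |
    Format-Table -AutoSize
```

Read the output as an over-approximation. It ignores the ObjectType GUID on an entry, so a Delete Child delegation scoped to, say, user objects only is listed even though it cannot remove an OU. It also does not show Deny entries, and the Deny entries that Protect from accidental deletion adds override everything listed here. What it will not hide is the other route to deletion: whoever owns the object, or holds Modify Permissions on it, can rewrite the DACL and then delete, so those principals belong on the same list even though they carry no delete right directly.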
ASKER
How could such a deletion happen though, is it likely? Is it easy to mistakenly delete an important OU? Or very rare? What would an admin be doing to accidentally delete an entire OU?
Simple example?
You have the following:
PrintersNorth
PrintersSouth
PrintersEast
PrintersWest
The company decides to close the office "East"
The admin goes to delete PrintersEast but accidentally highlights PrintersWest and hits the delete key. Without "prevent accidental deletion..." checked, the wrong OU could be deleted.
It is rare but I'll tell you a personal story that almost happened to me in 2002. My heart still races thinking about it.
I had a dual-monitor setup and had ADUC up. I thought I was off ADUC on the other screen and hit the delete key. Then a popup: "Are you sure you want to delete this OU?" I immediately said no, but you can see how that could have happened. My mouse focus was still on ADUC... D'OH!!!
I would have turned in my badge and walked out if I had done that.
ASKER
Is there any risk if these are just test OUs, i.e. no live production users/groups/computers?
Obviously not as important in a test lab because if an OU is deleted then no "live" users are going to be down. A test lab is where you test all your restores.
Thanks
Mike
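Added example, not code from the original thread, for the restore you would rehearse in that test lab. The thread talks about recovering from backup; the built-in alternative is the AD Recycle Bin, which keeps a deleted object with all its attributes for the deleted-object lifetime and lets you put it back in place without a restore from media. The part people get wrong is order: `Restore-ADObject` returns an object to its `lastKnownParent`, so a user cannot be restored while the OU that held it is still deleted. The script restores the OU first and then walks its former contents level by level. It assumes the Recycle Bin optional feature was enabled before the deletion (otherwise only stripped tombstones remain and you are back to an authoritative restore from backup), the ActiveDirectory module, and placeholder names and DNs.

```powershell
# Added example (not code from the original thread). Recovers a deleted OU and
# its contents from the AD Recycle Bin. Assumes the Recycle Bin optional feature
# was enabled before the deletion and the ActiveDirectory module is present.
# Names and DNs are placeholders.
Import-Module ActiveDirectory

$deletedOuName = 'PrintersWest'                    # assumption: the OU that went
$formerParent  = 'OU=Printers,DC=corp,DC=example'  # assumption: where it lived

# Deleted objects sit under CN=Deleted Objects with a mangled RDN
# ("<name>\0ADEL:<guid>") but keep lastKnownParent and msDS-LastKnownRDN,
# which is what lets us find them by where they used to live.
function Get-DeletedChild {
    param([Parameter(Mandatory)][string]$ParentDn)
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$ParentDn))" `
        -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, objectClass
}

# Restore everything that was directly under a container, recursing into
# sub-OUs. The container itself must already be back, because Restore-ADObject
# targets lastKnownParent and fails if that parent does not exist.
function Restore-DeletedSubtree {
    param([Parameter(Mandatory)][string]$ParentDn)
    $restored = 0
    foreach ($child in Get-DeletedChild -ParentDn $ParentDn) {
        Restore-ADObject -Identity $child.ObjectGUID
        $restored++
        if ($child.ObjectClass -eq 'organizationalUnit') {
            # Once restored, the sub-OU's DN is its old RDN under the parent we just rebuilt.
            $childDn = "OU=$($child.'msDS-LastKnownRDN'),$ParentDn"
            $restored += Restore-DeletedSubtree -ParentDn $childDn
        }
    }
    $restored
}

# 1. Find the deleted OU under its former parent.
$ou = Get-DeletedChild -ParentDn $formerParent |
      Where-Object { $_.'msDS-LastKnownRDN' -eq $deletedOuName -and $_.ObjectClass -eq 'organizationalUnit' }
if (-not $ou) { throw "No deleted OU named $deletedOuName under $formerParent" }

# 2. Restore the OU first, then its subtree.
Restore-ADObject -Identity $ou.ObjectGUID
$count = Restore-DeletedSubtree -ParentDn "OU=$deletedOuName,$formerParent"
"Restored $deletedOuName and $count child objects"
```

After the run, check the things the thread lists as the impact: that users can log in, that GPO links on the OU still resolve (the links live on the OU's gPLink attribute and come back with it), and that the OU's security descriptor, including any Protect from accidental deletion entry, came back with the object. If `Get-DeletedChild` returns objects with almost no attributes, the Recycle Bin was not on when the deletion happened and this path will not give you working accounts back.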
Mike: OH!!! That would have been bad. Reminds me of when I sent every job that entered a print queue to vapor world for an entire night's processing at a large financial institution back in the early 80s. That was a bad night.
As to the question: I always consider a test environment as just that. It is like beta testing. I create one and then just hack away to see if I can break it. I just do a backup before I do anything.