deleting an OU in AD

I am not an AD admin myself (please keep in mind in your responses), but I am told there is a safeguard feature in AD that prevents "accidental" deletion of an OU? How does the safeguard actually work?
 
Can I ask what the impact would be if an admin accidentally deleted an OU? And realistically, how likely is it that someone could/would delete an OU?
Asked by pma111
 
Joseph Moody (Blogger and wearer of all hats) commented:
The safeguard (protection against accidental deletion) works by denying everyone the ability to delete.

Deleting an OU can be very bad! It all depends on what is in the OU that determines how bad it is. If it is an OU containing 10,000 users, not good. If it is a test OU, no big deal.

http://deployhappiness.com/prevent-accidental-deletion/
 
pony10us commented:
When creating an OU you have a checkbox to prevent accidental deletion.

You can restore a deleted AD item however it is best to do what you can to prevent the "accident" before hand.
 
Mike Kline commented:
Yes, there is a "prevent from accidental deletion" feature that was introduced in 2008 via the GUI on OUs.

http://blogs.technet.com/b/askds/archive/2013/06/04/two-lines-that-can-save-your-ad-from-a-crisis.aspx

Notice you can also turn that on for all objects, but it's on for OUs by default. If an admin accidentally deleted an OU you would need to restore the OU and all objects. That is much easier if you have the AD recycle bin enabled (2008 R2 forest functional feature). If you don't have the recycle bin enabled you would need to use backups and an authoritative restore.

Thanks
Mike
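Mike's distinction between the recycle bin and a backup-based authoritative restore, worked through in PowerShell. This is an added example, not code from the thread or from Microsoft: it assumes the ActiveDirectory RSAT module, an account allowed to restore objects (Domain Admins by default), and uses the placeholder DN OU=Sales,DC=corp,DC=example for the OU that was deleted. The restore function is generic: it brings back the OU and then every object underneath it, recursing into nested OUs.

```powershell
# Added example (not from the thread or from Microsoft): check whether the AD Recycle Bin is
# enabled and, if so, restore a deleted OU together with everything that was inside it.
# Assumes the ActiveDirectory RSAT module and rights to restore objects.
# 'OU=Sales,DC=corp,DC=example' is a placeholder for the DN the OU had before deletion.
Import-Module ActiveDirectory

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled: recovery needs a backup and an authoritative restore.'
    # Enabling it is forest-wide and cannot be undone (forest functional level 2008 R2 or later):
    # Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
    return
}

function Restore-DeletedSubtree {
    # Restores every deleted object whose last known parent is $ParentDn, then recurses into
    # any OU it just restored, so nested containers come back parent-first
    # (a child cannot be restored while its parent is still deleted).
    param([Parameter(Mandatory)][string]$ParentDn)

    $children = Get-ADObject -IncludeDeletedObjects -Properties objectClass, msDS-LastKnownRDN `
        -Filter "isDeleted -eq `$true -and lastKnownParent -eq '$ParentDn'"
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID -ErrorAction Stop
        Write-Host ("Restored {0}: {1}" -f $child.objectClass, $child.'msDS-LastKnownRDN')
        if ($child.objectClass -eq 'organizationalUnit') {
            Restore-DeletedSubtree -ParentDn "OU=$($child.'msDS-LastKnownRDN'),$ParentDn"
        }
    }
}

$lostOuDn = 'OU=Sales,DC=corp,DC=example'      # placeholder DN
$rdn, $parentDn = $lostOuDn -split ',', 2
$ouName = $rdn -replace '^OU=', ''

# A deleted object keeps its original name in msDS-LastKnownRDN and its original
# parent in lastKnownParent; that is how we find the OU in the Deleted Objects container.
$deletedOu = Get-ADObject -IncludeDeletedObjects -Properties msDS-LastKnownRDN, whenChanged `
    -Filter "isDeleted -eq `$true -and objectClass -eq 'organizationalUnit' -and lastKnownParent -eq '$parentDn'" |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $ouName } |
    Sort-Object whenChanged -Descending | Select-Object -First 1   # newest if deleted more than once

if (-not $deletedOu) { throw "No deleted OU named '$ouName' found under $parentDn" }

Restore-ADObject -Identity $deletedOu.ObjectGUID -ErrorAction Stop   # the OU itself first...
Restore-DeletedSubtree -ParentDn $lostOuDn                             # ...then everything below it
```

Objects are recoverable this way only within the deleted object lifetime (180 days by default); after that, or without the recycle bin, the recovery path is the backup and authoritative restore Mike describes, which is why the protection flag that prevents the deletion in the first place is worth more than either.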
 
pony10us commented:
Also, you can verify that the check mark is there for existing OUs on the security tab.
 
LHT_ST commented:
When selected, the "prevent accidental deletion" checkbox inserts a deny entry into the ACL for that object on the delete permission.

Accidents can happen and of course malicious intent can cause an OU to be deleted however this is not a regular occurrence.

The impact would be down to your organisation - for example we have trees of OUs in our organisation (mainly for printing etc.):

Sites
    SITE1
        Department 1
            Printer1
            Printer2
        Department 2

If we were to delete the Printer1 OU this would obviously cause an outage for the people attached to the printer, but it's not a catastrophe; if we were to delete the SITE1 OU this would be a big problem as we would have lost all departments, user/computer objects etc.

You can guard against things with some backup technologies - for instance Netbackup can use Granular backup and restores to back up everything down to the computer/user object level meaning if someone did accidentally delete an OU it can be restored.
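What the checkbox actually writes into the ACL, as LHT_ST describes, and a way to audit it across every OU at once instead of opening the Security tab on each one as pony10us suggests. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module (which provides the AD: drive used by Get-Acl) and an account that can read OU ACLs and modify OUs. The function names are my own.

```powershell
# Added example (not from the thread): audit and enforce "Protect object from accidental deletion"
# on every OU. Assumes the ActiveDirectory RSAT module; Import-Module creates the AD: drive.
Import-Module ActiveDirectory

function Get-OuDeletionProtection {
    # One row per OU: the ProtectedFromAccidentalDeletion flag the cmdlets expose, and whether
    # the ACE behind it is really present: an explicit Deny for Everyone (S-1-1-0) on
    # Delete / Delete Subtree. (The flag also puts a Deny for "Delete all child objects"
    # on the parent container.)
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $everyone     = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
      ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $denyAce = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
            ([int]($_.ActiveDirectoryRights -band $deleteRights) -ne 0)
        }
        [pscustomobject]@{
            OU      = $_.DistinguishedName
            Flag    = $_.ProtectedFromAccidentalDeletion   # what Set-ADOrganizationalUnit manages
            DenyAce = [bool]$denyAce                        # what the domain controller enforces
        }
      }
}

function Enable-OuDeletionProtection {
    # Sets the flag on every OU that lacks it. Supports -WhatIf so you can preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
      Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
      ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Enable protection from accidental deletion')) {
            Set-ADOrganizationalUnit -Identity $_ -ProtectedFromAccidentalDeletion $true
        }
      }
}

# Usage (constructed): list OUs missing the deny entry, then preview fixing them.
Get-OuDeletionProtection | Where-Object { -not $_.DenyAce } | Format-Table -AutoSize
Enable-OuDeletionProtection -WhatIf
```

Reporting both the flag and the ACE catches the case where someone edited the ACL by hand. The deny entry applies to Everyone, which is why even a Domain Admin gets an "access denied" on delete; but anyone with rights to modify the ACL can clear the checkbox first, so this is a guardrail against the slip LHT_ST and pony10us describe, not a control against a malicious administrator.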
 
Juan Ocasio commented:
There are settings (Access Control Entries) that will allow you to deny deletion of an OU. The OU in itself is a container, but once GPOs are applied, they will do specific things. If an OU is deleted with specific GPOs applied (for example, anyone in the operations GPO would have a specific desktop), then anything that GPO specified would be deleted.
 
pma111 (Author) commented:
So potentially it could stop people logging into AD if the wrong (or OU they were in) OU was deleted? Any other issues?
 
pma111 (Author) commented:
>>If it is an OU containing 10,000 users, not good

Please elaborate for someone new to AD?
 
LHT_ST commented:
Stop people logging in if the user/computer object is lost.

Stop group policy settings applying if the linked OU is deleted.

Create issues with orphaned mailboxes if you use Exchange.

Lose printer objects (if in use).

If you delete some of the more system-related structure you could cause problems with the function of the domain itself (this is unlikely to happen, but you never know).
 
LHT_ST commented:
Think of an OU as a folder and user objects (Accounts) as files within that folder - if your folder contains 10,000 files and gets deleted it would cause a problem.
 
Mike Kline commented:
An OU can contain AD objects like users, computers, and groups. It is not uncommon for a company to put all their users in one OU. So if the OU that was deleted contained all 10,000 users, as in this example, then all those accounts would also have been deleted.

Thanks

Mike
 
pony10us commented:
Basically, you would lose anything that resides in that OU until it was restored, so it really depends on what is in that OU. If you deleted the System or Builtin OUs it would be worse than just deleting an OU that contains users.

A good product you may want to look into that provides backup of AD as well as many other nice features is Active Administrator:  http://www.quest.com/active-administrator/
 
Seth Simmons (Sr. Systems Administrator) commented:
that first comment doesn't make sense; it implies that unless the OU has a large number of objects then it's bad

any OU that has production objects regardless of the quantity is bad if accidentally deleted - computer accounts, user objects, etc.
 
pma111 (Author) commented:
But if you have good AD backups, it's just a time thing before everything is OK to recover from the mistake?

Who can/could delete an OU, by mistake or maliciously?
 
Mike Kline commented:
Any domain admin or someone that has delegated rights can delete an OU. If you have good backups, yes, you will be able to recover, but there will still be downtime and an outage. That is why protect from accidental deletion is such a great feature.

Thanks

Mike
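Mike's answer covers who can delete an OU; the other half of that question for a defender is finding out when it happened and by whom. Domain controllers record each directory object deletion as Security event 5141 ("A directory service object was deleted"), provided the "Directory Service Changes" audit subcategory is enabled and the OUs carry an audit (SACL) entry for Delete / Delete Subtree. This is an added example, not code from the thread; dc1.corp.example is a placeholder domain controller name and the function name is my own.

```powershell
# Added example (not from the thread): list OU deletions recorded on a domain controller as
# Security event 5141, with the account that performed each one.
# Prerequisites on each DC: the "Directory Service Changes" audit subcategory enabled
# (auditpol /set /subcategory:"Directory Service Changes" /success:enable) and a SACL entry
# on the OUs for Delete / Delete Subtree. 'dc1.corp.example' is a placeholder.

function Get-OuDeletionEvents {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read the named fields from the event XML rather than parsing the message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectClass -eq 'organizationalUnit') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                DC         = $_.MachineName
                Who        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                DeletedOU  = $data.ObjectDN
                TreeDelete = $data.TreeDelete   # 'true' when the whole subtree was removed with it
            }
        }
      }
}

# Usage (constructed): the last three days of OU deletions on one DC.
Get-OuDeletionEvents -DomainController 'dc1.corp.example' -Hours 72 | Format-Table -AutoSize
```

The event is written only on the DC where the deletion was performed, so run this against every DC (or collect the Security logs centrally). A 5141 for an OU that still has the protection flag set is worth a second look, since it means someone cleared the checkbox or edited the ACL before deleting.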
 
pma111 (Author) commented:
How could such a deletion happen though; is it likely? Is it easy to mistakenly delete an important OU? Or very rare? What would an admin be doing to accidentally delete an entire OU?
 
pony10us commented:
Simple example?

You have the following:

PrintersNorth
PrintersSouth
PrintersEast
PrintersWest

The company decides to close the office "East"

The admin goes to delete PrintersEast but accidentally highlights PrintersWest and hits the delete key. Without "prevent accidental deletion..." checked, the wrong OU could be deleted.
 
pma111 (Author) commented:
Is there any risk if these are just test OUs, i.e. no live production users/groups/computers?
 
Mike Kline commented:
It is rare but I'll tell you a personal story that almost happened to me in 2002.  My heart still races thinking about it.

I had a dual monitor setup and had ADUC up. I thought I was off ADUC on another screen and hit the delete key. Then a popup: "Are you sure you want to delete this OU?" I immediately said no, but you could see how that would have happened. My mouse focus was still on ADUC... D'OH!!!

I would have turned in my badge and walked out if I would have done that.
 
Mike Kline commented:
Obviously not as important in a test lab because if an OU is deleted then no "live" users are going to be down.  A test lab is where you test all your restores.

Thanks

Mike
 
pony10us commented:
Mike: OH!!! That would have been bad. Reminds me of when I sent every job that entered a print queue to vapor world for an entire night's processing at a large financial institution back in the early 80's. That was a bad night.

As to the question.  I always consider a test environment as just that. It is like beta testing. I create one and then just hack away to see if I can break it.  I just do a backup before I do anything.