Solved

deleting an OU in AD

Posted on 2013-10-28
244 Views
Last Modified: 2013-11-12
I am not an AD admin myself (please keep in mind in your responses), but I am told there is a safeguard feature in AD that prevents "accidental" deletion of an OU? How does the safeguard actually work?

Can I ask what the impact would be if an admin accidentally deleted an OU? And realistically, how likely is it that someone could/would delete an OU?
Question by: pma111

22 Comments

LVL 21 - Accepted Solution by Joseph Moody (earned 84 total points)
The safeguard (protection against accidental deletion) works by denying everyone the ability to delete.

Deleting an OU can be very bad! How bad it is depends entirely on what is in the OU. If it is an OU containing 10,000 users, not good. If it is a test OU, no big deal.

http://deployhappiness.com/prevent-accidental-deletion/

LVL 26 - Assisted Solution by pony10us (earned 84 total points)
When creating an OU you have a checkbox to prevent accidental deletion.

[Screen shot]

You can restore a deleted AD item; however, it is best to do what you can to prevent the "accident" beforehand.

LVL 57 - Assisted Solution by Mike Kline (earned 83 total points)
Yes, there is a "prevent from accidental deletion" feature that was introduced in 2008 via the GUI on OUs.

http://blogs.technet.com/b/askds/archive/2013/06/04/two-lines-that-can-save-your-ad-from-a-crisis.aspx

Notice you can also turn that on for all objects, but it's on for OUs by default. If an admin accidentally deleted an OU you would need to restore the OU and all objects. That is much easier if you have the AD recycle bin enabled (2008 R2 forest functional feature). If you don't have the recycle bin enabled you would need to use backups and an authoritative restore.

Thanks
Mike
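As an added example, not from Mike's post, here is what the Recycle Bin route he calls "much easier" looks like in PowerShell: restoring a deleted OU and everything that sat underneath it. It assumes the AD Recycle Bin is enabled and the RSAT ActiveDirectory module is loaded; the OU name is a placeholder, and checking lastKnownParent against both the original DN and the deleted DN is a defensive assumption on my part, not documented behaviour.

```powershell
# Added example, not code from this thread. Assumes the AD Recycle Bin (2008 R2 forest
# functional level) is enabled and the account may restore objects. Names are placeholders.
Import-Module ActiveDirectory

function Restore-DeletedOuTree {
    param([string]$OuName)   # last known RDN of the deleted OU, e.g. 'SITE1' (placeholder)

    # A tombstone keeps its last RDN and last parent, so the OU can be located by its old name
    $ou = Get-ADObject -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', lastKnownParent `
          -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' } |
          Where-Object { $_.'msDS-LastKnownRDN' -eq $OuName }
    if (-not $ou) { throw "No deleted OU named '$OuName' in the Recycle Bin" }

    $originalDn = "OU=$OuName," + $ou.lastKnownParent
    # Restore the container first: children can only be restored under a parent that exists
    $ou | Restore-ADObject
    Restore-DeletedChildren -OriginalDn $originalDn -DeletedDn $ou.DistinguishedName
}

function Restore-DeletedChildren {
    param([string]$OriginalDn, [string]$DeletedDn)
    # Assumption: a child's lastKnownParent may hold either the parent's original DN or the
    # parent's DN inside CN=Deleted Objects, so both are queried. -TargetPath pins the
    # destination to the restored parent regardless of which value the child carries.
    $children = foreach ($dn in @($OriginalDn, $DeletedDn)) {
        Get-ADObject -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', objectClass `
            -Filter { isDeleted -eq $true -and lastKnownParent -eq $dn }
    }
    foreach ($child in $children) {
        $deletedChildDn = $child.DistinguishedName
        $child | Restore-ADObject -TargetPath $OriginalDn
        # Nested OUs get their own children back through a recursive pass
        if ($child.objectClass -eq 'organizationalUnit') {
            $childOriginalDn = "OU=" + $child.'msDS-LastKnownRDN' + "," + $OriginalDn
            Restore-DeletedChildren -OriginalDn $childOriginalDn -DeletedDn $deletedChildDn
        }
    }
}

# Look before you restore: list what the Recycle Bin currently holds, then call e.g.
# Restore-DeletedOuTree -OuName 'SITE1'
Get-ADObject -IncludeDeletedObjects -Filter { isDeleted -eq $true } -Properties lastKnownParent |
    Select-Object Name, objectClass, lastKnownParent
```

Try it against a lab domain first, as Mike suggests later in the thread; a restore of a large tree is not quick and the order (parent, then children) matters.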

LVL 26 - Expert Comment by pony10us
Also, you can verify that the check mark is there for existing OUs on the security tab.

LVL 6 - Assisted Solution by LHT_ST (earned 83 total points)
When selected, the "prevent accidental deletion" checkbox inserts a deny entry into the ACL for that object on the delete permission.

Accidents can happen, and of course malicious intent can cause an OU to be deleted; however, this is not a regular occurrence.

The impact would be down to your organisation. For example, we have trees of OUs in our organisation (mainly for printing etc.):

Sites
  SITE1
    Department 1
      Printer1
      Printer2
    Department 2

If we were to delete the Printer1 OU, this would obviously cause an outage for the people attached to the printer, but it's not a catastrophe. If we were to delete the SITE1 OU, this would be a big problem, as we would have lost all departments, users/computer objects etc.

You can guard against things with some backup technologies. For instance, NetBackup can use granular backup and restore to back up everything down to the computer/user object level, meaning that if someone did accidentally delete an OU it can be restored.
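As an added example (not code from any of the posts above; it assumes the RSAT ActiveDirectory module, which also supplies the AD: drive, and the DN is a placeholder), here is the PowerShell view of what LHT_ST and Mike describe: which OUs lack the protection, the deny ACEs the checkbox actually writes, and how to switch it on for every OU at once.

```powershell
# Added example, not from this thread. Assumes the RSAT ActiveDirectory module and read
# rights on the OUs; apply step 3 only after the -WhatIf output looks right.
Import-Module ActiveDirectory

# 1. Audit: which OUs are NOT protected? The cmdlet derives ProtectedFromAccidentalDeletion
#    from the ACL, so this catches OUs created before the feature or with the box cleared.
function Get-UnprotectedOu {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# 2. Inspect: the deny entries the checkbox writes, on the object itself
#    (Everyone: Deny Delete + DeleteTree) and on its parent (Everyone: Deny DeleteChild).
function Get-DeletionDenyAce {
    param([string]$Dn)
    (Get-Acl -Path ("AD:\" + $Dn)).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -eq 'Everyone' -and
                       $_.ActiveDirectoryRights -match 'Delete' } |
        Select-Object @{n='Identity'; e={$_.IdentityReference.Value}},
                      ActiveDirectoryRights, InheritanceType
}

$ouDn     = 'OU=SITE1,OU=Sites,DC=example,DC=com'   # placeholder DN
$parentDn = ($ouDn -split ',', 2)[1]                 # naive split; fine for DNs without escaped commas
Get-DeletionDenyAce -Dn $ouDn
Get-DeletionDenyAce -Dn $parentDn

# 3. Remediate: the PowerShell equivalent of ticking the box on every unprotected OU.
#    -WhatIf only reports what would change; remove it to apply.
Get-UnprotectedOu | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf
```

Because the deny ACE applies to Everyone, a domain admin who genuinely needs to delete a protected OU has to clear the checkbox first, which is the deliberate extra step that stops the "wrong row highlighted, Delete pressed" scenario described further down the thread.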

LVL 14 - Assisted Solution by Juan Ocasio (earned 83 total points)
There are settings (Access Control Entries) that will allow you to deny deletion of an OU. The OU in itself is a container, but once GPOs are applied, they will do specific things. If an OU is deleted with specific GPOs applied (for example, anyone in the operations GPO would have a specific desktop), then anything that GPO specified would be deleted.

LVL 3 - Author Comment by pma111
So potentially it could stop people logging into AD if the wrong OU (or the OU they were in) was deleted? Any other issues?

LVL 3 - Author Comment by pma111
>>If it is an OU containing 10,000 users, not good

Please elaborate for someone new to AD?

LVL 6 - Expert Comment by LHT_ST
Stop people logging in if the user/computer object is lost.

Stop group policy settings applying if the linked OU is deleted.

Create issues with orphaned mailboxes if you use Exchange.

Lose printer objects (if in use).

If you delete some of the more system-related structure you could cause problems with the function of the domain itself (this is unlikely to happen, but you never know).

LVL 6 - Expert Comment by LHT_ST
Think of an OU as a folder and user objects (accounts) as files within that folder. If your folder contains 10,000 files and gets deleted, it would cause a problem.

LVL 57 - Expert Comment by Mike Kline
An OU can contain AD objects like users, computers, and groups. It is not uncommon for a company to put all their users in one OU. So if the OU that was deleted held all 10,000 users, as in this example, then all accounts would also have been deleted.

Thanks

Mike

LVL 26 - Expert Comment by pony10us
Basically, you would lose anything that resides in that OU until it was restored, so it really depends on what is in that OU. If you deleted the System or Builtin OUs it would be worse than just deleting an OU that contains users.

A good product you may want to look into that provides backup of AD as well as many other nice features is Active Administrator: http://www.quest.com/active-administrator/

LVL 34 - Assisted Solution by Seth Simmons (earned 83 total points)
That first comment doesn't make sense; it implies that unless the OU has a large number of objects then it's bad.

Any OU that has production objects, regardless of the quantity, is bad if accidentally deleted: computer accounts, user objects, etc.

LVL 3 - Author Comment by pma111
But if you have good AD backups, it's just a time thing before everything is OK to recover from the mistake?

Who can/could delete an OU, by mistake or maliciously?

LVL 57 - Expert Comment by Mike Kline
Any domain admin or someone that has delegated rights can delete an OU. If you have good backups, yes, you will be able to recover, but there will still be downtime and an outage. That is why the protect from accidental deletion feature is such a great one.

Thanks

Mike

LVL 3 - Author Comment by pma111
How could such a deletion happen though? Is it likely? Is it easy to mistakenly delete an important OU, or very rare? What would an admin be doing to accidentally delete an entire OU?

LVL 26 - Expert Comment by pony10us
Simple example?

You have the following:

PrintersNorth
PrintersSouth
PrintersEast
PrintersWest

The company decides to close the office "East".

The admin goes to delete PrintersEast but accidentally highlights PrintersWest and hits the delete key. Without "prevent accidental deletion..." checked, the wrong OU could be deleted.

LVL 3 - Author Comment by pma111
Is there any risk if these are just test OUs, i.e. no live production users/groups/computers?

LVL 57 - Expert Comment by Mike Kline
It is rare, but I'll tell you a personal story that almost happened to me in 2002. My heart still races thinking about it.

I had a dual monitor setup and had ADUC up. I thought I was off ADUC in another screen and hit the delete key. Then a popup: "are you sure you want to delete this OU". I immediately said no, but you could see how that would have happened. My mouse focus was still on ADUC....D'OH!!!

I would have turned in my badge and walked out if I had done that.

LVL 57 - Expert Comment by Mike Kline
Obviously not as important in a test lab because if an OU is deleted then no "live" users are going to be down.  A test lab is where you test all your restores.

Thanks

Mike

LVL 26 - Expert Comment by pony10us
Mike: OH!!! That would have been bad. Reminds me of when I sent every job that entered a print queue to vapor world for an entire night's processing at a large financial institution back in the early 80s. That was a bad night.

As to the question: I always consider a test environment as just that. It is like beta testing. I create one and then just hack away to see if I can break it. I just do a backup before I do anything.