Pau Lo

asked on

deleting an OU in AD

I am not an AD admin myself (please keep in mind in your responses), but I am told there is a safeguard feature in AD that prevents "accidental" deletion of an OU? How does the safeguard actually work?
 
Can I ask what the impact would be if an admin accidentally deleted an OU? And realistically how likely is it that some one could/would delete an OU?
ASKER CERTIFIED SOLUTION
Joseph Moody
SOLUTION
Also, you can verify that the check mark is there for existing OUs on the Security tab.
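The question asks how the safeguard actually works, and the reply above points at the check mark on the Security tab. The following is an added example, not code from the thread or from any of its participants: it lists OUs that do not have the "Protect object from accidental deletion" flag set, shows the Deny entries the check box writes into the OU's security descriptor (which is what makes the Delete key fail), and re-enables the flag where it is missing. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the OU ACLs; the OU distinguished name in the usage lines is a placeholder.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and rights to read OU security descriptors.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # The safeguard is exposed as a Boolean attribute on each OU object.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

function Show-ProtectionAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The check box is not magic: it writes Deny ACEs for Everyone covering
    # Delete and Delete Subtree (DeleteTree) onto the OU. Those entries are the
    # "check mark on the security tab" and are why a delete attempt is refused
    # even for a Domain Admin until the flag is cleared first.
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone' -and
            ($_.ActiveDirectoryRights -band $deleteRights)
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

function Enable-OUProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Re-enable the flag on every unprotected OU. Run with -WhatIf first so the
    # list of OUs that would change can be reviewed before anything is written.
    Get-UnprotectedOU | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADOrganizationalUnit -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Usage (placeholder DN, replace with one from your domain):
# Get-UnprotectedOU
# Show-ProtectionAce -DistinguishedName 'OU=PrintersWest,DC=example,DC=com'
# Enable-OUProtection -WhatIf
```

Because the protection is just a pair of Deny ACEs, it stops a mis-click, not a determined admin: anyone with rights to edit the OU's security descriptor can clear the flag and then delete, so the flag is a guard against mistakes and backups remain the answer for everything else.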
Pau Lo (ASKER)

So potentially it could stop people logging into AD if the wrong OU (or the OU they were in) was deleted? Any other issues?
Pau Lo (ASKER)

>>If it is an OU containing 10,000 users, not good

Please elaborate for someone new to AD?
Stop people logging in if the user/computer object is lost.

Stop Group Policy settings applying if the linked OU is deleted.

Create issues with orphaned mailboxes if you use Exchange.

Lose printer objects (if in use).

If you delete some of the more system-related structure you could cause problems with the function of the domain itself (this is unlikely to happen but you never know).
Think of an OU as a folder and user objects (Accounts) as files within that folder - if your folder contains 10,000 files and gets deleted it would cause a problem.
An OU can contain AD objects like users, computers, and groups. It is not uncommon for a company to put all their users in one OU. So if the OU with all 10,000 users in this example was deleted, then all those accounts would also have been deleted.

Thanks

Mike
Basically, you would lose anything that resides in that OU until it was restored, so it really depends on what is in that OU. If you deleted the System or Builtin OUs it would be worse than just deleting an OU that contains users.

A good product you may want to look into that provides backup of AD as well as many other nice features is Active Administrator:  http://www.quest.com/active-administrator/
Pau Lo (ASKER)

But if you have good AD backups, it's just a matter of time before everything is OK to recover from the mistake?

Who can/could delete an OU, by mistake or maliciously?
Any domain admin or someone that has delegated rights can delete an OU. If you have good backups, yes, you will be able to recover, but there will still be downtime and an outage. That is why "protect from accidental deletion" is such a great feature.

Thanks

Mike
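The reply above notes that any domain admin or delegated account can delete an OU, and that even with backups there is an outage. Knowing quickly who deleted what is therefore the other half of the picture. The following is an added example, not from the thread or its participants: it pulls OU deletions out of a domain controller's Security log. It relies on Windows event 5141 ("A directory service object was deleted"), which is only recorded when the Audit Directory Service Changes subcategory is enabled and the object carries a matching SACL; that configuration is assumed to already be in place.

```powershell
# Added example (not from the thread). Assumes directory service change
# auditing is enabled so that event 5141 is written on the domain controllers.
function Get-OUDeletionEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Hours = 24                             # look-back window
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            # Only report organizationalUnit objects; 5141 also fires for users,
            # groups and so on, which are noisier and usually routine.
            if ($data['ObjectClass'] -eq 'organizationalUnit') {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Who        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    ObjectDN   = $data['ObjectDN']
                    ObjectGUID = $data['ObjectGUID']
                    # Raw value from the event; when set it means the whole
                    # subtree (every object in the OU) went with it.
                    TreeDelete = $data['TreeDelete']
                }
            }
        }
}

# Usage: Get-OUDeletionEvent -ComputerName 'DC01' -Hours 72 | Format-Table -AutoSize
```

A deleted OU that carried a subtree delete is exactly the "10,000 users" case from earlier in the thread, so an alert on this event with TreeDelete set is worth wiring into whatever monitoring the domain already has; the ObjectGUID is also what you need to locate the object in the Deleted Objects container if the Recycle Bin feature is enabled.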
Pau Lo (ASKER)

How could such a deletion happen though? Is it likely? Is it easy to mistakenly delete an important OU, or very rare? What would an admin be doing to accidentally delete an entire OU?
Simple example?

You have the following:

PrintersNorth
PrintersSouth
PrintersEast
PrintersWest

The company decides to close the office "East"

The admin goes to delete PrintersEast but accidentally highlights PrintersWest and hits the Delete key. Without "prevent accidental deletion..." checked, the wrong OU could be deleted.
Pau Lo (ASKER)

Is there any risk if these are just test OUs, i.e. no live production users/groups/computers?
It is rare, but I'll tell you a personal story that almost happened to me in 2002. My heart still races thinking about it.

I had a dual monitor setup and had ADUC up. I thought I was off ADUC in another screen and hit the Delete key. Then a popup: "Are you sure you want to delete this OU?" I immediately said no, but you could see how that would have happened. My mouse focus was still on ADUC... D'OH!!!

I would have turned in my badge and walked out if I would have done that.
Pau Lo (ASKER)

Is there any risk if these are just test OUs, i.e. no live production users/groups/computers?
Obviously not as important in a test lab because if an OU is deleted then no "live" users are going to be down.  A test lab is where you test all your restores.

Thanks

Mike
Mike: OH!!! That would have been bad. Reminds me of when I sent every job that entered a print queue to vapor world for an entire night's processing at a large financial institution back in the early 80s. That was a bad night.

As to the question: I always consider a test environment as just that. It is like beta testing. I create one and then just hack away to see if I can break it. I just do a backup before I do anything.