?
Solved

Disable drag and drop for ADUC Server 2008

Posted on 2014-04-25
6
Medium Priority
?
889 Views
Last Modified: 2014-04-26
Hi all, i know there is a hot fix for this for 2003, but how do you disable this for 2008 + R2

thanks
0
Comment
Question by:cwstad2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 7

Expert Comment

by:Delete
ID: 40024214
What exactly are you trying to prevent?

Are you talking about disabling drag and drop within ADUC?  If so then in ADUC go to View and turn on Advanced Features.  Once that is on then you can select an object in ADUC and go into it's properties, then go to the Object tab and check the "Protect object from accidental deletion" check box.

If you want to do it across all objects in your Active Directory then that can be done using PowerShell.  Example: Get-ADobject -Filter * -SearchBase “OU=Users,DC=Domain,DC=com” | Set-adobject -ProtectedFromAccidentalDeletion $true
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40024225
Thanks yes, some are not protected. Is there a script to find out which ones arent. Also can you stop the objects being drag and dropped?
0
 
LVL 7

Accepted Solution

by:
Delete earned 2000 total points
ID: 40024271
Verify
Get-ADObject -Filter * -Properties * | where {$_.ProtectedFromAccidentalDeletion -eq $false} | select name, objectclass, ProtectedFromAccidentalDeletion

Open in new window


Change (Depending on what you want to change here is one for OU's, Users, Groups, and Computers)
Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window


Get-ADObject -filter {(ObjectClass -eq "group")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window


Get-ADObject -filter {(ObjectClass -eq "computer")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window


Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window



If the Protecte object from accidental deletion box is checked you cannot drag and drop the object as you will get an Access Denied message.  If a user has the proper permissions they can always uncheck this box and the drag and drop the object, however you can restrict permissions to prevent certain users from doing this.  See this article: http://blogs.technet.com/b/abizerh/archive/2009/06/09/preventing-unwanted-accidental-deletions-and-restore-deleted-objects-in-active-directory.aspx

Remember with this box checked you can't delete or move that object until the box is cleared or the permissions modified.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 15

Author Comment

by:cwstad2
ID: 40024597
Excellent information thanks. Is it possible to stop computers and users and groups from being dragged and dropped?
0
 
LVL 7

Expert Comment

by:Delete
ID: 40024617
Both of my previous suggestions will work for all AD objects to include users, groups and computers.

The easiest way is to run the PowerShell commands I provided for each object to check the Protect object from accidental deletion.  Then users will not be able to drag and drop any of those objects without first unchecking that box.

If you don't even want users to be able to uncheck the box then you will need to delegate out the proper permissions as discussed in that link that I provided to block the users you don't want to have that access.  However, you don't want to block all users as your Domain Admins should still retain the permissions to check/uncheck the Protect objects from accidental deletion box.
0
 
LVL 15

Author Closing Comment

by:cwstad2
ID: 40024673
thanks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question