Solved

Disable drag and drop for ADUC Server 2008

Posted on 2014-04-25
6
798 Views
Last Modified: 2014-04-26
Hi all, i know there is a hot fix for this for 2003, but how do you disable this for 2008 + R2

thanks
0
Comment
Question by:cwstad2
  • 3
  • 3
6 Comments
 
LVL 7

Expert Comment

by:Delete
ID: 40024214
What exactly are you trying to prevent?

Are you talking about disabling drag and drop within ADUC?  If so then in ADUC go to View and turn on Advanced Features.  Once that is on then you can select an object in ADUC and go into it's properties, then go to the Object tab and check the "Protect object from accidental deletion" check box.

If you want to do it across all objects in your Active Directory then that can be done using PowerShell.  Example: Get-ADobject -Filter * -SearchBase “OU=Users,DC=Domain,DC=com” | Set-adobject -ProtectedFromAccidentalDeletion $true
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40024225
Thanks yes, some are not protected. Is there a script to find out which ones arent. Also can you stop the objects being drag and dropped?
0
 
LVL 7

Accepted Solution

by:
Delete earned 500 total points
ID: 40024271
Verify
Get-ADObject -Filter * -Properties * | where {$_.ProtectedFromAccidentalDeletion -eq $false} | select name, objectclass, ProtectedFromAccidentalDeletion

Open in new window


Change (Depending on what you want to change here is one for OU's, Users, Groups, and Computers)
Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window


Get-ADObject -filter {(ObjectClass -eq "group")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window


Get-ADObject -filter {(ObjectClass -eq "computer")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window


Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Open in new window



If the Protecte object from accidental deletion box is checked you cannot drag and drop the object as you will get an Access Denied message.  If a user has the proper permissions they can always uncheck this box and the drag and drop the object, however you can restrict permissions to prevent certain users from doing this.  See this article: http://blogs.technet.com/b/abizerh/archive/2009/06/09/preventing-unwanted-accidental-deletions-and-restore-deleted-objects-in-active-directory.aspx

Remember with this box checked you can't delete or move that object until the box is cleared or the permissions modified.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 15

Author Comment

by:cwstad2
ID: 40024597
Excellent information thanks. Is it possible to stop computers and users and groups from being dragged and dropped?
0
 
LVL 7

Expert Comment

by:Delete
ID: 40024617
Both of my previous suggestions will work for all AD objects to include users, groups and computers.

The easiest way is to run the PowerShell commands I provided for each object to check the Protect object from accidental deletion.  Then users will not be able to drag and drop any of those objects without first unchecking that box.

If you don't even want users to be able to uncheck the box then you will need to delegate out the proper permissions as discussed in that link that I provided to block the users you don't want to have that access.  However, you don't want to block all users as your Domain Admins should still retain the permissions to check/uncheck the Protect objects from accidental deletion box.
0
 
LVL 15

Author Closing Comment

by:cwstad2
ID: 40024673
thanks
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now