views: 231 | answers: 2

We had a bad day yesterday. One of our Domain Admins deleted an OU containing 700+ users and the same amount of computers as well as assorted other useful things like groups etc.

We restored from a backup, but it wasn't pretty.

I know that ADUC asks you if you're sure etc... but I'd like it if it was not possible to delete this particular OU without going into something like ADSIEdit to set it "allowable" for deletion - thereby not allowing people to delete without actually opening a new app and specifically indicating that "YES - I know what I'm doing". This would have the added benefit of stopping accidental miscoding from deleting critical AD objects.

Any such attribute or method that you folks could think of?

A: 

Simply remove the permission to delete things from those unable to get it right. You can give very fine-grained permissions in AD.

There is no "readonly" attribute. That's what the ACLs are for.

Tomalak
I think we're going to go this route. Basically on the critical objects we're going to add Domain Users with "DENY DELETE" on THIS OBJECT ONLY. If we want to delete it at some point, we then will go in and remove this ACL and delete.
dragonspeed
Or they'll have to ask someone/log on as someone who is not denied deleting.
Tomalak
A: 

You could deny the Delete privilege from Administrators through Delegation at the root level and then you would need to be an enterprise admin to perform deletions. Ensure that no admins are in the Enterprise Admins group for day-to-day usage.

benPearce
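As an added example (not code from either answer above), the following PowerShell puts the "Deny Delete on this object only" ACE from the first answer's comments onto an OU and provides a check that the ACE is in place. It assumes the ActiveDirectory RSAT module is installed, that the caller can write the OU's security descriptor, and that the OU distinguished name is a placeholder to be replaced. It denies Everyone rather than only Domain Users, which is also what the built-in "Protect object from accidental deletion" switch (`-ProtectedFromAccidentalDeletion`) does, so removing the ACE becomes the explicit "yes, I know what I'm doing" step the question asked for. The second answer's approach of denying Delete higher up through delegation is the same mechanism applied at a parent or the domain root instead of the single object.

```powershell
# Added example: deny deletion of one OU via an explicit ACE (not the answers' own code).
# Assumes the ActiveDirectory module (RSAT) and rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

# Placeholder DN constructed for this example; replace with the real OU.
$ouDN = 'OU=Corp Users,DC=example,DC=com'

function Protect-OuFromDeletion {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Everyone (S-1-1-0): the deny applies to Domain Admins as well until the ACE is removed.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

    # Deny Delete and DeleteTree on THIS OBJECT ONLY (inheritance None),
    # so users, groups and computers inside the OU can still be managed normally.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $everyone,
               $rights,
               [System.Security.AccessControl.AccessControlType]::Deny,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

function Test-OuDeleteDenied {
    # Returns $true when an explicit Deny ACE covering Delete exists on the object itself.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete)
    }
    return [bool]$deny
}

function Unprotect-OuFromDeletion {
    # The deliberate "I know what I'm doing" step: strip the explicit Deny Delete ACEs,
    # after which the OU can be deleted by anyone who otherwise has the right.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete)
    } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# Usage: protect, then confirm the ACE is present.
Protect-OuFromDeletion -DistinguishedName $ouDN
Test-OuDeleteDenied    -DistinguishedName $ouDN   # expected: True

# Equivalent built-in switch (sets the same style of Deny ACEs and shows the checkbox in ADUC):
# Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $true
```

One caveat for whoever implements the "this object only" ACE by hand: deleting an object succeeds with either Delete on the object or Delete Child on its parent, so a deny on the object alone does not stop an account that holds Delete All Child Objects on the parent OU. The built-in accidental-deletion protection handles this by also adding a Deny Delete All Child Objects for Everyone on the parent container, which is why it is usually the safer choice over a hand-built ACE. Either way, pair the control with auditing of object deletions (Directory Service Changes, event 5141) so a removal of the protection and the subsequent delete both leave a trail.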