Thursday, 31 July 2008

Windows 2008 Active Directory, deleting OUs

Today I found some new default permissions on Windows 2008 Active Directory Organizational Units (OUs). I had created an OU in my nice new Windows 2008 Active Directory to provision servers into. Now that I have created my OU structure, I tried to delete my redundant OU and received the error message:

You do not have sufficient privileges to delete MyOUName, or this object is protected from accidental deletion.

So I immediately switched on Advanced Features in Active Directory Users and Computers so that I could access the Security tab of the OU. When I clicked Advanced there was one explicit Deny permission set for Everyone with Special permissions. These Special permissions were Deny Delete and Deny Delete Subtree. Of course, by un-checking these options I could delete the OU.

I think this is an awesome subtle improvement. I have actually worked for a company where a user with Administrative permissions accidentally deleted an enormous OU with thousands of users, computers, printers and customisations. Denying delete permissions to Everyone by default means that you can no longer accidentally delete an OU. You need to be fully aware of what you are doing, since you have to go and remove this permission each time. Kudos MS.
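As an added example (not code from the original post), here is a PowerShell audit that lists OUs where this protection is switched off, checks for the exact Deny ACE described above (Delete and Delete Subtree for Everyone), and re-applies the flag. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), which the original Windows 2008 environment would not have had; the OU path in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module is available (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Every OU in the domain whose "protect from accidental deletion" flag is
    # off, i.e. someone has removed the Deny Delete / Delete Subtree ACE.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

function Test-OUDenyDeleteAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the OU's DACL through the AD: drive and look for the explicit ACE
    # the post describes: Deny, Everyone (S-1-1-0), Delete + DeleteTree.
    $acl      = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $delete   = [System.DirectoryServices.ActiveDirectoryRights]::Delete
    $deltree  = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        (($_.ActiveDirectoryRights -band $delete)  -ne 0) -and
        (($_.ActiveDirectoryRights -band $deltree) -ne 0)
    }
    return [bool]$match
}

function Protect-OU {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Re-applies the same Deny ACE that Windows 2008 adds by default.
    Set-ADOrganizationalUnit -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# Usage: report unprotected OUs, then protect them and verify the ACE landed.
Get-UnprotectedOU | ForEach-Object {
    Write-Host "Unprotected: $($_.DistinguishedName)"
    Protect-OU -DistinguishedName $_.DistinguishedName
    if (-not (Test-OUDenyDeleteAce -DistinguishedName $_.DistinguishedName)) {
        Write-Warning "Deny ACE still missing on $($_.DistinguishedName)"
    }
}
# Placeholder DN for a one-off check: "OU=MyOUName,DC=example,DC=local"
```

Run it periodically or after delegation changes; an OU that shows up in the report is one an administrator has deliberately or accidentally left deletable.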

