Ever have that Oh Sh!t – Stomach Churning – Career Ending moment where you accidentally deleted something you shouldn’t have?
Why is Delete right beside Rename!
Because even Admins make mistakes, it is a best practice to protect every critical object in AD from being accidentally deleted. How, you ask?
You can do it one of two ways. First, the slow (manual) way. Open the properties of any critical AD object (Computer, Group, Organizational Unit, User, etc.), select the Object tab and check the “Protect object from accidental deletion” box.
If you are anything like me, you did this for a handful of objects and thought “this is dumb… how can I automate this?” Pretty easily, it turns out. Which brings us to method number 2 – the PowerShell way.
# Quest AD cmdlets: add a Deny Delete / Delete Subtree entry for Everyone to every group under the search root
Get-QADObject -SearchRoot 'DC=Test,DC=local' -Type 'group' -SizeLimit 0 | Add-QADPermission -Deny -Account 'EVERYONE' -Right 'Delete,DeleteTree' -ApplyTo 'ThisObjectOnly'
As a note, this one-liner makes use of the Quest AD cmdlets for PowerShell. It recursively walks everything under your -SearchRoot parameter (in this case, the entire domain), and because of -Type 'group' it picks out the group objects and adds the same Deny Delete and Delete Subtree entry for Everyone that the checkbox sets, so nobody can delete those objects until the deny is removed again. -SizeLimit 0 lifts the default cap on the number of results, so large domains are covered in full.
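If you do not have the Quest cmdlets, the same job can be done with the Microsoft ActiveDirectory module, which exposes the checkbox as the ProtectedFromAccidentalDeletion property. The script below is an added example, not part of the original post: it reports critical objects that are still unprotected, verifies the Deny ACE the checkbox writes, and protects them; it assumes the RSAT ActiveDirectory module (which creates the AD: drive) and an account allowed to change object ACLs.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UnprotectedADObject {
    # Lists objects of the given classes under $SearchBase whose
    # "Protect object from accidental deletion" box is NOT checked.
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string[]]$ObjectClass = @('group', 'organizationalUnit', 'user', 'computer')
    )
    foreach ($class in $ObjectClass) {
        Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$class)" `
            -Properties ProtectedFromAccidentalDeletion |
            Where-Object { -not $_.ProtectedFromAccidentalDeletion }
    }
}

function Test-DenyDeleteAce {
    # Reads the object's ACL directly and confirms the entry the GUI checkbox
    # (and the Quest one-liner) writes: Deny Everyone Delete + Delete Subtree.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl      = Get-Acl -Path "AD:\$DistinguishedName"
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
    $needed   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        (($_.ActiveDirectoryRights -band $needed) -eq $needed)
    })
}

function Protect-ADObjectFromDeletion {
    # Sets the checkbox on each piped object. Supports -WhatIf so the change
    # can be rehearsed before it is written to the directory.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Object)
    process {
        if ($PSCmdlet.ShouldProcess($Object.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $Object -ProtectedFromAccidentalDeletion $true
        }
    }
}

# 1) Report what is still unprotected, 2) rehearse, 3) apply and verify the ACE.
Get-UnprotectedADObject | Select-Object Name, ObjectClass, DistinguishedName
Get-UnprotectedADObject | Protect-ADObjectFromDeletion -WhatIf
Get-UnprotectedADObject | Protect-ADObjectFromDeletion
Get-ADObject -LDAPFilter '(objectClass=group)' | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; DenyAcePresent = Test-DenyDeleteAce $_.DistinguishedName }
}
```

The deny entry applies to admins as well, which is the point; when an object genuinely has to go, clear the checkbox (Set-ADObject -ProtectedFromAccidentalDeletion $false) first rather than editing the ACL by hand.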