
As humans, we all make mistakes. Some are more critical than others, that’s certain. One of the more catastrophic mistakes that an Active Directory administrator can make is to accidentally delete an Organizational Unit (OU). Fortunately, this mistake is avoidable. You can protect yourself and your organization against accidental OU deletion. In this article, I’ll show you how. First, let me show you why this mistake is so serious.
Why Protect an Organizational Unit Against Deletion?
In Active Directory, an OU is essentially a type of container. It’s a logical structure that usually includes other objects. These objects can include user accounts, groups, computer accounts, printers, and more. An organizational unit can even contain other OUs.

As you’ve probably guessed, deleting an organizational unit also deletes the objects within it. I’m sure you can imagine the problems that it would cause if an admin accidentally deleted an OU containing thousands of user accounts.
Does this mistake have a solution? Can you somehow recover the deleted Organizational Unit?
Can You Recover a Deleted OU?
Right now, you may be wondering if you can even recover an accidentally deleted OU.
Your options vary depending on whether or not you’ve enabled the Active Directory Recycle Bin. If you did, then you can usually recover an OU. If not, then the deleted OU becomes a tombstone object. Even though you can recover a tombstone object, a tombstone loses most of its attributes. As a result, you may gain very little from restoring this object. Instead, it may be better to just recreate it.
Let me show you how you can enable the AD recycle bin.
Enable the Active Directory Recycle Bin
The Active Directory Recycle Bin can only protect you if you enable it BEFORE an accidental deletion. If you want to enable the AD Recycle Bin, simply follow these 3 steps:
- Open the Active Directory Administrative Center
- Right-click on your domain name and select the Enable Recycle Bin command from the shortcut menu
- Click OK to confirm that you want to enable the Active Directory Recycle Bin
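The same check and change can be made from PowerShell. The script below is an added example, not part of the original article: it reports whether the Recycle Bin is enabled and how long deleted objects are retained, then enables the feature if needed. It assumes the ActiveDirectory module (RSAT) and sufficient rights in the forest root domain; the function name is hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: summarize Recycle Bin state for the current forest.
function Get-ADRecycleBinStatus {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

    # Retention settings live on the Directory Service object in the
    # configuration partition. An empty msDS-DeletedObjectLifetime means the
    # tombstone lifetime is used instead.
    $dsDN = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity $dsDN `
            -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime

    [pscustomobject]@{
        Forest                = $forest.Name
        ForestMode            = $forest.ForestMode   # needs 2008 R2 level or later
        Enabled               = @($feature.EnabledScopes).Count -gt 0
        DeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'
        TombstoneLifetime     = $ds.tombstoneLifetime
    }
}

$status = Get-ADRecycleBinStatus
$status | Format-List

if (-not $status.Enabled) {
    # Enabling is forest-wide and cannot be undone, so keep the confirmation
    # prompt. Objects deleted before this point cannot be recovered from the
    # Recycle Bin afterwards.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $status.Forest -Confirm
}
```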
When that’s done, you should be able to restore most deleted OUs. Let me show you how.
Recovering a Deleted Organizational Unit
Comprehensive OU recovery may be out of scope for this article. However, I still want to give you a high-level overview of the process.
Let’s get some things out of the way first.
When you request an OU deletion, Windows will give you a dire warning that the OU and the objects that it includes will all be deleted. Most importantly, this message tells you that if you panic and attempt to cancel a deletion midstream, you won’t be able to restore any objects that have already been deleted. Assuming that the Active Directory Recycle Bin is enabled, it’s best to just let an unwanted deletion finish. Don’t interrupt it.

For our purposes, I deleted the Example OU that I showed you earlier. As you can see in the figure below, the Example OU is listed in the Active Directory Recycle Bin. You’ll also see all the objects that were in the deleted OU.

To restore a deleted object, simply select it and click Restore. That said, restoring the OU this way won’t restore the objects that were within it. Instead, restore the OU first, then restore the objects it previously contained.

After recovering the OU itself, you can recover the individual objects from the Active Directory Recycle Bin. Simply select them and click Restore.


As you can see in the figure above, the deleted items have indeed been recovered.
Pro Tips
When recovering an Organizational Unit, you must remember these 2 very important things:
- Restore the OU before attempting to restore individual objects. Otherwise, the recovery won’t be successful.
- Refresh the console after the recovery. Otherwise, the Active Directory Users and Computers console will not acknowledge the recovery.
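The restore order described above (OU first, then its contents) can be scripted. This is an added example, not code from the original article; it also handles nested OUs by walking down one level at a time. It assumes the Recycle Bin was enabled before the deletion and that the OU's parent still exists. The function names and the sample OU name and domain DN are hypothetical.

```powershell
Import-Module ActiveDirectory

# Restore every deleted object whose last parent was $ParentDN, then descend.
function Restore-DeletedChildren {
    param([Parameter(Mandatory)][string]$ParentDN)
    $bin = (Get-ADDomain).DeletedObjectsContainer
    # Once a parent is live again, its deleted children report that live DN in
    # lastKnownParent, so each level can only be matched after the one above it.
    $children = Get-ADObject -SearchBase $bin -IncludeDeletedObjects `
                    -Filter 'lastKnownParent -eq $ParentDN'
    foreach ($child in $children) {
        $child | Restore-ADObject
        $live = Get-ADObject -Identity $child.ObjectGUID
        Restore-DeletedChildren -ParentDN $live.DistinguishedName
    }
}

function Restore-DeletedOU {
    param(
        [Parameter(Mandatory)][string]$Name,      # plain OU name, no LDAP wildcards
        [Parameter(Mandatory)][string]$ParentDN   # DN the OU lived under
    )
    $bin = (Get-ADDomain).DeletedObjectsContainer
    # If the same name was deleted more than once, take the latest deletion.
    $ou = Get-ADObject -SearchBase $bin -IncludeDeletedObjects `
              -LDAPFilter "(&(objectClass=organizationalUnit)(msDS-LastKnownRDN=$Name))" `
              -Properties lastKnownParent, whenChanged |
          Where-Object { $_.lastKnownParent -eq $ParentDN } |
          Sort-Object whenChanged -Descending |
          Select-Object -First 1
    if (-not $ou) {
        throw "No deleted OU '$Name' under '$ParentDN' found in the Recycle Bin."
    }

    # Step 1: the OU itself. Step 2: everything that was inside it.
    $ou | Restore-ADObject
    $live = Get-ADObject -Identity $ou.ObjectGUID
    Restore-DeletedChildren -ParentDN $live.DistinguishedName
    $live
}

# Constructed sample values; replace with your own OU name and parent DN.
Restore-DeletedOU -Name 'Example' -ParentDN 'DC=corp,DC=example,DC=com'
```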
If the circumstances are right, it’s possible to recover a deleted organizational unit. Even so, it’s much better to prevent accidental deletion altogether. Let’s see how you can do that.
Preventing Accidental OU Deletion
When you create an OU, the Active Directory Users and Computers console automatically protects the Organizational Unit from deletion. (That is, assuming you’re using the latest Windows version.) As you can see below, the creation window has a checkbox ticked by default. It protects your OU against accidental deletion.

Now, what can you do for the OUs that you already had?
Protecting Existing OUs
You likely have some OUs that haven’t been automatically protected upon creation. You can use PowerShell to check for unprotected OUs. To do that, simply use the following command:
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}

Now that you know which OUs are unprotected, you can also use PowerShell to enable protection. Simply use the following commands:
$OUs = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false}
$OUs | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Final Thoughts
An Organizational Unit can contain important information and user accounts in your company. That’s why accidentally deleting one can be a huge issue. Thankfully, you can restore your deleted OUs. Just ensure you’ve enabled the Active Directory Recycle Bin beforehand.
However, it’s much better to prevent accidental deletion altogether. The latest Windows versions enable this by default. Still, you can also use PowerShell to determine if an Organizational Unit isn’t safe and enable protection.
Do you have questions about Organizational Units? Check out the FAQs and Resources below!
FAQ
Why do OUs need to be protected against accidental deletion if they can be restored?
Under the right circumstances, it’s possible to recover a deleted OU. Even so, it’s far better to prevent an OU from being deleted in the first place. Protecting an OU from deletion helps to avoid disruption. It also prevents the uncertainties involved in the recovery process.
Does using PowerShell to prevent the accidental deletion of OUs have any advantage over using the GUI?
You can enable Organizational Unit protection using either PowerShell or the GUI. Both tools work equally well. The only advantage to using PowerShell is that it reduces the amount of work required when working in complex environments. When you have a large number of OUs, you don’t need to check each individually.
Since Windows Server protects OUs by default, is there any real benefit to checking to see if OU protection is enabled?
Some older versions of Windows didn’t automatically enable OU protection. This is especially true for OUs created using group policy tools. Hence, any older OUs in your environment are likely unsafe. When you know which ones aren’t safe, you can then enable protection.
Is it possible to delete a protected OU?
If, at some point, you decide that you need to delete a protected OU, you can easily do so. Just deselect the Protect Object From Accidental Deletion checkbox. Then, delete the OU as you would any other Active Directory object. The default protection simply ensures no one in your organization deletes something they shouldn’t.
How does OU protection help if there is still a way of deleting an OU?
Before you can delete an OU, you must disable the OU protection. As a result, even though you can still delete an OU, it still takes an extra step. Hence, you have to make a conscious effort to delete an Organizational Unit. No one can simply click delete and erase an entire OU.
Resources
TechGenix: Article on Organizational Unit Permissions
Learn how to check permissions on an Organizational Unit.
TechGenix: Article on AD Organizational Unit Design
Read more on Active Directory Organizational Unit Design.
TechGenix: Article on OU vs AD Groups
Find out how Organizational Units differ from Active Directory groups.
GroupPolicy: Article on Group Policy Protection
Discover why group policy may not adequately protect your OUs.
ManageEngine: Article on AD Object Recovery
Read more on how to recover deleted Active Directory objects.
ITExperience: Article on Accidental OU Deletion Protection
Read more on how to prevent OUs from being accidentally deleted.