How to Delete Protected OU in Active Directory?

When you create Organizational Units (OUs) in Active Directory, they have the “Protect container from accidental deletion” option enabled by default.

If you try to delete such an OU with the Active Directory Users and Computers console, an error will appear:

Active Directory Domain Services

You do not have sufficient privileges to delete OU_NAME, or this object is protected from accidental deletion.

If you try to delete a protected OU using PowerShell, you will get an “Access is denied” error:

Get-ADOrganizationalUnit -identity "OU=California,OU=US,DC=contoso,DC=com" | Remove-ADOrganizationalUnit

Remove-ADOrganizationalUnit : Access is denied

+ CategoryInfo : PermissionDenied: UnauthorizedAccessException

The object deletion protection feature was introduced in Active Directory in Windows Server 2008 (AD schema objectVersion 44). It is designed to protect Organizational Units and other important Active Directory objects from being accidentally deleted or moved.

When trying to move a protected object, an error will appear:

Active Directory Domain Services

Windows cannot move object OU_NAME because:Access is denied.

Note. The default Active Directory containers (Builtin, Computers, Domain Controllers, Users, System, ForeignSecurityPrincipals, NTDS Quotas) are not protected by default.

You can disable OU deletion protection through the ADUC console:

  1. Run the dsa.msc snap-in;
  2. Enable View > Advanced Features in the top menu;
  3. Find the OU in the Active Directory tree and open its properties;
  4. Go to the Object tab and uncheck the option Protect object from accidental deletion;
  5. Now you can delete or move this OU.

You can also change the value of the ProtectedFromAccidentalDeletion attribute of an OU using PowerShell. We’ll use the Get-ADOrganizationalUnit and Set-ADObject cmdlets from the Active Directory module for Windows PowerShell to change the OU properties. Here is a PowerShell one-liner that removes protection from the OU and immediately deletes the object from AD:

Get-ADOrganizationalUnit -Identity "OU=California,OU=US,DC=contoso,DC=com" | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit

To display a list of OUs in Active Directory with the ProtectedFromAccidentalDeletion option disabled, run the command:

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } | Select-Object DistinguishedName

When you enable the Protect object from accidental deletion option in the object properties, it changes the ACL of the Active Directory object. To see the change:

  1. Open the properties of such an object in AD, go to the Security tab > click Advanced;
  2. Select the ACL entry for the Everyone principal from the list and click Edit;
  3. As you can see, deny permissions are enabled for the Delete and Delete subtree operations for the Everyone group.
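The same ACL entry can be read from PowerShell instead of the Security tab. The script below is an added example, not part of the original article: it lists every OU with its ProtectedFromAccidentalDeletion value and the rights that explicit deny entries for Everyone carry on the object. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the OUs' security descriptors.

```powershell
# Added example: show the deny ACE behind "Protect object from accidental deletion".
Import-Module ActiveDirectory                    # also provides the AD: drive for Get-Acl
Add-Type -AssemblyName System.DirectoryServices  # ActiveDirectoryRights enum

$everyoneSid = 'S-1-1-0'   # well-known SID of Everyone (the name is localized, the SID is not)
$sidType     = [System.Security.Principal.SecurityIdentifier]
$rightsType  = [System.DirectoryServices.ActiveDirectoryRights]
$needed      = [int]$rightsType::Delete -bor [int]$rightsType::DeleteTree

# Assumption: the whole domain is scanned; add -SearchBase to limit the scope.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)

        # Explicit (not inherited) deny ACEs for Everyone, identities returned as SIDs
        $denyAces = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $everyoneSid
        }

        # Combine the rights of all matching ACEs into one bit mask
        $denied = 0
        foreach ($ace in $denyAces) {
            $denied = $denied -bor [int]$ace.ActiveDirectoryRights
        }

        [pscustomobject]@{
            DistinguishedName  = $_.DistinguishedName
            Protected          = $_.ProtectedFromAccidentalDeletion
            # True when both Delete and Delete subtree are denied to Everyone
            DeleteDenied       = (($denied -band $needed) -eq $needed)
            RightsDeniedToAll  = $denied -as $rightsType
        }
    } |
    Sort-Object Protected, DistinguishedName |
    Format-Table -AutoSize -Wrap
```

The script only reads directory data, so it can be run before and after toggling the option on a test OU to watch the entry appear and disappear.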

Accidental deletion protection is not limited to OUs. You can also protect other types of objects in Active Directory: users, computer accounts, and groups.

You can enable the Protect object from accidental deletion option with the ADUC console or using PowerShell:

Get-ADObject -Identity 'CN=M-DC02,OU=Domain Controllers,DC=contoso,DC=com' | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Now you won’t be able to delete or move this computer object to another OU.
