Protect/unprotect objects from deletion

It is possible to protect any AD object from accidental deletion. If an object is protected, neither administrators nor other users can delete the object using Adaxes or any other tools, including Active Directory Users and Computers and Active Directory Administrative Center.

To protect an object from deletion, Adaxes updates the security descriptor of the object (and, if necessary, the security descriptor of its parent) to deny all users the right to delete the object.

Note

The Protect from accidental deletion setting does not provide protection against deletion of a subtree that contains the protected object. Therefore, it is recommended to enable the setting for all the parent containers/OUs of the protected object, up to the domain level.
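The following script is an added example and is not part of the Adaxes documentation. It uses the Microsoft ActiveDirectory PowerShell module rather than the Adaxes API to verify, from the security descriptors themselves, that an object and every parent container up to the domain head carry the protection flag (the ProtectedFromAccidentalDeletion extended property reflects the deny-delete entries Adaxes writes). The function name, the -Fix switch and the sample DN are assumptions made for this example.

```powershell
# Added example (not from the Adaxes documentation). Requires the Microsoft
# ActiveDirectory module (RSAT). Walks from the object up to the domain head and
# reports every DN that is not protected from accidental deletion.
Import-Module ActiveDirectory

function Get-UnprotectedChain {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,   # DN of the object to check
        [switch]$Fix                                 # also enable protection on the gaps
    )

    $gaps = @()
    $dn = $ObjectDN

    while ($true) {
        # ProtectedFromAccidentalDeletion is computed from the Deny ACEs in the
        # object's security descriptor, so this reflects what any tool would see.
        $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion

        if (-not $obj.ProtectedFromAccidentalDeletion) {
            $gaps += $dn
            if ($Fix) {
                Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $true
            }
        }

        # Stop once the domain head (DC=...) itself has been checked.
        if ($dn -match '^DC=') { break }

        # Strip the first RDN to move to the parent; the pattern tolerates
        # escaped commas (\,) inside RDN values such as "CN=Smith\, John".
        $dn = $dn -replace '^(?:\\.|[^,])+,', ''
    }

    return $gaps
}

# Constructed sample DN; replace with a real object in your directory.
$objectDN = "CN=John Smith,OU=Staff,DC=company,DC=com"
$unprotected = Get-UnprotectedChain -ObjectDN $objectDN
if ($unprotected.Count -eq 0) {
    Write-Host "Object and all parent containers are protected from deletion."
} else {
    Write-Host "Not protected from deletion:"
    $unprotected | ForEach-Object { Write-Host "  $_" }
}
```

Run it without -Fix first to see which containers in the chain are unprotected; a deleted or moved parent OU takes the protected object with it, which is why the note above recommends protecting every container up to the domain level.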

Find objects not protected from deletion

  1. Launch Adaxes Administration console.

  2. In the Console Tree, expand the Adaxes service node (the icon represents service nodes).

  3. Navigate to Reports / All Reports.

  4. Select one of the following reports:

    • Users / Users not protected from deletion
    • Computers / Computers not protected from deletion
    • Groups / Groups not protected from deletion
    • Groups / Security groups not protected from deletion
    • Organizational Units / OUs not protected from deletion
  5. Generate the report.

Protect/unprotect a single object from deletion

  1. Launch Adaxes Administration console.
  2. In the Console Tree, expand the Adaxes service node (the icon represents service nodes).
  3. Expand Active Directory / <domain>.
  4. Right-click the object you need and then click Properties in the context menu.
  5. In the dialog box that opens, click Advanced.
  6. Enable or disable the Protect from accidental deletion option.
  7. Click OK.

Protect/unprotect multiple objects from deletion

  1. Launch Adaxes Administration console.
  2. In the Console Tree, expand the Adaxes service node (the icon represents service nodes).
  3. Expand Active Directory / <domain>.
  4. Select the objects you need, right-click and then click Add/Modify Property in the context menu.
  5. In the wizard that opens, select the Protect from accidental deletion property.
  6. Click Next.
  7. In the Property value drop-down list, select TRUE to protect or FALSE to unprotect the objects.
  8. Click Finish.

Automatically protect/unprotect objects from deletion

To automatically protect/unprotect objects from deletion, you can use the following approaches:

  • Create a property pattern that will set the Protect from accidental deletion property to TRUE upon object creation.
  • Create a business rule that will set the Protect from accidental deletion property to TRUE after creating AD objects (e.g. After creating a user).
  • Create a scheduled task that will enable or disable the Protect from accidental deletion option for existing AD objects based on specific conditions and schedule.

Note

To protect/unprotect an object from deletion using a script, set the adm-ProtectedFromDeletion property of the object to TRUE or FALSE in the script.

Example

The below script protects an object from deletion. In the script:

  • $serviceHost - the host name of the computer where Adaxes service is installed.
  • $objectDN - the distinguished name (DN) of the object to enable protection for. For information on how to get the DN, see Get the DN of a directory object.

# Load the Adaxes ADSI assembly.
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"
$objectDN = "CN=John Smith,CN=Users,DC=company,DC=com"

# Connect to the Adaxes service.
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly($serviceHost)

# Bind to the object.
$object = $admService.OpenObject("Adaxes://$objectDN", $NULL, $NULL, 0)

# Protect the object from deletion.
$object.Put("adm-ProtectedFromDeletion", $True)
$object.SetInfo()