Windows Server has a feature called PROTECT CONTAINER FROM ACCIDENTAL DELETION that blocks even Domain and Enterprise Administrators from deleting Organizational Units, Computers, Printers and other AD objects.
Speaking from personal experience in the early 2000s, I can tell you that this is a really nice feature because you can really screw up your Active Directory by deleting an entire OU by accident.
You can configure Accidental Deletion restrictions when you create a new Organizational Unit, simply by checking the PROTECT CONTAINER FROM ACCIDENTAL DELETION box.
You Do Not Have Sufficient Privileges To Delete
The problem is that after an AD object is created, it is not so obvious how to remove Accidental Deletion restrictions. Even if you are a Domain or Enterprise admin, you will see “You do not have sufficient privileges to delete or this object is protected from accidental deletion”.
How To Remove Accidental Deletion Restrictions
You simply need to enable ADVANCED OPTIONS in Active Directory Users and Computers:
- In Active Directory Users and Computers, click the VIEW menu
- Select ADVANCED OPTIONS
- Double click on the object you want to delete
- Click the OBJECT tab
- Uncheck PROTECT OBJECT FROM ACCIDENTAL DELETION
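
The same check and change can be scripted. The PowerShell below is an added example, not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed, and the distinguished name `OU=Retired,DC=example,DC=com` is a placeholder. It audits which OUs lack protection, shows the deny entries behind the flag on one OU, then clears the flag and previews the delete with `-WhatIf`.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

# Placeholder DN (constructed for this example); replace with the real OU.
$targetDn = 'OU=Retired,DC=example,DC=com'

# 1. Audit: list every OU that is NOT protected from accidental deletion.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# 2. Read the current state of the target OU.
$ou = Get-ADOrganizationalUnit -Identity $targetDn `
        -Properties ProtectedFromAccidentalDeletion
"{0} protected: {1}" -f $ou.DistinguishedName, $ou.ProtectedFromAccidentalDeletion

# 3. The checkbox is stored as Deny entries for Everyone on the object's ACL,
#    which is why Domain and Enterprise Admins are blocked as well.
#    (On non-English systems the 'Everyone' account name is localized.)
(Get-Acl -Path "AD:\$targetDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference.Value -eq 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. Clear the flag on this one object only, then preview the delete.
#    Remove -WhatIf from the last command once the preview looks right.
if ($ou.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $targetDn -ProtectedFromAccidentalDeletion $false
}
Remove-ADOrganizationalUnit -Identity $targetDn -Recursive -WhatIf
```

Child objects inside the OU carry their own protection flag, so a recursive delete can still fail until each protected child is cleared the same way.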