Group Policy Central

This is a simple tip that I want to share about the right way to Organisation Units  to ensure that you always have them protected from accidental deletion.

Ever since Windows Server 2008/Vista there has been an option in ADUC called “Protect container from accidental deletion” (see image below).

The affect of ticking this check box was that the “Everyone” group would be granted deny delete permission (see below) on the object so that it would be very hard for you to accidently delete an OU (and all of its contents) even if you are a Domain Admin. NICE!!!

This is a very handy option to have enabled on all you OU’s (groups and users) as we all know that it quite easy to accidently delete something when you are working late or just under the pump with a million things on your plate.

However…

You may also be aware that the Group Policy Management Console also has as option to create new new Organisation Unit (see below).

The problem with using GPMC is that the tool does not implement “Protect container from accidental deletion” deny security permission on the OU as the ADUC tool does (see below).

So in summary, even though it might be really convenient to create OU’s in GPMC I recommend that you do NOT do this as you might end up regretting you ever did when you accidently pressed delete one to many times…

I have been doing Active Directory and Group Policy work for a while now and I have developed my own set of rules that I try to use where ever possible. So below I have written down all my rules in no particular order for you to go over and use for yourself. You may only chose to use only some of these rules or you might want to use them all depending on your circumstance. This is a two part series where I will first talk about designing you Active Directory Organisation Unit structure and then in part 2 (Best Practice: Group Policy Design Guidelines – Part 2) I will discuss some more ideas for applying Group Policy to the OU structure.

I want to be clear that these are only guidelines and not rules that need to be strictly adhered to. In almost all case there are exceptions to these guidelines and you might even find your self implementing them in a hybrid approach. I intend for this web page to be updated on a regular basis as none of these rules are set in stone and thing obviously change all the time.

Continue reading ‘Best Practice: Active Directory Structure Guidelines – Part 1’ »