This is a simple tip that I want to share about the right way to Organisation Units to ensure that you always have them protected from accidental deletion.
Ever since Windows Server 2008/Vista there has been an option in ADUC called â€œProtect container from accidental deletionâ€ (see image below).
The affect of ticking this check box was that the â€œEveryoneâ€ group would be granted deny delete permission (see below) on the object so that it would be very hard for you to accidently delete an OU (and all of its contents) even if you are a Domain Admin. NICE!!!
This is a very handy option to have enabled on all you OUâ€™s (groups and users) as we all know that it quite easy to accidently delete something when you are working late or just under the pump with a million things on your plate.
You may also be aware that the Group Policy Management Console also has as option to create new new Organisation Unit (see below).
The problem with using GPMC is that the tool does not implement â€œProtect container from accidental deletionâ€ deny security permission on the OU as the ADUC tool does (see below).
So in summary, even though it might be really convenient to create OUâ€™s in GPMC I recommend that you do NOT do this as you might end up regretting you ever did when you accidently pressed delete one to many timesâ€¦