Delegate permission to set 'Protection Against Accidental Deletion' (Network Steve Forum)

Delegate permission to set 'Protection Against Accidental Deletion'

Hi guys,

recently I'm trying to delegate permissions for the Active Directory administration in our company. It all works great so far except for one thing.

I'm able to delegate the right to remove 'Protection Against Accidental Deletion' if its set, but somehow I can't find a way to delegate the right to initially set it. I already tried to grant Full Control for Computer Objects to the Group I want to delegate the rights to, but that didn't help.

I need this especially for Computer Objects but a general answer would be great either.

Hope someone can help me with this.

Thanks in advance.

Greetings

Edited by Hannes.K 20 hours 27 minutes ago

September 2nd, 2015 9:05am

Hi,

For accidental deletion follow the steps mentioned in link:

https://technet.microsoft.com/en-us/library/cc739350%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Free Windows Admin Tool Kit Click here and download it now

September 2nd, 2015 9:27am

You can refer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/71614870-ca0f-441f-a31f-1f7218c139a9/how-to-enable-protect-object-from-accidental-deletion-for-entire-organization?forum=winserverDS

Using script : https://social.technet.microsoft.com/Forums/windowsserver/en-US/1e20fcab-a09e-45b5-8860-cb2523432191/powershell-to-enable-protect-from-accidental-deletion-on-all-ous?forum=winserverpowershell

September 2nd, 2015 9:30am

You mean the "Prevent object from accidental deletion" options?

As far as I know, seems there is no way to delegate this directly. Also please note that it is not a good practice to delegate groups of user to perform above mentioned AD activity.

Regards,

Eth

Free Windows Admin Tool Kit Click here and download it now

September 3rd, 2015 6:07am

You mean the "Prevent object from accidental deletion" options?

Yes exactly... I wasn't able to post a Screenshot since I was still awaiting Account verification.

With some testing I found a way to delegate the permission.

I had to grant "Change Permissions" on all Child Objects on the OU where I needed the Delegation for. That did the trick for me.

Also I needed to delegate that right so my coworkers can move Computer Objects to the proper OUs and then set the option with their administrative Users.

Regards,

Hannes

Edited by Hannes.K 20 hours 28 minutes ago

September 3rd, 2015 6:36am

I had to grant "Change Permissions" on all Child Objects on the OU where I needed the Delegation for. That did the trick for me.

Thanks for the update. Good to see you've figured it out.

Could you please share the steps on how exactly you did this? I would like to give it a try by myself in my lab.

Thank you in advance!

Regards,

Eth

Free Windows Admin Tool Kit Click here and download it now

September 3rd, 2015 11:09pm

This topic is archived. No further replies will be accepted.