A bulk deletion may occur in a situation where an administrator selects and deletes a container object, such as an Organizational Unit, that has subordinate objects. Although bulk deletions are rare, they are disruptive events you can guard against by leveraging a new policy: Container Deletion Prevention.
One of the most common bulk deletions is a container deletion, which occurs when Active Roles is used to delete a container object that holds other (subordinate) objects. By default, a container deletion has the following characteristics:
-
First, Active Roles builds a list of all the objects found in the container (subordinate objects), and then starts deleting the listed objects one by one.
-
Then, for every object in the list, Active Roles performs an access check to determine if the user or process that requested the deletion has sufficient rights to delete the object. If the access check allows the deletion, then the object is deleted; otherwise, Active Roles does not delete the object, and proceeds to deletion of a subsequent object in the list.
-
Finally, once all the subordinate objects are deleted, Active Roles deletes the container itself. If any of the subordinate objects are not deleted, the container is not deleted as well.
As a result of this behavior, an administrator who has full control over an Organizational Unit in Active Roles can accidentally delete the entire Organizational Unit, with all its contents, within a single operation. To prevent this, Active Roles provides for a certain policy to deny deletion of non-empty containers.
The Container Deletion Prevention policy defines a configurable list of names of object types as specified by the Active Directory schema (for example, the Organizational Unit object type). When an Active Roles client requests the deletion of a particular container, the Administration Service evaluates the request in order to determine whether the type of the container is in the list defined by the policy. If the container type is in the list and the container holds any objects, the Administration Service denies the request, preventing the deletion of the container. In this case, the client prompts to delete all objects held in the container before attempting to delete the container itself.
To configure a Container Deletion Prevention policy
-
In the Console tree, select Configuration > Policies > Administration > Builtin.
-
In the details pane, double-click Built-in Policy - Container Deletion Prevention.
-
On the Policies tab, select the policy from the list and then click View/Edit.
-
On the Types of Containers tab, click Add and use the Select Object Type dialog to select the type (or types) of container you want to protect, and then click OK.
For example, you can select the Organizational Unit object type to prevent deletion of non-empty Organizational Units.
-
Click OK to close the dialogs you opened.
The built-in Policy Object you have configured using the above instructions prevents deletion of non-empty containers in any managed domain.
You may not want Active Roles to prevent deletion of non-empty containers that are outside a certain scope (such as a certain domain, Organizational Unit, or Managed Unit), whereas deletion should be prohibited on the non-empty containers that fall within that particular scope. In this scenario, you need to create and configure a copy of the built-in Policy Object and apply that copy to the scope in question. Then, block the effect of the built-in Policy Object by selecting the Disable all policies included in this Policy Object check box on the Policies tab in the dialog for managing properties of the Policy Object.
If you only need to allow deletion of non-empty containers within a certain scope, then you can simply block the effect of the built-in Policy Object on the object representing the scope in question. Thus, if you want to allow deletion of Organizational Units that fall within a certain Managed Unit, you can use the Enforce Policy command on that Managed Unit to display the dialog for managing policy settings and then select the Blocked check box next to the name of the built-in Policy Object.
Another option to guard Organizational Units against accidental deletion is by using an Active Roles feature that allows you to deny deletion of particular objects. When creating an Organizational Unit by using Active Roles, you have the option to protect the newly created Organizational Unit from deletion. You can also use Active Roles to enable this protection on any existing Organizational Units or other objects in the managed Active Directory domains and Active Directory Lightweight Directory Services (AD LDS) partitions.
On the pages for creating an Organizational Unit in the Active Roles Console or Web Interface, you can select the Protect container from accidental deletion check box. This option removes the Delete and Delete Subtree permissions on the Organizational Unit and the Delete All Child Objects permission on the parent container of the Organizational Unit. An Organizational Unit created with this option cannot be deleted, whether using Active Roles or other tools for Active Directory administration, as the deletion-related permissions are removed by applying the appropriate Access Templates in Active Roles and replicating the resulting permission entries to Active Directory.
The option to protect existing Organizational Units or other objects from deletion is available on the Object tab of the Properties page for an object in the Active Roles Console or Web Interface. If you select the Protect object from accidental deletion check box on that tab, Active Roles configures the permission entries on the object in the same way as with the Protect container from accidental deletion option for an Organizational Unit. When somebody attempts to delete a protected object, the operation returns an error indicating that the object is protected or access is denied.
The option to protect an object from deletion adds the following Access Template links:
-
On the object to protect, adds a link to the Objects - Deny Deletion Access Template for the Everyone group.
-
On the parent container of the object, adds a link to the Objects - Deny Deletion of Child Objects Access Template for the Everyone group. (Active Roles does not add this link if it detects that a link of the same configuration already exists.)
The links are configured to apply the Access Template permission entries not only in Active Roles but also in Active Directory. This adds the following access control entries (ACEs) in Active Directory:
-
On the object to protect, adds explicit Deny ACEs for the Delete and Delete Subtree permissions for the Everyone group.
-
On the parent container of the object, adds an explicit Deny ACE for the Delete All Child Objects permission for the Everyone group. (Active Roles does not add this ACE if it detects that an ACE of the same configuration already exists.)
If you clear the Protect object from accidental deletion check box for a given object, Active Roles the updates the object to remove the link to the Objects - Deny Deletion Access Template in Active Roles along with the explicit Deny ACEs for the Delete and Delete Subtree permissions for the Everyone group in Active Directory. As a result, the object is no longer guarded against deletion. Note that clearing the check box for a particular object removes the Access Template links and ACEs from only that object, leaving the Access Template links and ACEs on the parent container intact. This is because the parent container may hold other objects that are protected from deletion. If the container does not hold any protected objects, you could remove the link to the Objects - Deny Deletion of Child Objects Access Template by using the Delegate Control command on that container in the Active Roles Console, which will also delete the corresponding ACE in Active Directory.
It is possible to configure Active Roles so that the Protect container from accidental deletion check box will be selected by default on the pages for creating Organizational Units in the Active Roles Console or Web Interface. To enable this behavior within a domain or container, apply the Built-in Policy - Set Option to Protect OU from Deletion Policy Object to that domain or container. This Policy Object ensures that Organizational Units created by Active Roles are protected from deletion regardless of the method used to create them. Thus, Organizational Units created using Active Roles script interfaces will also be protected by default.