Report section: Undo Group Object Permanent Deletion
Report section: Undo Group Object Permanent Deletion
Table 49: Undo Group Object Permanent Deletion
No changes to undo. |
Not applicable |
Scheduled deletion of the group is canceled. |
Failed to cancel scheduled deletion of the group. The group is going to be deleted on this date: date |
Container Deletion Prevention policy
A bulk deletion may occur in a situation where an administrator selects and deletes a container object, such as an Organizational Unit, that has subordinate objects. Although bulk deletions are rare, they are disruptive events you can guard against by leveraging a new policy—Container Deletion Prevention.
One of the most common bulk deletions is a container deletion, which occurs when Active Roles is used to delete a container object that holds other (subordinate) objects. By default, a container deletion has the following characteristics:
- First, Active Roles builds a list of all the objects found in the container (subordinate objects), and then starts deleting the listed objects one by one.
- Then, for every object in the list, Active Roles performs an access check to determine if the user or process that requested the deletion has sufficient rights to delete the object. If the access check allows the deletion, then the object is deleted; otherwise, Active Roles does not delete the object, and proceeds to deletion of a subsequent object in the list.
- Finally, once all the subordinate objects are deleted, Active Roles deletes the container itself. If any of the subordinate objects are not deleted, the container is not deleted as well.
As a result of this behavior, an administrator who has full control over an organizational unit in Active Roles can accidentally delete the entire organizational unit, with all its contents, within a single operation. To prevent this, Active Roles provides for a certain policy to deny deletion of non-empty containers.
The Container Deletion Prevention policy defines a configurable list of names of object types as specified by the Active Directory schema (for example, the Organizational Unit object type). When an Active Roles client requests the deletion of a particular container, the Administration Service evaluates the request in order to determine whether the type of the container is in the list defined by the policy. If the container type is in the list and the container holds any objects, the Administration Service denies the request, preventing the deletion of the container. In this case, the client prompts to delete all objects held in the container before attempting to delete the container itself.
To configure a Container Deletion Prevention policy
- In the console tree, select Configuration | Policies | Administration | Builtin.
- In the details pane, double-click Built-in Policy - Container Deletion Prevention.
- On the Policies tab, select the policy from the list and then click View/Edit.
- On the Types of Containers tab, click Add and use the Select Object Type dialog box to select the type (or types) of container you want to protect, and then click OK.
For example, you can select the Organizational Unit object type in order to prevent deletion of non-empty organizational units.
- Click OK to close the dialog boxes you opened.
The built-in Policy Object you have configured using the above instructions prevents deletion of non-empty containers in any managed domain.
You may not want Active Roles to prevent deletion of non-empty containers that are outside a certain scope (such as a certain domain, organizational unit, or Managed Unit), whereas deletion should be prohibited on the non-empty containers that fall within that particular scope. In this scenario, you need to create and configure a copy of the built-in Policy Object and apply that copy to the scope in question. Then, block the effect of the built-in Policy Object by selecting the Disable all policies included in this Policy Object check box on the Policies tab in the dialog box for managing properties of the Policy Object.
If you only need to allow deletion of non-empty containers within a certain scope, then you can simply block the effect of the built-in Policy Object on the object representing the scope in question. Thus, if you want to allow deletion of organizational units that fall within a certain Managed Unit, you can use the Enforce Policy command on that Managed Unit to display the dialog box for managing policy settings and then select the Blocked check box next to the name of the built-in Policy Object.
Protecting objects from accidental deletion
Another option to guard organizational units against accidental deletion is by using an Active Roles feature that allows you to deny deletion of particular objects. When creating an organizational unit by using Active Roles, you have the option to protect the newly created organizational unit from deletion. You can also use Active Roles to enable this protection on any existing organizational units or other objects in the managed Active Directory domains and Active Directory Lightweight Directory Services (AD LDS) partitions.
On the pages for creating an organizational unit in the Active Roles console or Web Interface, you can select the Protect container from accidental deletion check box. This option removes the Delete and Delete Subtree permissions on the organizational unit and the “Delete All Child Objects” permission on the parent container of the organizational unit. An organizational unit created with this option cannot be deleted, whether using Active Roles or other tools for Active Directory administration, as the deletion-related permissions are removed by applying the appropriate Access Templates in Active Roles and replicating the resulting permission entries to Active Directory.
The option to protect existing organizational units or other objects from deletion is available on the Object tab of the Properties page for an object in the Active Roles console or Web Interface. If you select the Protect object from accidental deletion check box on that tab, Active Roles configures the permission entries on the object in the same way as with the Protect container from accidental deletion option for an organizational unit. When somebody attempts to delete a protected object, the operation returns an error indicating that the object is protected or access is denied.
The option to protect an object from deletion adds the following Access Template links:
- On the object to protect, adds a link to the Objects - Deny Deletion Access Template for the Everyone group.
- On the parent container of the object, adds a link to the Objects - Deny Deletion of Child Objects Access Template for the Everyone group. (Active Roles does not add this link if it detects that a link of the same configuration already exists.)
The links are configured to apply the Access Template permission entries not only in Active Roles but also in Active Directory. This adds the following access control entries (ACEs) in Active Directory:
- On the object to protect, adds explicit Deny ACEs for the Delete and Delete Subtree permissions for the Everyone group.
- On the parent container of the object, adds an explicit Deny ACE for the “Delete All Child Objects” permission for the “Everyone” group. (Active Roles does not add this ACE if it detects that an ACE of the same configuration already exists.)
If you clear the Protect object from accidental deletion check box for a given object, Active Roles the updates the object to remove the link to the “Objects - Deny Deletion” Access Template in Active Roles along with the explicit Deny ACEs for the “Delete” and “Delete Subtree” permissions for the “Everyone” group in Active Directory. As a result, the object is no longer guarded against deletion. Note that clearing the check box for a particular object removes the Access Template links and ACEs from only that object, leaving the Access Template links and ACEs on the parent container intact. This is because the parent container may hold other objects that are protected from deletion. If the container does not hold any protected objects, you could remove the link to the “Objects - Deny Deletion of Child Objects” Access Template by using the Delegate Control command on that container in the Active Roles console, which will also delete the corresponding ACE in Active Directory.
It is possible to configure Active Roles so that the Protect container from accidental deletion check box will be selected by default on the pages for creating organizational units in the Active Roles console or Web Interface. To enable this behavior within a domain or container, apply the “Built-in Policy - Set Option to Protect OU from Deletion” Policy Object to that domain or container. This Policy Object ensures that organizational units created by Active Roles are protected from deletion regardless of the method used to create them. Thus, organizational units created using Active Roles script interfaces will also be protected by default.
Picture management rules
You can use the Active Roles console or Web Interface to add a picture for a user, group, or contact object. An advantage of using pictures, such as the photographs or logos, is that a picture makes it easier to recognize the user, group, or contact in e-mail clients and web applications that can retrieve the picture from Active Directory. When you supply a picture for a user, group or contact via Active Roles, the picture is saved in the thumbnailPhoto
attribute of that user, contact, or group in Active Directory.
Active Roles provides a policy to enforce the picture size limits, including maximum and minimum dimensions and the option to resize the picture automatically. When you add a picture to the user, group, or contact, Active Roles checks the dimensions of the picture, and does not apply the picture in case of policy violation. If automatic picture resizing is enabled, Active Roles reduces the dimensions of the picture as needed by resampling down the original picture.
You can use the following policy options to configure the picture management rules:
- Controlled property and object type. Specifies the object class and the attribute intended to store the picture. The policy fires upon a request to save a picture in the specified attribute of an object of the specified object class. By default, the policy controls the
thumbnailPhoto
attribute of the user, contact, or group object class. You can choose a different attribute for each object class separately. For instance, you can configure the policy to control the thumbnailLogo
or jpegPhoto
user attribute while retaining control of the thumbnailPhoto
attribute of groups and contacts.
- Maximum allowed size, in pixels. Specifies the maximum allowed dimensions of the picture. If the width or height of a given picture is greater than specified by this option, then the policy prevents the picture from being applied. The policy has the option to resample pictures of large size. You can configure the policy so that Active Roles automatically reduces the size of the original picture to meet the policy requirements and then applies the resulting picture.
- Minimum allowed size, in pixels. Specifies the minimum allowed dimensions of the picture. If the width or height of a given picture is less than specified by this option, then the policy prevents the picture from being applied.
- Enable automatic picture resizing. Causes Active Roles to resample the pictures whose dimensions exceed the maximum allowed size. If you select this option, Active Roles reduces the dimensions of the picture as appropriate and then applies the resulting picture; otherwise, Active Roles merely rejects the pictures that are too big.
To view or modify the policy options
- Open the Active Roles console.
- In the console tree, select Configuration | Policies | Administration | Builtin.
- In the details pane, double-click Built-in Policy - Picture Management Rules.
- On the Policies tab in the Properties dialog box that appears, click the policy in the list, and then click View/Edit.
- In the Properties dialog box that appears, do the following:
- On the Controlled Property tab, view or change the object class and attribute to which the policy applies.
- On the Picture Sizing tab, view or change the policy settings that restrict the size of the picture stored by the controlled property.
By default, the built-on Policy Object is applied to the Active Directory node in the Active Roles namespace, so the policy options affect all users, groups and contacts in the managed domains. If you need different policy options for different domains or containers, create a copy of the built-in Policy Object, and then configure and apply the copy as appropriate.