Protect/unprotect Objects From Deletion - Adaxes Help

Protect/unprotect objects from deletion

Adaxes allows you to protect objects from accidental deletion. Protected objects cannot be deleted by any user, even if they have sufficient permissions. There is a difference between how protection from accidental deletion works for Active Directory objects and Microsoft Entra objects.

Active Directory

  • Protected objects cannot be deleted using Adaxes or any other tools, including Active Directory Users and Computers and Active Directory Administrative Center.

  • Protection from deletion is not provided against the deletion of a subtree that contains a protected object. It is recommended to enable the setting for all the parent containers/OUs of the protected object, up to the domain level.

Microsoft Entra ID

  • Objects are protected from deletion only within Adaxes. You can still delete them via Microsoft Entra portal or any other tools.

  • It isn't necessary to protect the parent OU to protect a user or a group from deletion.

Protection from deletion settings for Microsoft Entra domains are a part of Adaxes configuration. If you restore the configuration from a backup, these settings will also be restored.

Find objects not protected from deletion

  1. Launch Adaxes administration console.

    How
    • On the computer where Adaxes administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. In the Console Tree, expand the Adaxes service node (the icon represents service nodes).

  3. Navigate to Reports / All Reports.

  4. Select one of the following reports:

    • Users / Users not protected from deletion

    • Computers / Computers not protected from deletion

    • Groups / Groups not protected from deletion

    • Groups / Security groups not protected from deletion

    • Organizational Units / OUs not protected from deletion

  5. Generate the report.

Protect/unprotect a single object from deletion

  1. Launch Adaxes administration console.

    How
    • On the computer where Adaxes administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. In the Console Tree, expand the Adaxes service node (the icon represents service nodes).

  3. Expand Managed Domains / <domain>.

  4. Right-click the object you need and then click Properties in the context menu.

  5. In the dialog box that opens, click Advanced.

  6. Enable or disable the Protect from deletion option.

  7. Click OK.

Protect/unprotect multiple objects from deletion

  1. Launch Adaxes administration console.

    How
    • On the computer where Adaxes administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. In the Console Tree, expand the Adaxes service node (the icon represents service nodes).

  3. Expand Managed Domains / <domain>.

  4. Select the objects you need, right-click and then click Add/Modify Property in the context menu.

  5. In the wizard that opens, select the Protect from deletion property.

  6. Click Next.

  7. In the Property value drop-down list, select True to protect or False to unprotect the objects.

  8. Click Finish.

Automatically protect/unprotect objects from deletion

To automatically protect/unprotect objects from deletion, you can use the following approaches:

  • Create a property pattern that will set the Protect from deletion property to True upon object creation.

  • Create a business rule that will set the Protect from deletion property to False after creating objects (e.g. After creating a user).

  • Create a scheduled task that will enable or disable the Protect from deletion option for existing objects based on specific conditions and schedule.

To protect/unprotect an object from deletion using a script, set the adm-ProtectedFromDeletion property of the object to true or false in the script.

Example

The script below protects an object from deletion. In the script:

  • $serviceHost – the host name of the computer where Adaxes service is installed.

  • $objectDN – the distinguished name (DN) of the object to enable protection for. For information on how to get the DN, see Get the DN of a directory object.

    Import-Module Adaxes

    $serviceHost = "localhost"
    $objectDN = "CN=John Smith,CN=Users,DC=company,DC=com"

    # Connect to the Adaxes service.
    $ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
    $service = $ns.GetServiceDirectly($serviceHost)

    # Bind to the object.
    $object = $service.OpenObject("Adaxes://$objectDN", $null, $null, 0)

    # Protect the object from deletion.
    $object.Put("adm-ProtectedFromDeletion", $true)
    $object.SetInfo()
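For Active Directory objects, the recommendation above is to also protect every parent container/OU up to the domain level, because deleting a subtree bypasses protection on the objects inside it. The following script is an added example, not part of the original Adaxes documentation: it applies the same adm-ProtectedFromDeletion property to an object and to each of its parents below the domain. The Get-DNChain helper and the sample DN are hypothetical, and the DN parsing assumes commas inside names are escaped as "\," with no preceding escaped backslash.

```powershell
Import-Module Adaxes

$serviceHost = "localhost"
# Constructed sample DN; replace with the DN of the object to protect.
$objectDN = "CN=John Smith,OU=Sales,OU=Staff,DC=company,DC=com"

# Hypothetical helper: returns the object DN followed by the DN of each
# parent container/OU, stopping before the domain (first DC= component).
function Get-DNChain
{
    param([string]$DN)

    # Split on commas that are not escaped with a backslash.
    $parts = [regex]::Split($DN, '(?<!\\),')
    $chain = @()
    for ($i = 0; $i -lt $parts.Length; $i++)
    {
        if ($parts[$i].Trim() -like "DC=*") { break }
        $chain += ($parts[$i..($parts.Length - 1)] -join ",")
    }
    return $chain
}

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

foreach ($dn in @(Get-DNChain -DN $objectDN))
{
    try
    {
        # Bind to the object or container and enable protection.
        $object = $service.OpenObject("Adaxes://$dn", $null, $null, 0)
        $object.Put("adm-ProtectedFromDeletion", $true)
        $object.SetInfo()
        Write-Host "Protected: $dn"
    }
    catch
    {
        # One failure (e.g. missing rights on a parent) must not hide the gap.
        Write-Warning "Could not protect '$dn': $($_.Exception.Message)"
    }
}
```

Any warning in the output marks a parent that is still unprotected, which leaves the objects beneath it exposed to subtree deletion.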
