Protect/unprotect objects from deletion

Adaxes allows you to protect objects from accidental deletion. Protected objects cannot be deleted by any user, even if they have sufficient permissions. There is a difference between how protection from accidental deletion works for Active Directory objects and Microsoft Entra objects.

  • Active Directory

    • Protected objects cannot be deleted using Adaxes or any other tools, including Active Directory Users and Computers and Active Directory Administrative Center.

    • Protection from deletion does not prevent the deletion of a subtree that contains a protected object. It is recommended to enable the setting for all the parent containers/OUs of the protected object, up to the domain level.

  • Microsoft Entra ID

    • Protected objects cannot be deleted from within Adaxes only. You can still delete them via the Microsoft Entra portal or any other tools.

    • It isn't necessary to protect the parent OU to protect a user or a group from deletion.

Protection from deletion settings for Microsoft Entra domains are a part of the Adaxes configuration. If you restore the configuration from a backup, these settings will also be restored.

Find objects not protected from deletion

  1. Launch Adaxes Administration console.

     How:
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. In the Console Tree, expand the Adaxes service node.

  3. Navigate to Reports / All Reports.

  4. Select one of the following reports:

    • Users / Users not protected from deletion

    • Computers / Computers not protected from deletion

    • Groups / Groups not protected from deletion

    • Groups / Security groups not protected from deletion

    • Organizational Units / OUs not protected from deletion

  5. Generate the report.

Protect/unprotect a single object from deletion

  1. Launch Adaxes Administration console.

     How:
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. In the Console Tree, expand the Adaxes service node.

  3. Expand Managed Domains / <domain>.

  4. Right-click the object you need and then click Properties in the context menu.

  5. In the dialog box that opens, click Advanced.

  6. Enable or disable the Protect from accidental deletion option.

  7. Click OK.

Protect/unprotect multiple objects from deletion

  1. Launch Adaxes Administration console.

     How:
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. In the Console Tree, expand the Adaxes service node.

  3. Expand Managed Domains / <domain>.

  4. Select the objects you need, right-click and then click Add/Modify Property in the context menu.

  5. In the wizard that opens, select the Protect from accidental deletion property.

  6. Click Next.

  7. In the Property value drop-down list, select True to protect or False to unprotect the objects.

  8. Click Finish.

Automatically protect/unprotect objects from deletion

To automatically protect/unprotect objects from deletion, you can use the following approaches:

  • Create a property pattern that will set the Protect from accidental deletion property to True upon object creation.

  • Create a business rule that will set the Protect from accidental deletion property to False after creating objects (e.g. After creating a user).

  • Create a scheduled task that will enable or disable the Protect from accidental deletion option for existing objects based on specific conditions and schedule.

To protect/unprotect an object from deletion using a script, set the adm-ProtectedFromDeletion property of the object to true (protect) or false (unprotect) in the script.

Example

The script below protects an object from deletion. In the script:

  • $serviceHost – the host name of the computer where Adaxes service is installed.

  • $objectDN – the distinguished name (DN) of the object to enable protection for. For information on how to get the DN, see Get the DN of a directory object.

[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost = "localhost"
$objectDN = "CN=John Smith,CN=Users,DC=company,DC=com"

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Bind to the object.
$object = $service.OpenObject("Adaxes://$objectDN", $null, $null, 0)

# Protect the object from deletion.
$object.Put("adm-ProtectedFromDeletion", $true)
$object.SetInfo()
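The script above handles one object whose DN is known in advance. To apply the setting to many existing objects at once, as the "Protect/unprotect multiple objects" and "scheduled task" approaches describe, the following added example (not part of the Adaxes documentation or the Adaxes SDK) searches a container with the Adaxes ADSI API, reads the current adm-ProtectedFromDeletion value of each user, and writes the desired value only where it differs. It runs in report-only mode by default so you can review the list before changing anything. $serviceHost, the AdmNamespace/GetServiceDirectly connection and the Put/SetInfo calls follow the script above; $containerDN, $desiredState, $dryRun and the sample OU are assumed names and constructed values; reading the property back with Get is an assumption to confirm against your Adaxes version.

```powershell
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$serviceHost  = "localhost"
# Constructed sample values: replace with your own container and desired state.
$containerDN  = "OU=Staff,DC=company,DC=com"
$desiredState = $true   # $true = protect, $false = unprotect
$dryRun       = $true   # report only; set to $false to apply the changes

# Connect to the Adaxes service.
$ns = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$service = $ns.GetServiceDirectly($serviceHost)

# Bind to the container and search it (subtree) for user objects.
$container = $service.OpenObject("Adaxes://$containerDN", $null, $null, 0)
$container.SearchFilter = "(&(objectCategory=person)(objectClass=user))"
$container.SearchScope = "ADS_SCOPE_SUBTREE"
$container.PageSize = 500
$container.SetPropertiesToLoad(@("distinguishedName"))

$changed = 0
$skipped = 0
$failed  = 0
$iterator = $null

try {
    $iterator = $container.ExecuteSearch()
    $results = $iterator.FetchAll()

    foreach ($result in $results) {
        $object = $service.OpenObject($result.AdsPath, $null, $null, 0)
        $dn = $object.Get("distinguishedName")

        # Read the current state (assumed readable via Get); an unreadable
        # value is reported rather than guessed.
        try {
            $current = [bool]$object.Get("adm-ProtectedFromDeletion")
        }
        catch {
            Write-Warning "Cannot read protection state of ${dn}: $($_.Exception.Message)"
            $failed++
            continue
        }

        # Idempotent: leave objects that are already in the desired state alone.
        if ($current -eq $desiredState) {
            $skipped++
            continue
        }

        if ($dryRun) {
            Write-Host "Would set adm-ProtectedFromDeletion=$desiredState on $dn"
            $changed++
            continue
        }

        try {
            $object.Put("adm-ProtectedFromDeletion", $desiredState)
            $object.SetInfo()
            Write-Host "Set adm-ProtectedFromDeletion=$desiredState on $dn"
            $changed++
        }
        catch {
            Write-Warning "Failed to update ${dn}: $($_.Exception.Message)"
            $failed++
        }
    }
}
finally {
    # Release the search result iterator held by the service.
    if ($iterator) { $iterator.Dispose() }
}

Write-Host ("Done. Changed: {0}, already in desired state: {1}, failed: {2}" -f $changed, $skipped, $failed)
```

Run it once with $dryRun = $true, check that the listed objects are the ones you expect, then set $dryRun to $false. For Active Directory objects remember the subtree caveat from the top of this page: protecting the users does not stop someone from deleting the OU that contains them, so the parent containers need the setting as well. For Microsoft Entra objects the setting only stops deletion from within Adaxes.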