Home/ Questions/Q 7626809
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T05:22:31+00:00

I have a C# (Visual Studio 2010) application to manage objects in Microsoft Active

  • 0

I have a C# (Visual Studio 2010) application to manage objects in Microsoft Active Directory. When I want to move an organization unit in my application, the software tells me, that I have insufficient priviledges to do that. That’s because many objects in our directory are protected from accidental deletion.

Now I would like to check my application if an object is protected. If so, it should deactivate this protection, then move the object to another ou and finally set the protection again.

I’ve tried

// entry is a DirectoryEntry-Object
entry.Properties["ProtectedFromAccidentalDeletion"].Value = false;

but that gives me an exception.

In Microsoft Powershell you can do it that way:

Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

Is it possible to realize this in C#, too?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to add two entries to the ACL for the object:

    • Deny Everyone Delete
    • Deny Everyone Delete Tree

    I just dug up some really old code to do this that should work:

    Dim currentOU as DirectoryEntry ' This is the object you want to protect
Dim deleteAce As New ActiveDirectoryAccessRule(New NTAccount("Everyone"), ActiveDirectoryRights.Delete, AccessControlType.Deny)
Dim deleteSubtreeAce As New ActiveDirectoryAccessRule(New NTAccount("Everyone"), ActiveDirectoryRights.DeleteTree, AccessControlType.Deny)

Dim currentACL As ActiveDirectorySecurity = currentOU.ObjectSecurity

Dim deleteDeny As Boolean = False
Dim deleteSubtreeDeny As Boolean = False

For Each ace As ActiveDirectoryAccessRule In currentACL.GetAccessRules(True, False, GetType(NTAccount))
    If ace.IdentityReference.Value = "Everyone" Then
        If ace.ActiveDirectoryRights = ActiveDirectoryRights.Delete Then
            deleteDeny = True
        ElseIf ace.ActiveDirectoryRights = ActiveDirectoryRights.DeleteTree Then
            deleteSubtreeDeny = True
        End If
    End If
Next

If Not (deleteDeny AndAlso deleteSubtreeDeny) Then
    currentACL.AddAccessRule(deleteAce)
    currentACL.AddAccessRule(deleteSubtreeAce)

    currentOU.CommitChanges()

    Console.WriteLine("Protected: " & currentOU.Path)
End If
    • 0