Protecting Centrify Zones from accidental deletion on Active Directory


If you have been using Centrify for some time you know that Centrify stores its Zones and related objects inside Active Directory (AD), typically under a dedicated container or OU. One question always surfaces: how do you protect those objects from accidental deletion? There are two ways. The first is the easiest.

Method 1 (manual, enables ‘Protect object from accidental deletion’ for a specific AD object only):

  1. Ask your System Administrator or OU Administrator to open the “Active Directory Users and Computers” application.
  2. Navigate to your intended AD object (for example your ‘Zone’).
  3. Right-click the AD object and select ‘Properties’.
  4. Click the ‘Object’ tab.
  5. Make sure the ‘Protect object from accidental deletion’ checkbox is checked.
  6. Click ‘Apply’ and then ‘OK’ to confirm the change.

Method 2 (via PowerShell, enables protection from accidental deletion for all objects under a specified OU or container):

1) Ask your System Administrator to open PowerShell (the Active Directory module must be available, i.e. the RSAT AD tools are installed or you are on a domain controller).

2) In the command below, replace the ‘distinguishedName’ (DN) so that it points to the OU or container relevant to your domain. The command sets the flag on the container itself and on every object beneath it, because Get-ADObject searches the whole subtree by default:

    PowerShell: Get-ADObject -Filter * -SearchBase "{DN_Name}" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Example command (for the Centrify ‘Zones’ container):

    Get-ADObject -Filter * -SearchBase "CN=Zones,CN=Centrify,CN=Program Data,DC=win16org22,DC=pmm" | Set-ADObject -ProtectedFromAccidentalDeletion $true

(Take note: to obtain the DN, right-click the intended AD object > select ‘Properties’ > click the ‘Attribute Editor’ tab > find the ‘distinguishedName’ attribute > copy its value and paste it into the PowerShell command above. The Attribute Editor tab is only shown when ‘Advanced Features’ is enabled in the View menu.)

(Take note: this adds an explicit “deny” for Delete and Delete Subtree on every object under the specified OU. Anyone who then tries to delete one of these objects is denied and the attempt generates an event. The deny applies to every caller, including Centrify’s own management tools when they remove objects such as zone computers, so the protection must be cleared on an object before that object can be deleted intentionally.)
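As an added example (not from the original post or from Centrify), the following script wraps the one-liner above into a repeatable procedure: it inventories which objects under the Zones container are still unprotected, does a dry run with -WhatIf, applies the flag, and then verifies both the flag and the resulting Deny ACE. The DN is a placeholder you must replace with your own; the cmdlets used (Get-ADObject, Set-ADObject, Get-Acl on the AD: drive) are the standard Active Directory module cmdlets.

```powershell
# Added example: protect all Centrify Zone objects under a container and verify the result.
# Requires the Active Directory PowerShell module (RSAT) and rights to modify the objects' ACLs.
Import-Module ActiveDirectory

# Placeholder DN: replace with the distinguishedName of your own Centrify Zones container.
$searchBase = 'CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com'

# 1. Inventory: which objects under the container (including the container itself) lack the flag?
$objects = @(Get-ADObject -Filter * -SearchBase $searchBase -SearchScope Subtree `
               -Properties ProtectedFromAccidentalDeletion)
$unprotected = @($objects | Where-Object { -not $_.ProtectedFromAccidentalDeletion })
Write-Host ("{0} objects found, {1} currently unprotected" -f $objects.Count, $unprotected.Count)

if ($unprotected.Count -gt 0) {
    # 2. Dry run: -WhatIf shows what would change without touching AD.
    $unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true -WhatIf

    # 3. Apply the flag. This writes a Deny ACE (Everyone: Delete, Delete Subtree) on each object.
    $unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true
}

# 4. Verify the flag: nothing under the container should remain unprotected.
$stillUnprotected = @(Get-ADObject -Filter * -SearchBase $searchBase -SearchScope Subtree `
                        -Properties ProtectedFromAccidentalDeletion |
                      Where-Object { -not $_.ProtectedFromAccidentalDeletion })
if ($stillUnprotected.Count -gt 0) {
    Write-Warning "Still unprotected:"
    $stillUnprotected | Select-Object DistinguishedName | Format-Table -AutoSize
} else {
    Write-Host "All objects under $searchBase are protected from accidental deletion."
}

# 5. Show the underlying ACE on the container so the change can be audited directly from the ACL.
$acl = Get-Acl -Path "AD:\$searchBase"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference -eq 'Everyone' -and
        $_.ActiveDirectoryRights -match 'Delete'
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize

# 6. When a deletion is intended (for example decommissioning one zone), clear the flag on that
#    single object first; otherwise the delete is denied. Placeholder DN, shown commented out.
# Set-ADObject -Identity 'CN=OldZone,CN=Zones,CN=Centrify,CN=Program Data,DC=example,DC=com' `
#     -ProtectedFromAccidentalDeletion $false
```

Run the script from an elevated PowerShell session as an account that can modify the container's ACLs. Because step 3 only touches objects that were reported unprotected, re-running the script is safe and simply confirms that nothing new has appeared under the container without protection.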
