If you went ahead and created some of your own OUs as part of the previous exercise, then you probably noticed the little checkbox that appears and is automatically checked whenever you create a new OU. This checkbox is called Protect container from accidental deletion. Sounds like a good thing, right? But what does this checkbox really do?
Leaving this option selected when creating a new OU means that you won't be able to delete the OU without some extra effort. This applies even to domain administrators. As an example, I have just created a new OU called HR, but now I want to delete this new OU. It should be a simple matter of right-clicking and selecting Delete, right? But when I do that, I get the following error message:
Whoops, that's a problem. This is something you will often encounter when trying to delete OUs that have been created by other administrators, because usually everyone leaves that accidental deletion checkbox enabled whenever they create new OUs.
If you are really sure that you want to delete this OU, here are the extra steps you will need to take in order to accomplish that deletion. We essentially just have to clear out the permission setting on the OU that is currently blocking our ability to delete it, but where do I find the permission settings for an OU? Inside ADUC, these permissions are hidden by default. Open up ADUC and click on the View menu, then choose the option for Advanced Features. This option enables some additional screens and information inside ADUC. Regarding our OU deletion process, what it enables is additional tabs inside each OU's Properties page.
Now that Advanced Features are enabled, I can right-click on my HR OU, and go into Properties, and I now have access to a tab called Security (this tab did not exist prior to enabling Advanced Features):
You can see that the top listing inside this OU is a specification for Everyone to have Special permissions. Go ahead and click on the Advanced button, and you can see that the special permission it is talking about is a big fat Deny rule that applies to Everyone. This setting is the thing that is currently blocking us from being able to delete the HR OU:
Simply select that Deny rule (if not already selected), and click the Remove button. By removing this special permission from the HR OU, you will find that you can now successfully delete the HR OU with no problems whatsoever.