Click Apply in the Advanced Security Settings window. Then review the information in the Windows Security window that appears and select Yes to continue:
Click OK to close the Advanced Security Settings window, then click OK again to close OU Properties.
Next, apply the same level of protection to the Container that holds the protected OU. To do this, right-click the Container and select Properties:
Select the Security tab in the Container Properties window. Then click Add, type Everyone and click OK. In the Permissions for Everyone section, check the Deny checkbox for Delete All Child Objects, then click Apply:
Then close all the windows opened in this section. When you now try to delete any OU, the system will display an error message as shown below:
To remove this protection, delete the Deny ACEs assigned to the Everyone group.
Alternatively, you can protect the OU object from the command line with DSACLS. The /d switch adds a Deny ACE, here denying Everyone the SD (Delete) and DT (Delete Tree) permissions:
dsacls "ou=Company Users,dc=mydomain,dc=com" /d Everyone:SDDT
If you want to protect the entire OU structure, you can use the command:
for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d Everyone:SDDT
Note that the above command applies to EVERY Organizational Unit in the Active Directory domain. If you want to apply different security levels to different OUs, change the dsquery command so that it returns only the OUs you want. When running the loop from a batch file rather than directly at the command prompt, write %%i instead of %i.
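To verify that the Deny ACEs described above are actually in place, the following PowerShell check evaluates an ACL for them. It is an added example, not part of the original article: Test-DenyEveryone is a hypothetical helper name, and the sample ACEs are constructed inline so the script runs without a domain.

```powershell
# Added example (Windows PowerShell 5 or later). Sample ACEs below are constructed, not read from a domain.
Add-Type -AssemblyName System.DirectoryServices

$EveryoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # well-known SID of Everyone
$Deny        = [System.Security.AccessControl.AccessControlType]::Deny
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$SDDT        = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'  # dsacls SD + DT
$DeleteChild = [System.DirectoryServices.ActiveDirectoryRights]'DeleteChild'         # "Delete All Child Objects"

# Hypothetical helper: returns $true when Deny ACEs for Everyone cover every right in $Required.
function Test-DenyEveryone {
    param(
        $Rules,
        [System.DirectoryServices.ActiveDirectoryRights]$Required
    )
    $denied = 0
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne $Deny) { continue }   # Allow ACEs give no protection
        # Compare by SID so a localized group name does not matter.
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -eq $EveryoneSid.Value) {
            $denied = $denied -bor [int]$rule.ActiveDirectoryRights
        }
    }
    return (($denied -band [int]$Required) -eq [int]$Required)
}

# Constructed sample ACLs: a fully protected OU, an OU missing the DT right,
# and a parent container that only has an Allow ACE for Delete All Child Objects.
$newAce = { param($rights, $type) [System.DirectoryServices.ActiveDirectoryAccessRule]::new($EveryoneSid, $rights, $type) }
$protectedOu  = @(& $newAce $SDDT $Deny)
$partialOu    = @(& $newAce ([System.DirectoryServices.ActiveDirectoryRights]'Delete') $Deny)
$openParent   = @(& $newAce $DeleteChild $Allow)

[pscustomobject]@{ Object = 'protected OU (constructed)'; Check = 'Deny SDDT';        Pass = Test-DenyEveryone $protectedOu $SDDT }
[pscustomobject]@{ Object = 'partial OU (constructed)';   Check = 'Deny SDDT';        Pass = Test-DenyEveryone $partialOu   $SDDT }
[pscustomobject]@{ Object = 'parent (constructed)';       Check = 'Deny DeleteChild'; Pass = Test-DenyEveryone $openParent  $DeleteChild }

# Against a live domain (assumes the ActiveDirectory module and its AD: drive):
#   Import-Module ActiveDirectory
#   $acl = Get-Acl -Path 'AD:\OU=Company Users,DC=mydomain,DC=com'
#   Test-DenyEveryone -Rules $acl.Access -Required $SDDT
```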
Good luck!