With each new version of the Windows Server operating system there are new possibilities for automation to help make the administrator’s job easier. Automation brings increased efficiencies but also brings the possibility of bigger mistakes. Additionally, no amount of automation can protect us against human error. This is very true when working with Active Directory.
When working with Active Directory, it is possible to include an extra account in a deletion, or to get distracted and select the wrong account to delete. Good administrators will double-check everything and have procedures to ensure this sort of thing does not happen. Even so, eventually a mistake is made and the wrong account is deleted. There is another scenario, where the deletion is a deliberate and malicious action. This case is more difficult to guard against: if you do not trust your administrators, who can you trust?
It would be better if the system prevented this sort of mistake in the first place. It is possible to use delegation of permissions in Active Directory to control who has permission to delete accounts. However this is performed, at some point one or more administrators will have the permissions to perform a delete. There is a small but finite chance that at some stage a mistake will be made and an account will be deleted that should not have been.