Can't delete OU from AD, IsCriticalSystemObject attribute TRUE - cannot change

I recently took over a contract for a customer where the previous IT apparently did a half-ass job of migrating from SBS Server to Server 2016.

In AD there's an OU called MyBusiness which has two subfolders: SBSComputers and SBSUsers. I've moved all of the computers out of SBSComputers to the top level Computers OU and the same for SBSUsers. The folders are empty.

Now I'm trying to delete the two OU's but they have the isCriticalSystemObject attribute set as TRUE. When I try to set the attribute to FALSE I get the following error:

Operation failed. Error code: 0x2077
Illegal modify operation. Some aspect of the modification is not permitted.
00002077: SvcErr: DSID-03190CD8, problem 5003 (WILL_NOT_PERFORM), data 0


Thanks for any help guys, pulling my hair out with this one!


Solution 1:

Now I'm trying to delete the two OU's but they have the isCriticalSystemObject attribute set as TRUE.

This is because those are the default locations for new computer and user objects in an SBS domain. The fact that you've removed SBS doesn't change the fact that this was set automatically by the SBS install when the domain was created. If you want to delete those OU's then you'll need to change the default location for new computer and user objects.

http://www.expta.com/2009/03/changing-default-users-and-computers.html

Solution 2:

You have to (re)set the default location for new user/computer objects added to the domain to another container/OU.

Set the OU/CN for new computers

C:\> redircmp OU=NewComputerOU,DC=domain,dc=tld

Set the OU/CN for new users

C:\> redirusr OU=NeueBenutzerOU,DC=domain,dc=tld

After that change was replicated, the old OUs can be deleted.
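
A read-only check for the "after that change was replicated" step, added here as an example and not part of either answer: it asks every domain controller where it currently places new computer and user objects and confirms the old SBS OUs are empty. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU paths combine the OU names from the question with the placeholder domain DC=domain,DC=tld from Solution 2.

```powershell
# Read-only: nothing in the directory is modified by this script.
Import-Module ActiveDirectory

# Old SBS OUs from the question; DC=domain,DC=tld is a placeholder, replace it.
$oldOUs = @(
    'OU=SBSComputers,OU=MyBusiness,DC=domain,DC=tld',
    'OU=SBSUsers,OU=MyBusiness,DC=domain,DC=tld'
)

# Ask each domain controller for its own view of the default containers.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $d = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC                 = $dc.HostName
            ComputersContainer = $d.ComputersContainer
            UsersContainer     = $d.UsersContainer
            StillOldOU         = ($oldOUs -contains $d.ComputersContainer) -or
                                 ($oldOUs -contains $d.UsersContainer)
        }
    } catch {
        # A DC that cannot be queried is treated as not yet confirmed.
        [pscustomobject]@{
            DC                 = $dc.HostName
            ComputersContainer = $null
            UsersContainer     = $null
            StillOldOU         = $true
        }
    }
}
$report | Format-Table -AutoSize

# Confirm the old OUs really are empty before attempting to delete them.
foreach ($ou in $oldOUs) {
    $children = @(Get-ADObject -SearchBase $ou -SearchScope OneLevel -Filter *)
    '{0}: {1} child object(s)' -f $ou, $children.Count
}

if ($report.StillOldOU -contains $true) {
    Write-Warning 'At least one DC still uses an old SBS OU as a default container, or could not be queried.'
} else {
    'All DCs report new default containers.'
}
```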