There is a setting in AD called "Protect object from accidental deletion" that is meant to do what it says, keep Admins from doing an oops (or an oh s*** perhaps?). It works not by setting a detectable attribute value, but by placing special deny access rights on the object.

We have a need to detect this so the AD Driver does not try to delete them. This is mainly to prevent false errors, as it should not be able to be deleted even by the driver. Even PowerShell is supposed to be unable to delete. But there is a need to delete unused accounts automatically, and it would be nice to know who to skip.

Is it possible to read ACLs of an AD Object and find the specific ones mentioned in the URL? It would be better to detect it up front than to try to figure out if the error returned is valid, or indicates a problem deleting a user who should be deletable (is that a word?).
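One way to detect the protection up front, as an added PowerShell example (not the poster's code and not part of the AD Driver): it reads the object's DACL and looks for the explicit Deny ACE that the checkbox sets, and it assumes the RSAT ActiveDirectory module plus a placeholder OU distinguished name.

```powershell
# Added example; assumes the RSAT ActiveDirectory module (AD: PSDrive) and that the
# caller can read the security descriptor of the objects being checked.
Import-Module ActiveDirectory

function Test-ProtectedFromDeletion {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # "Protect object from accidental deletion" is not an attribute; it is an explicit
    # Deny ACE for Everyone (well-known SID S-1-1-0) carrying both Delete and
    # DeleteTree on the object itself. Read the DACL and look for exactly that.
    $acl    = Get-Acl -Path "AD:\$DistinguishedName"
    $needed = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne 'S-1-1-0') { continue }
        # Both rights must be denied; a deny of only one is some other ACE, not the checkbox.
        if (($ace.ActiveDirectoryRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

# Report every object directly under an OU with both the explicit ACL check and the
# module's computed ProtectedFromAccidentalDeletion property, which is derived from the
# same ACEs, so a cleanup job can skip the protected ones instead of failing on them.
$ou = 'OU=Stale Accounts,DC=example,DC=com'   # placeholder, replace with a real OU

Get-ADObject -SearchBase $ou -SearchScope OneLevel -Filter * `
             -Properties ProtectedFromAccidentalDeletion |
  ForEach-Object {
    [pscustomobject]@{
        DistinguishedName = $_.DistinguishedName
        ProtectedByAcl    = Test-ProtectedFromDeletion -DistinguishedName $_.DistinguishedName
        ProtectedByModule = $_.ProtectedFromAccidentalDeletion
    }
  } | Format-Table -AutoSize
```

Objects where ProtectedByAcl is true should be left out of the driver's delete list; if the two columns ever disagree, the ACE is non-standard and worth a manual look before any delete is attempted.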