restore ad objects

Nitzan Kravzov 5 Reputation points
2025-03-03T11:54:43.9533333+00:00

Hello,

How do I delegate permission to a domain user to restore objects from AD?

I used the following command:

dsacls dc=<your domain>,dc=<com> /g "restore_objects:ca;Reanimate Tombstones"

dsacls "cn=deleted objects,dc=<your domain>,dc=<com>" /takeownership

dsacls "cn=deleted objects,dc=<your domain>,dc=<com>" /g "restore_objects:LCRP"

https://nettools.net/how-to-delegate-object-restoration-rights/

Domain admins are able to restore objects.

Domain users in the group restore_objects are able to restore objects from the recycle bin only if the object is in an OU where "Protected from accidental deletion" is unchecked; otherwise they receive the error "access is denied".

Thanks


1 answer

  1. Anonymous
    2025-03-25T09:13:54.9566667+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    In order to allow a standard user to restore AD objects, the following permissions are required:

    1. Delegated User/group must have “Create” and “Delete” access on desired OU for user and computer descendant objects.
    2. Delegate “Reanimate Tombstones” access to the delegated user/group.
    3. The same delegated user/group should also have “Read Property” and “List” access on the Deleted Objects container in the domain naming context.

    I hope the information above is helpful.

    Best regards

    Zunhui

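The three permissions listed in the answer, applied with the ActiveDirectory PowerShell module and dsacls, as an added example that is not part of the answer, the question, or the linked nettools article. It assumes the delegated group is named restore_objects (as in the question) and uses a placeholder OU and domain (OU=Staff,DC=example,DC=com); the Deleted Objects step reuses the question's own dsacls commands. It is meant to be run on a domain-joined machine as a Domain Admin.

```powershell
# Added example (not from the answer above): grant the three permissions the
# answer lists, using the ActiveDirectory module and dsacls. Run as a Domain Admin.
# Assumptions (placeholders): the delegated group is "restore_objects" and the
# target OU is "OU=Staff,DC=example,DC=com".
Import-Module ActiveDirectory

$groupName = 'restore_objects'                 # delegated group (placeholder)
$targetOU  = 'OU=Staff,DC=example,DC=com'      # OU whose users/computers may be restored (placeholder)

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$groupSid  = (Get-ADGroup -Identity $groupName).SID
$rootDse   = Get-ADRootDSE

# Resolve the schema GUIDs for the "user" and "computer" classes, so the
# Create/Delete rights apply only to those child object types.
$classGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=computer))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classGuid[$_.lDAPDisplayName] = [System.Guid]::new([byte[]]$_.schemaIDGUID) }

# Resolve the extended-right GUID for "Reanimate Tombstones" from the
# configuration partition instead of hard-coding it.
$reanimate = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reanimate Tombstones)' -Properties rightsGuid
$reanimateGuid = [System.Guid]$reanimate.rightsGuid

function New-AdAce {
    param($Rights, [guid]$ObjectType, $Inheritance)
    # Helper that builds an Allow ACE for the delegated group.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance)
}

# Step 1: Create/Delete child rights on the OU, scoped to user and computer objects.
$ouAcl = Get-Acl -Path "AD:\$targetOU"
foreach ($class in 'user', 'computer') {
    $ouAcl.AddAccessRule((New-AdAce -Rights 'CreateChild, DeleteChild' -ObjectType $classGuid[$class] -Inheritance 'All'))
}
Set-Acl -Path "AD:\$targetOU" -AclObject $ouAcl

# Step 2: "Reanimate Tombstones" control access right on the domain naming context.
$domainAcl = Get-Acl -Path "AD:\$domainDN"
$domainAcl.AddAccessRule((New-AdAce -Rights 'ExtendedRight' -ObjectType $reanimateGuid -Inheritance 'None'))
Set-Acl -Path "AD:\$domainDN" -AclObject $domainAcl

# Step 3: List Contents (LC) and Read Property (RP) on the Deleted Objects container.
# Ownership is taken first, as the question's dsacls commands do, because the
# container's default ACL is restricted.
$deletedObjects = "CN=Deleted Objects,$domainDN"
dsacls $deletedObjects /takeownership | Out-Null
dsacls $deletedObjects /G "$($domain.NetBIOSName)\${groupName}:LCRP" | Out-Null

# Verification: list every ACE that now names the delegated group on the three objects.
foreach ($dn in $targetOU, $domainDN) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object @{n='Object';e={$dn}}, ActiveDirectoryRights, ObjectType, InheritanceType
}
dsacls $deletedObjects | Select-String -Pattern $groupName
```

Step 1 must be repeated for every OU that the group should be able to restore objects into, since the Create/Delete rights are scoped to that OU's subtree; steps 2 and 3 are domain-wide and only need to be done once. Because "Reanimate Tombstones" on the naming context lets the holder resurrect any deleted object in the domain, the verification output is worth keeping, and the group's membership should be reviewed like any other privileged group.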
