
Let nonadministrators view the contents of the Active Directory deleted objects container

This article explains how to change permissions so that nonadministrators can view the Active Directory deleted objects container.

Original KB number:   892806

Summary

Active Directory Domain Services (AD DS) temporarily stores deleted objects in a hidden "Deleted Objects" container. By default, only the System account and members of the Administrators group can view the contents of this container. For example, Administrators can view the contents of the deleted objects container by using the LDAP_SERVER_SHOW_DELETED_OID LDAP control or the Windows PowerShell Get-ADObject cmdlet.

This article discusses how to add read permissions on the deleted objects container. You might have to add read permissions on the deleted objects container under the following conditions:

  • You have enterprise applications or services that use non-System accounts or non-Administrator accounts to bind to Active Directory.
  • These enterprise applications or services poll for directory changes.

More information

When you delete an AD DS object, Active Directory moves the object to the deleted objects container. The object remains in the container for a specified period (tombstoneLifetime if the AD Recycle Bin isn't enabled; tombstoneLifetime plus msDS-DeletedObjectLifetime if the AD Recycle Bin is enabled). This period allows time for the deletion to replicate to other domain controllers (DCs).

Example: View deleted objects

A member of the Administrators group can use the following Windows PowerShell command to view the contents of the deleted objects container:

Get-ADObject -Filter {Deleted -eq $True} -IncludeDeletedObjects

This command lists the objects that are currently in the container:

Deleted           : True
DistinguishedName : CN=Deleted Objects,DC=contoso,DC=com
Name              : Deleted Objects
ObjectClass       : container
ObjectGUID        : 280e5943-08cf-498d-b3f1-19a812d07efd

Deleted           : True
DistinguishedName : DC=..Deleted-_msdcs.contoso.com\0ADEL:f6eb3fb7-597a-458b-8b74-2a46066be220,CN=Deleted
                    Objects,DC=contoso,DC=com
Name              : ..Deleted-_msdcs.contoso.com
                    DEL:f6eb3fb7-597a-458b-8b74-2a46066be220
ObjectClass       : dnsZone
ObjectGUID        : f6eb3fb7-597a-458b-8b74-2a46066be220

Deleted           : True
DistinguishedName : DC=@\0ADEL:8daacf6e-12ab-4f5d-b95c-ec834d490580,CN=Deleted Objects,DC=contoso,DC=com
Name              : @
                    DEL:8daacf6e-12ab-4f5d-b95c-ec834d490580
ObjectClass       : dnsNode
ObjectGUID        : 8daacf6e-12ab-4f5d-b95c-ec834d490580

Grant read permissions to the deleted objects container

To modify the permissions on the deleted objects container so that nonadministrators can view this information, use the DSACLS.exe tool. Follow these steps:

  1. Sign in to a DC by using a user account that is a member of the Domain Admins group.

  2. Open an administrative Command Prompt window, and then run a command that resembles the following example:

    dsacls "CN=Deleted Objects,DC=contoso,DC=com" /takeownership
    

    Note

    In this command, CN=Deleted Objects,DC=Contoso,DC=com is the distinguished name (DN) of the deleted objects container for the contoso.com domain. Each domain in the forest has its own deleted objects container.

    This command generates output that resembles the following example:

    Owner: Contoso\Domain Admins  
    Group: NT AUTHORITY\SYSTEM  
    Access list:  
    {This object is protected from inheriting permissions from the parent}  
    Allow BUILTIN\Administrators SPECIAL ACCESS  
       LIST CONTENTS  
       READ PROPERTY  
    Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS  
       DELETE  
       READ PERMISSIONS  
       WRITE PERMISSIONS  
       CHANGE OWNERSHIP  
       CREATE CHILD  
       DELETE CHILD  
       LIST CONTENTS  
       WRITE SELF  
       WRITE PROPERTY  
       READ PROPERTY  
    The command completed successfully
    
  3. To grant a security principal permission to view the objects in the deleted objects container, run a command that resembles the following command:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /g CONTOSO\EricLang:LCRP
    

    Note

    In this command, CONTOSO\EricLang represents the security principal to which you want to grant access, and LCRP represents the permissions that you want to grant (List Children and Read Property).

    This command generates output that resembles the following example:

    Owner: CONTOSO\Domain Admins  
    Group: NT AUTHORITY\SYSTEM  
    Access list:  
    {This object is protected from inheriting permissions from the parent}  
    Allow BUILTIN\Administrators SPECIAL ACCESS  
       LIST CONTENTS  
       READ PROPERTY  
    Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS  
       DELETE  
       READ PERMISSIONS  
       WRITE PERMISSIONS  
       CHANGE OWNERSHIP  
       CREATE CHILD  
       DELETE CHILD  
       LIST CONTENTS  
       WRITE SELF  
       WRITE PROPERTY  
       READ PROPERTY  
    Allow CONTOSO\EricLang SPECIAL ACCESS  
       LIST CONTENTS  
       READ PROPERTY  
    The command completed successfully
    

In this example, the user ("CONTOSO\EricLang") can view the contents of the deleted objects container, but can't make any changes to objects in the container. These permissions are equivalent to the default permissions that are granted to the Administrators group.
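The following script is an added example, not part of the original article. It serves two purposes: it reproduces the "View deleted objects" query from the example above by sending the LDAP_SERVER_SHOW_DELETED_OID control (1.2.840.113556.1.4.417) directly over LDAP with System.DirectoryServices.Protocols, which is the control that Get-ADObject -IncludeDeletedObjects sends on your behalf, and it then reads the container's owner and DACL and lists every principal that holds List Children plus Read Property, so that you can confirm a dsacls grant like the one in step 3 took effect and notice any account that should not have that access. The DC name dc01.contoso.com, the helper function New-DeletedObjectsSearch and the LDAP_SERVER_SD_FLAGS_OID value (1.2.840.113556.1.4.801, encoded to request owner and DACL only) are assumptions of this example; the container DN is the one used throughout the article.

```powershell
# Added example (not from the original article). Assumes: domain contoso.com,
# a reachable DC named dc01.contoso.com, and a caller that already holds
# LC + RP on the container (Administrators by default, or a principal granted
# access with dsacls as in step 3).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'dc01.contoso.com'                     # assumed DC name
$ContainerDn = 'CN=Deleted Objects,DC=contoso,DC=com' # container from the article

$ShowDeletedOid = '1.2.840.113556.1.4.417'   # LDAP_SERVER_SHOW_DELETED_OID
$SdFlagsOid     = '1.2.840.113556.1.4.801'   # LDAP_SERVER_SD_FLAGS_OID
# BER-encoded SEQUENCE { INTEGER 5 }: OWNER_SECURITY_INFORMATION (1) +
# DACL_SECURITY_INFORMATION (4). Not asking for the SACL means the read does
# not require SeSecurityPrivilege, so a non-admin reader can run this too.
$SdFlagsOwnerDacl = [byte[]](0x30, 0x03, 0x02, 0x01, 0x05)

# Helper (assumed name): builds a search request that carries the show-deleted
# control. Without that control the server hides tombstones from every caller.
function New-DeletedObjectsSearch {
    param([string]$BaseDn, [string]$Filter, [string[]]$Attributes)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, $Filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.DirectoryControl(
        $ShowDeletedOid, $null, $true, $true)))
    return $req
}

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.Signing = $true   # require LDAP signing and sealing
$conn.SessionOptions.Sealing = $true
$conn.Bind()                           # current user's credentials (Negotiate)
try {
    # (1) Enumerate tombstones: the same result set as the Get-ADObject example.
    $req = New-DeletedObjectsSearch -BaseDn $ContainerDn -Filter '(isDeleted=TRUE)' `
        -Attributes @('objectClass', 'lastKnownParent', 'whenChanged')
    $resp = $conn.SendRequest($req)
    "Deleted objects visible to the caller: $($resp.Entries.Count)"
    foreach ($e in $resp.Entries) {
        [pscustomobject]@{
            DistinguishedName = $e.DistinguishedName
            ObjectClass       = ($e.Attributes['objectClass'].GetValues([string]))[-1]
            LastKnownParent   = $e.Attributes['lastKnownParent'][0]
        }
    }

    # (2) Read owner + DACL of the container itself (Base scope) with the
    #     SD-flags control so only owner and DACL are requested.
    $req = New-DeletedObjectsSearch -BaseDn $ContainerDn -Filter '(objectClass=*)' `
        -Attributes @('nTSecurityDescriptor')
    $req.Scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.DirectoryControl(
        $SdFlagsOid, $SdFlagsOwnerDacl, $true, $true)))
    $sdBytes = $conn.SendRequest($req).Entries[0].Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($sdBytes)
    "Owner: $($sd.GetOwner([System.Security.Principal.NTAccount]))"

    $LC = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    $RP = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    # GenericRead and GenericAll set both bits as well, so they are reported too.
    $readers = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band $LC) -ne 0 -and
            ([int]$_.ActiveDirectoryRights -band $RP) -ne 0
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
    "Principals that can list and read the container:"
    $readers | Format-Table -AutoSize
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # A caller without LC/RP on the container usually sees an LDAP error
    # (or an empty result) here; that is the condition the procedure above fixes.
    Write-Warning "LDAP request failed: $($_.Exception.Response.ResultCode) - $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

Run the script once before and once after the dsacls grant: the second run should show the new principal in the readers list with exactly ListChildren, ReadProperty (matching the LIST CONTENTS and READ PROPERTY lines in the dsacls output), and nothing else on the container should have changed. Because the container is protected from inheritance, every ACE reported is an explicit one, which makes it a useful periodic check for access that was granted and never revoked.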
