User access to deleted objects container

a1 26 Reputation points
2023-11-13T18:37:05.0766667+00:00

Hey all,

My question is about the Deleted Objects container.

Is it possible to check if certain user has permission to read information from deleted objects container on Active Directory using LDAP and ADSI (in case that I don't have a domain admin account)?

Because as far as I tested, it seems like if the user doesn't have permissions, the LDAP search query returns 0 objects from the Deleted Objects container, thus I can't understand if it's a permissions issue or the container is empty.

And more generally, is it possible to check if a user has permissions to read all objects from the domain, using an LDAP query, in case that I don't have a domain admin account?

Thank you for your help :)


2 answers

  1. Manish Tiwari 180 Reputation points
    2023-11-14T08:05:02.6566667+00:00

    Your question about checking a user's permissions to access the Deleted Objects container in Active Directory (AD) without domain admin privileges involves a couple of challenges. Here are some considerations and possible approaches:

    Understanding Deleted Objects Container Access:

    • By default, only members of the Domain Admins or Enterprise Admins groups have access to the Deleted Objects container in AD. Other users do not have permission to view this container unless explicitly granted.

    Using LDAP and ADSI to Check Access:

    • You can use LDAP and ADSI scripts or queries to check the permissions, but these scripts will only be effective if the executing account has sufficient permissions to view the ACLs (Access Control Lists) of the objects in question.
    • Without domain admin privileges, you might not be able to retrieve detailed ACL information for certain objects, including the Deleted Objects container.

    Checking for Deleted Objects:

    • If you're getting zero objects from an LDAP query against the Deleted Objects container, it could indeed be due to either the container being empty or lack of permissions. Without appropriate access, it's challenging to distinguish between these two scenarios.

    Checking General Read Permissions:

    • To check if a user has read permissions on all objects in the domain, you can attempt an LDAP search query for a broad range of objects. However, this method is not foolproof as it does not explicitly check permissions but rather infers them based on the success or failure of the query.

    Scripting Approach:

    • You might consider writing a script that attempts to read properties of various objects across different OUs in the domain. This can give you a general sense of the access level of the user account under which the script is running.

    Event Logs and Auditing:

    • If AD auditing is enabled, you could check the security logs on the domain controllers to see if any access denied errors are logged when the queries are made. This requires access to the logs, which might not be available without admin rights.

    Asking for Admin Assistance:

    • The most straightforward approach would be to ask a domain administrator to check the ACLs for you or provide a report on the permissions of the user account in question.

  2. Gary Reynolds 9,416 Reputation points
    2023-11-15T09:43:55.5566667+00:00

    Have a look at this article which explains how to delegate the permissions to restore objects: https://nettools.net/how-to-delegate-object-restoration-rights/. Also have a look at this article which lets you see the effective rights of a user: https://nettools.net/how-to-find-active-directory-effective-rights/. Also remember that to see deleted objects using LDAP you need to include the LDAP_SERVER_SHOW_DELETED_OID control in the query, see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c5e87db-4728-4f29-b164-01dd7d7391ea?redirectedfrom=MSDN

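As an added example (not code from either answer), the following PowerShell script shows one way to tell "no access" apart from "empty" with ADSI: the Deleted Objects container object always exists in a domain naming context and is itself flagged isDeleted, so a base-scope search for it (with the show-deleted control, which DirectorySearcher adds via its Tombstone property) that returns nothing means the caller cannot read the container, not that it is empty. It assumes a domain-joined machine, that the script runs as the user being tested, and the function name Test-DeletedObjectsAccess is my own.

```powershell
# Added example: distinguish "cannot read the Deleted Objects container" from
# "container is empty" using System.DirectoryServices (ADSI) as the current user.
Add-Type -AssemblyName System.DirectoryServices

function Test-DeletedObjectsAccess {
    param([string]$ContainerDn)

    # Step 1: base-scope search for the container object itself.
    # The container always exists, so "no result" here is a permissions problem.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ContainerDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Tombstone   = $true      # sends LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417)
    $searcher.Filter      = "(objectClass=*)"
    [void]$searcher.PropertiesToLoad.Add("isDeleted")

    try {
        $self = $searcher.FindOne()
    } catch [System.DirectoryServices.DirectoryServicesCOMException] {
        # AD hides objects the caller cannot read; the usual symptom is
        # "There is no such object on the server" rather than "access denied".
        return "NoAccess: $($_.Exception.Message)"
    }
    if ($null -eq $self) { return "NoAccess: container not visible to this account" }

    # Step 2: the container is readable, so enumerate its children.
    # An empty result here genuinely means no deleted objects are visible.
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = "(isDeleted=TRUE)"
    $children = $searcher.FindAll()
    return "Readable: $($children.Count) deleted object(s) visible"
}

# Resolve the domain NC from RootDSE (readable by any authenticated user) and run the check.
$rootDse   = [ADSI]"LDAP://RootDSE"
$deletedDn = "CN=Deleted Objects,$($rootDse.defaultNamingContext.Value)"
Test-DeletedObjectsAccess -ContainerDn $deletedDn
```

Note that even a readable container only shows the deleted objects the account is allowed to see; an object count lower than what an administrator sees still points at per-object ACLs, which the effective-rights article linked above covers.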
