Your question about checking a user's permissions to access the Deleted Objects container in Active Directory (AD) without domain admin privileges involves a couple of challenges. Here are some considerations and possible approaches:
Understanding Deleted Objects Container Access:
- By default, only members of the Domain Admins or Enterprise Admins groups have access to the Deleted Objects container in AD. Other users do not have permission to view this container unless explicitly granted.
Using LDAP and ADSI to Check Access:
- You can use LDAP and ADSI scripts or queries to check the permissions, but these scripts will only be effective if the executing account has sufficient permissions to view the ACLs (Access Control Lists) of the objects in question.
- Without domain admin privileges, you might not be able to retrieve detailed ACL information for certain objects, including the Deleted Objects container.
Checking for Deleted Objects:
- If you're getting zero objects from an LDAP query against the Deleted Objects container, it could be because the container is empty or because the account lacks permission: AD silently omits objects the caller cannot read rather than returning an access-denied error, so without appropriate access it is difficult to distinguish between the two cases.
Checking General Read Permissions:
- To check whether a user has read permissions on all objects in the domain, you can run a broad LDAP search and see what comes back. This method is not foolproof, because it does not explicitly check permissions; it only infers them from whether the query returns the objects you expect.
- You might consider writing a script that attempts to read properties of various objects across different OUs in the domain. This can give you a general sense of the access level of the user account under which the script is running.
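As an added example (not part of the original answer), the probe below combines the two ideas above: it tries to read the Deleted Objects container's own DACL and compares the ACEs against the SIDs of the account running the script, then counts what a one-level search actually returns. It assumes the RSAT ActiveDirectory module is installed and a domain controller is reachable; the function name `Test-DeletedObjectsAccess` is my own.

```powershell
# Added example: probe the current account's access to CN=Deleted Objects.
# Assumes the ActiveDirectory (RSAT) module and a reachable domain controller.
Import-Module ActiveDirectory

function Test-DeletedObjectsAccess {
    $dnc = (Get-ADRootDSE).defaultNamingContext
    $containerDn = "CN=Deleted Objects,$dnc"
    $report = [ordered]@{ Container = $containerDn }

    # SIDs the running account carries: its user SID plus all token group SIDs.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User) + @($me.Groups)

    # Step 1: is the container object itself visible to us? Without List Contents /
    # Read rights AD simply does not return it, so the lookup fails (no "access denied").
    try {
        $container = Get-ADObject -Identity $containerDn -IncludeDeletedObjects `
            -Properties nTSecurityDescriptor -ErrorAction Stop
        $report.ContainerVisible = $true
    } catch {
        $report.ContainerVisible = $false
        $report.Note = "Container not returned ($($_.Exception.Message)): " +
                       "either not readable by this account or it does not exist."
        return [pscustomobject]$report
    }

    # Step 2: the DACL only comes back if we hold READ_CONTROL on the container.
    $acl = $container.nTSecurityDescriptor
    if ($null -eq $acl) {
        $report.DaclReadable = $false
    } else {
        $report.DaclReadable = $true
        # Simplified check: look for Allow ACEs granting List Contents to one of our SIDs.
        # (Deny ACEs and inheritance subtleties are not fully evaluated here.)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $applicable = @($rules | Where-Object { $mySids -contains $_.IdentityReference })
        $report.ApplicableAces = $applicable |
            Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
        $listBit = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
        $report.HasListContents = [bool]($applicable | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $listBit) -ne 0) })
    }

    # Step 3: what a one-level search returns; 0 here is ambiguous on its own.
    $deleted = @(Get-ADObject -SearchBase $containerDn -SearchScope OneLevel `
        -Filter * -IncludeDeletedObjects -ErrorAction SilentlyContinue)
    $report.ObjectsReturned = $deleted.Count
    [pscustomobject]$report
}

Test-DeletedObjectsAccess | Format-List
```

If ContainerVisible is false or DaclReadable is false, the zero-result query in the original question cannot be interpreted from this account; that is the point at which you need an administrator to read the ACL for you.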
Event Logs and Auditing:
- If AD auditing is enabled, you could check the security logs on the domain controllers to see whether any access-denied events are recorded when the queries are made. This requires access to the logs, which might not be available without admin rights.
Asking for Admin Assistance:
- The most straightforward approach would be to ask a domain administrator to check the ACLs for you or provide a report on the permissions of the user account in question.