Delegation of Active Directory Recycle Bin

While working on an AD 2008 R2 upgrade project, I was asked by my customer whether Active Directory Recycle Bin could be delegated. They already had a delegated OU administration model for managing accounts, and wanted it to also include the recovery of deleted objects. I did some research and found a vague reference that AD RB could be delegated, but no specific information on how to actually do it. In fact, the general consensus was that Domain Admin was the minimum permission required to restore deleted objects and that AD RB delegation wasn't possible. So, I decided to experiment in my lab and discovered a relatively simple way to delegate the recovery of deleted objects...

  • Logon as Domain Admin and take ownership of the Deleted Objects container:
    dsacls "CN=Deleted Objects,DC=domain,DC=com" /takeownership
  • Grant the delegated user/group permissions (List Contents, Read Property, Write Property) to view and restore deleted objects:
    dsacls "CN=Deleted Objects,DC=domain,DC=com" /g domain\accountname:LCRPWP
  • Using ADUC, grant the user/group the right to reanimate tombstones:
    • Right-click the domain root and select Properties
    • On the Security tab, click Advanced
    • Click Add and select the user/group account
    • Allow the Reanimate Tombstones permission and click OK
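The same three steps as a PowerShell script, added here as an example and not part of the original post. It assumes the ActiveDirectory module (AD: drive) is available, that it runs as Domain Admin, and that the delegated group is named DOMAIN\ADRB-Operators (a placeholder); the Reanimate Tombstones step is done with Set-Acl instead of the ADUC GUI, and the right's GUID is read from the schema rather than hardcoded.

```powershell
# Added example: delegate AD Recycle Bin recovery without using the ADUC GUI.
Import-Module ActiveDirectory

$Delegate  = 'DOMAIN\ADRB-Operators'          # placeholder: the delegated group
$domainDN  = (Get-ADDomain).DistinguishedName
$deletedDN = "CN=Deleted Objects,$domainDN"

# Step 1 and 2 (same dsacls calls as the post): take ownership of the
# Deleted Objects container, then grant List Contents / Read / Write Property.
& dsacls.exe $deletedDN /takeownership | Out-Null
& dsacls.exe $deletedDN /g "${Delegate}:LCRPWP" | Out-Null

# Step 3: Reanimate Tombstones is a control access right (extended right) on
# the domain root. Look up its rightsGuid under CN=Extended-Rights so the
# script does not depend on a hardcoded GUID.
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reanimate-Tombstones)' -Properties rightsGuid
if (-not $right) { throw 'Reanimate-Tombstones extended right not found in schema' }
$rightGuid = [guid]$right.rightsGuid

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow ExtendedRight limited to this one objectType GUID, on the root only
# (inheritance None): the delegate gets reanimation, not a blanket extended right.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check: the new ACE should be the only one carrying this right's GUID for $sid.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and $_.IdentityReference -eq $Delegate } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType

# What the delegate will see; restoring still needs rights on lastKnownParent.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object Name, lastKnownParent
```

A delegate then restores with Restore-ADObject, which succeeds only where the group already holds create rights on the object's lastKnownParent OU, matching the behaviour described in the notes below.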

A couple of additional notes worth mentioning…

Delegated permissions only seem to apply to objects deleted after configuration; objects deleted before configuration must be restored by Domain Admin. Also, delegated administrators must have permissions on the source/target OU where deleted objects will be restored. In my customer's case, they already had a well-defined OU administration model. So, while all delegated administrators could view AD RB, they could only restore objects deleted from their own OU. Perfect!

RjZ