A.0 Changing Permissions on the CN=Deleted Objects Container

When an Active Directory object is deleted, a small portion of the object remains for a specified time so that other domain controllers that are replicating changes become aware of the deletion. By default, only the System account and members of the Administrators group can view the contents of this container. This section describes how to modify the permissions on the CN=Deleted Objects container.

Changing permissions on the Deleted Objects container might be necessary if you have enterprise applications or services that bind to Active Directory with a non-System or non-Admin account and poll for directory changes.

This process requires dscals.exe from the Active Directory Application Mode (ADAM) package. This version is an upgrade from the one in the Windows Server 2003 Support Tools and now supports the required capabilities. The ADAM Administration Tools are supported on Windows XP Professional, Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition.

To get and install the ADAM Administration Tools:

  1. From the ADAM Web page, download the ADAM retail package.

  2. Double-click the downloaded file and provide a directory to extract the archive into.

  3. Launch the Active Directory Application Mode Setup Wizard by double-clicking adamsetup.exe, then click Next.

  4. Review and accept the license terms, then click Next.

  5. Select ADAM administration tools only, then click Next.

  6. Review the selections, then click Next.

  7. When Setup has concluded, click Finish.

After the ADAM Administration Tools are installed, modify the permissions on the CN=Deleted Objects container:

  1. Log in with a user account that is a member of the Domain Admins group.

  2. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.

  3. At the command prompt, enter the following command:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership
    

    Substitute the distinguished name of the Deleted Objects container for your own domain.

    Each domain in the forest will have its own Deleted Objects container.

    The following output should be displayed:

    Owner: Contoso\Domain Admins
      Group: NT AUTHORITY\SYSTEM
      Access list:
      {This object is protected from inheriting permissions from the parent}
      Allow BUILTIN\Administrators  SPECIAL ACCESS
                                  LIST CONTENTS
                                  READ PROPERTY
      Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                                  DELETE
                                  READ PERMISSONS
                                  WRITE PERMISSIONS
                                  CHANGE OWNERSHIP
                                  CREATE CHILD
                                  DELETE CHILD
                                  LIST CONTENTS
                                  WRITE SELF
                                  WRITE PROPERTY
                                  READ PROPERTY
    The command completed successfully
    
  4. To grant a security principal permission to view the objects in the CN=Deleted Objects container, enter the following command:

    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /g CONTOSO\JaneDoe:LCRP
    

    In this example, the user CONTOSO\JaneDoe has been granted List Contents and Read Property permissions on the container. These permissions are sufficient to allow the user to view the contents of the Deleted Objects container. However, these permissions don’t allow the user to make any changes to objects in that container. These permissions are equivalent to the default permissions granted to the Administrators group. By default, only the System account has permission to modify objects in the Deleted Objects container.

    The following output should be displayed:

      Owner: CONTOSO\Domain Admins
    Group: NT AUTHORITY\SYSTEM
      Access list:
      {This object is protected from inheriting permissions from the parent}
      Allow BUILTIN\Administrators  SPECIAL ACCESS
                                  LIST CONTENTS
                                  READ PROPERTY
    Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                                  DELETE
                                  READ PERMISSONS
                                  WRITE PERMISSIONS
                                  CHANGE OWNERSHIP
                                  CREATE CHILD
                                  DELETE CHILD
                                  LIST CONTENTS
                                  WRITE SELF
                                  WRITE PROPERTY
                                  READ PROPERTY
    Allow CONTOSO\JaneDoe         SPECIAL ACCESS
                                  LIST CONTENTS
                                  READ PROPERTY
    The command completed successfully.
    

    The user CONTOSO\JaneDoe now has permissions to view deleted objects in the CONTOSO domain.