When an Active Directory object is deleted, a small portion of the object remains for a specified time so that other domain controllers that are replicating changes become aware of the deletion. By default, only the System account and members of the Administrators group can view the contents of this container. This section describes how to modify the permissions on the CN=Deleted Objects container.
Changing permissions on the Deleted Objects container might be necessary if you have enterprise applications or services that bind to Active Directory with a non-System or non-Admin account and poll for directory changes.
This process requires dsacls.exe from the Active Directory Application Mode (ADAM) package. This version is an upgrade from the one in the Windows Server 2003 Support Tools and now supports the required capabilities. The ADAM Administration Tools are supported on Windows XP Professional, Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition.
To get and install the ADAM Administration Tools:
1. From the ADAM Web page, download the ADAM retail package.
2. Double-click the downloaded file and provide a directory that the archive will be extracted into.
3. Launch the Active Directory Application Mode Setup Wizard by double-clicking adamsetup.exe, then click Next.
4. Review and accept the license terms, then click Next.
5. Select ADAM administration tools only, then click Next.
6. Review the selections, then click Next.
7. When Setup has concluded, click Finish.
After the ADAM Administration Tools are installed, modify the permissions on the CN=Deleted Objects container:
1. Log on with a user account that is a member of the Domain Admins group.
2. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.
3. In the Command Prompt, type the following command:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership
Substitute the distinguished name of the Deleted Objects container in your own domain. Each domain in the forest has its own Deleted Objects container.
The following output should be displayed:
Owner: Contoso\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
The command completed successfully
To grant a security principal permission to view the objects in the CN=Deleted Objects container, enter the following command:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /g CONTOSO\JaneDoe:LCRP
In this example, the user CONTOSO\JaneDoe has been granted List Contents and Read Property permissions on the container. These permissions are sufficient to allow the user to view the contents of the Deleted Objects container. However, these permissions don't allow the user to make any changes to objects in that container. These permissions are equivalent to the default permissions granted to the Administrators group. By default, only the System account has permission to modify objects in the Deleted Objects container.
The following output should be displayed:
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
Allow CONTOSO\JaneDoe SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
The command completed successfully.
The user CONTOSO\JaneDoe now has permissions to view deleted objects in the CONTOSO domain.
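As an added example (not part of the original article), the following PowerShell script performs the two dsacls steps above against the current domain and then re-reads the ACL so that every principal granted access to the container is listed for review. It assumes the ADAM version of dsacls.exe is on the PATH, that the session runs as a member of Domain Admins, and that the principal name is a placeholder to replace with your own service account.

```powershell
# Added example, not from the original article: take ownership of the
# Deleted Objects container, grant a read-only view (LC + RP) to one
# principal, then audit the resulting ACL.
param(
    # Placeholder principal: replace with the account that polls for changes.
    [string]$Principal = 'CONTOSO\JaneDoe'
)

# Derive the domain DN from RootDSE instead of hard-coding DC=Contoso,DC=com.
$domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$deletedDn = "CN=Deleted Objects,$domainDn"

# Step 1: ownership must be taken first; by default only SYSTEM holds
# WRITE PERMISSIONS on this container, so the ACL cannot be edited otherwise.
& dsacls.exe $deletedDn /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeownership failed on $deletedDn" }

# Step 2: LC = List Contents, RP = Read Property. This matches the default
# Administrators rights and grants no ability to modify tombstones.
& dsacls.exe $deletedDn /g "${Principal}:LCRP" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "grant failed for $Principal on $deletedDn" }

# Step 3: re-read the ACL and report each 'Allow <principal>' entry.
# Anything beyond the built-in defaults and the account just added is flagged
# so that earlier or unintended grants on this container are visible.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $Principal)
$aclText  = & dsacls.exe $deletedDn
foreach ($line in $aclText) {
    # Assumption: dsacls prints 'Allow <principal> SPECIAL ACCESS' or
    # 'Allow <principal> FULL CONTROL', as in the output shown above.
    if ($line -match '^\s*Allow\s+(.+?)\s+(SPECIAL ACCESS|FULL CONTROL)') {
        $who = $Matches[1]
        if ($expected -contains $who) {
            Write-Host "OK: $who has $($Matches[2]) on $deletedDn"
        } else {
            Write-Warning "Unexpected principal on $deletedDn: $who"
        }
    }
}
```

Run the script from an elevated ADAM Tools Command Prompt session; the warnings, if any, are the entries to review before leaving the new ACL in place.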