Changing Permissions on the CN=Deleted Objects Container

When an Active Directory object is deleted, a small portion of the object remains for a specified time
so that other domain controllers that are replicating changes become aware of the deletion. By
default, only the System account and members of the Administrators group can view the contents of
this container. This section describes how to modify the permissions on the CN=Deleted Objects
container.

Changing permissions on the Deleted Objects container might be necessary if you have enterprise
applications or services that bind to Active Directory with a non-System or non-Admin account and
poll for directory changes.

This process requires dscals.exe from the Active Directory Application Mode (ADAM) package. This
version is an upgrade from the one in the Windows Server 2003 Support Tools and now supports the
required capabilities. The ADAM Administration Tools are supported on Windows XP Professional,
Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows
Server 2003 Datacenter Edition.

To get and install the ADAM Administration Tools:

Download ADAM Administration tools and install

Link: - http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-
2A2A57B5C8E4&displaylang=en

After the ADAM Administration Tools are installed, modify the permissions on the CN=Deleted
Objects container:

1. Log in with a user account that is a member of the Domain Admins group.
2. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.
3. At the command prompt, enter the following command:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership

Note: - Each domain in the forest will have its own Deleted Objects container.

To grant a security principal permission to view the objects in the CN=Deleted Objects container,
enter the following command:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /g CONTOSO\JaneDoe:LCRP

In this example, the user CONTOSO\JaneDoe has been granted List Contents and Read Property
permissions on the container. These permissions are sufficient to allow the user to view the contents
of the Deleted Objects container. However, these permissions don’t allow the user to make any
changes to objects in that container. These permissions are equivalent to the default permissions
granted to the Administrators group. By default, only the System account has permission to modify
objects in the Deleted Objects container.

The user CONTOSO\JaneDoe now has permissions to view deleted objects in the CONTOSO domain.