When an Active Directory object is deleted, a small part
of the object stays in the deleted objects container for a specified time. It stays there so that other domain
controllers that are replicating changes will become aware of the deletion. By
default, only the System account and members of the Administrators group can view the contents of this container. This article describes how to modify the
permissions on the deleted objects container.
You may have to modify the permissions on the deleted objects container if the following conditions are true:
- You have
enterprise applications or services that bind to Active Directory with a
non-System account or a non-Administrator account.
- These enterprise applications or services poll for directory changes.
To modify the permissions on the deleted objects container
so that non-administrators can view this container, use the
DSACLS.exe program. The DSACLS.exe program is included with the Active Directory Application Mode
(ADAM) Administration Tools.
To obtain and install the ADAM
Administration Tools, follow these steps:
- Download the ADAM retail package.
The following
file is available for download from the Microsoft Download
Center:
Collapse this imageExpand this image
(http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en)
For more information about how to
download Microsoft Support files, click the following article number to view
the article in the Microsoft Knowledge Base: 119591
(http://support.microsoft.com/kb/119591/
)
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help prevent
any unauthorized changes to the file.
Note This version of the ADAM
Administration Tools is an upgrade from the version in the Windows Server
2003 Support Tools. This version of the ADAM
Administration Tools is supported by Microsoft Windows Server
2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; Microsoft Windows
Server 2003, Datacenter Edition; and Microsoft Windows XP Professional. - To extract the contents of the file that you downloaded in
step 1, double-click the file, and then specify a directory when you are
prompted.
- In the directory that you extracted the file to in step 2,
double-click the Adamsetup.exe program to start the Active Directory
Application Mode Setup Wizard, and then click Next.
- Review and accept the license terms, and then click
Next.
- Select ADAM administration tools only, and
then click Next.
- Review your selections, and then click
Next.
- When Setup has concluded, click
Finish.
After you have installed the ADAM Administration Tools, you can modify
the permissions on the deleted objects container. To do this, follow these
steps:
- Log on with
a user account that is a member of the Domain Admins group.
- Click Start, point to All
Programs, point to ADAM, and then click
ADAM Tools Command Prompt.
- At the command prompt, type a command that is similar to the following example:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership
Notes- When you type this command, use the name of the deleted objects container for
your domain.
- Each domain in the forest will have its own deleted objects
container.
Output that is similar to the following example should be displayed:Owner: Contoso\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
The command completed successfully
- To grant a security principal permission to view the
objects in the deleted objects container, type a command that is similar to the following example:
dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /g CONTOSO\EricLang:LCRP
Output that is similar to the following example should be displayed:Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Allow NT AUTHORITY\SYSTEM SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
Allow CONTOSO\EricLang SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
The command completed successfully
Article ID: 892806 - Last Review: November 1, 2006 - Revision: 2.2
APPLIES TO
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Back to the top
