How to Delegate the Restoration of Objects from Active Directory Recycle Bin
Active Directory Recycle Bin is a feature introduced with the Windows Server 2008 R2 forest functional level. It allows Active Directory objects to be restored with all their link-valued and non-link-valued attributes preserved, without causing downtime or requiring a backup.
By default, when an Active Directory object is accidentally deleted, only a Domain Administrator can restore it. This can be a heavy administrative burden for Domain Administrators in medium-sized and large companies.
This Wiki article shows how this can be delegated for a decentralized management of object restore operations in Active Directory.
Delegation of permissions on Deleted Objects Container:
The following permissions need to be delegated to the target user / group on Deleted Objects Container:
- List the child objects of the object
- Read a property
- Write to a property
This could be achieved by:
- Taking ownership of the Deleted Objects container using the following command (replace the Distinguished Name of the Deleted Objects container with the one of your domain):
dsacls "CN=Deleted Objects,DC=contoso,DC=com" /takeownership
- Running the following command (replace the Distinguished Name of the Deleted Objects container with the one of your domain, and replace the account name with the one of your target user / group; LC, RP and WP stand for List Children, Read Property and Write Property):
dsacls "CN=Deleted Objects,DC=contoso,DC=com" /g CONTOSO\sAMAccountName:LCRPWP
Delegation of Reanimate tombstones permission on the Domain level:
You need to delegate the Reanimate tombstones permission at the Domain level and apply it to This object and all descendant objects. You can use the Security tab in your Domain properties to do that:
Delegation of the Creation and Write all properties permission on the objects to manage their restore:
You can delegate the restore of Active Directory objects at the Domain level or on specific Organizational Units. For that, the user / group that will manage the restore operations needs the following permissions on the objects to manage:
- Creation permission
- Write all properties permission
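The three delegation steps above can also be applied from a single script. The following PowerShell is an added example and not part of the original Wiki article; it assumes the ActiveDirectory module is installed, that it runs as a Domain Administrator, and that the group CONTOSO\AD-Restore-Operators and the OU "OU=Staff" are placeholders you replace with your own values. It reuses the two dsacls commands from the article for the Deleted Objects container and adds the Reanimate tombstones and OU permissions through the AD: drive; the Reanimate-Tombstones control access right GUID is read from the configuration partition rather than hard-coded.

```powershell
# Added example, not code from the original article.
# Placeholders: CONTOSO\AD-Restore-Operators (group) and OU=Staff (target OU).
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName
$DeletedDN = "CN=Deleted Objects,$DomainDN"
$TargetOU  = "OU=Staff,$DomainDN"               # placeholder OU whose objects may be restored
$Account   = "CONTOSO\AD-Restore-Operators"     # placeholder user / group receiving the delegation

# Resolve the account to a SID once so the ACEs do not depend on later name resolution.
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Step 1: Deleted Objects container. Its DACL can only be changed by the owner,
# so take ownership first, then grant List Children, Read Property, Write Property.
dsacls $DeletedDN /takeownership
dsacls $DeletedDN /g "${Account}:LCRPWP"

# Helper: append an Allow ACE to an AD object's DACL, inherited by all descendants.
function Add-AdAce {
    param(
        [string]$DistinguishedName,
        [System.Security.Principal.SecurityIdentifier]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $args = @($Identity, $Rights,
              [System.Security.AccessControl.AccessControlType]::Allow,
              $ObjectType,
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)  # this object and all descendants
    $ace  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Step 2: Reanimate tombstones on the domain head, applied to this object and all descendants.
# The right's GUID is looked up under CN=Extended-Rights instead of being hard-coded.
$ConfigDN  = (Get-ADRootDSE).ConfigurationNamingContext
$Reanimate = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigDN" `
                          -LDAPFilter "(cn=Reanimate-Tombstones)" -Properties rightsGuid
Add-AdAce -DistinguishedName $DomainDN -Identity $Sid `
          -Rights ExtendedRight -ObjectType ([guid]$Reanimate.rightsGuid)

# Step 3: Create child objects and Write all properties on the OU to manage.
$OuRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
Add-AdAce -DistinguishedName $TargetOU -Identity $Sid -Rights $OuRights
```

Scoping step 3 to an OU rather than the domain head keeps the delegation to the least privilege the operator needs: the group can only recreate objects whose last known parent is under that OU, and it gains no write access elsewhere.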
Important: After the delegation of the permissions described in this section, the user / group in charge of the restore operations will be able to restore only accounts removed after the delegation. Accounts removed before the delegation can be restored only by a Domain Administrator.
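Before handing the delegation over, it is worth checking that all three permission sets are actually present, and then exercising them as the delegated operator would. The following PowerShell is an added example, not part of the original Wiki article; it assumes the ActiveDirectory module and uses the same placeholders (CONTOSO\AD-Restore-Operators, OU=Staff, a deleted user named "jdoe") that you replace with your own values.

```powershell
# Added example, not code from the original article.
# Placeholders: CONTOSO\AD-Restore-Operators, OU=Staff, and the deleted user "jdoe".
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$Account  = "CONTOSO\AD-Restore-Operators"
$TargetOU = "OU=Staff,$DomainDN"
$ConfigDN = (Get-ADRootDSE).ConfigurationNamingContext
$ReanimateGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigDN" `
                    -LDAPFilter "(cn=Reanimate-Tombstones)" -Properties rightsGuid).rightsGuid

# Allow ACEs on a DN that are granted to the account.
function Get-AccountAce {
    param([string]$DistinguishedName, [string]$Account)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and
                       $_.AccessControlType -eq 'Allow' }
}

# True when at least one ACE carries every requested right (and the object type, if given).
function Test-Right {
    param($Aces,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType = [guid]::Empty)
    foreach ($ace in @($Aces)) {
        $hasRights = ($ace.ActiveDirectoryRights -band $Rights) -eq $Rights
        $hasType   = ($ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $ObjectType)
        if ($hasRights -and $hasType) { return $true }
    }
    return $false
}

$deleted = Get-AccountAce "CN=Deleted Objects,$DomainDN" $Account
$domain  = Get-AccountAce $DomainDN $Account
$ou      = Get-AccountAce $TargetOU $Account

# One row per required permission set; every column must read True.
[pscustomobject]@{
    'Deleted Objects: LC+RP+WP'     = Test-Right $deleted ([System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty')
    'Domain: Reanimate Tombstones'  = Test-Right $domain ExtendedRight $ReanimateGuid
    'OU: CreateChild+WriteProperty' = Test-Right $ou ([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty')
}

# What the delegated operator runs afterwards: locate the tombstone by its last known
# parent (only objects that lived under the delegated OU are in scope) and restore it.
$tombstones = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "jdoe*" } `
                           -IncludeDeletedObjects -Properties lastKnownParent
$tombstones | Where-Object { $_.lastKnownParent -eq $TargetOU } | Restore-ADObject
```

If the restore still fails with an access denied error for an object that was deleted before the delegation was applied, that is the behaviour the note above describes: the tombstone never received the inherited ACEs, so a Domain Administrator has to restore it.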
Delegation of Administration in Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx