How to Delegate Object Restoration Rights in Active Directory
Delegating object restoration rights is a best practice: it lets operational teams perform routine restores without holding Domain Admins membership, which reduces the risk of accidental or malicious changes to the AD environment.
Because the Delegation of Control wizard does not expose this specific permission, you have to use the advanced security editor or the dsacls command-line tool. Below we outline the dsacls method.
Step 1: Enable AD Recycle Bin
First, enable the AD Recycle Bin. This requires a forest functional level of Windows Server 2008 R2 or later, and the enabling account must be a member of Enterprise Admins. Run the commands from a machine with the RSAT Active Directory PowerShell module installed.
# Check whether the AD Recycle Bin feature is already enabled (EnabledScopes is empty when it is not).
Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
# Run with Enterprise Admins rights; -Target is the forest root domain (the feature is forest-wide).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <your domain>
# Note: once the Recycle Bin feature is enabled, it cannot be disabled again.
Step 2: Create a Restoration Group
Create a new AD security group, for example 'Restore_Objects'. The group can be domain local, global, or universal, depending on your requirements; only the members of this group will receive the restoration rights.
Step 3: Set Restoration Rights at the Domain Root
Open a command prompt with Domain Admins rights on a machine where the RSAT tools are installed and run the following command to grant the "Reanimate Tombstones" control access right (CA) at the domain root. This right is what allows a tombstoned (deleted) object to be brought back:
# Replace the DN with your domain's root DN, e.g. dc=<your domain>,dc=<com>; dsacls expects the principal as DOMAIN\group
dsacls "dc=<your domain>,dc=<com>" /G "<your domain>\restore_objects:CA;Reanimate Tombstones"
Step 4: Take Ownership of the Deleted Objects Container
The default ACL on the Deleted Objects container does not let you change its permissions directly, so take ownership of it first:
dsacls "CN=Deleted Objects,dc=<your domain>,dc=<com>" /takeownership
Step 5: Assign Permissions to the Deleted Objects Container
Assign the Restore_Objects group the rights to list children (LC) and read properties (RP) of objects in the Deleted Objects container, so its members can find the objects they need to restore:
dsacls "CN=Deleted Objects,dc=<your domain>,dc=<com>" /G "<your domain>\restore_objects:LCRP"
Step 6: Assign Write Permissions to the OU or Domain
Finally, grant write property (WP) and create child (CC) rights on the container the objects will be restored into, inherited to sub-objects (/I:T). Together with the Reanimate Tombstones right this lets the group restore objects. Prefer a specific OU over the domain root: granted at the root, WP and CC with inheritance let the group create and modify objects anywhere in the domain, including restoring previously deleted privileged accounts, so treat Restore_Objects as a sensitive group and scope it as narrowly as the restores you actually need.
# Replace the DN with the OU that holds the objects to restore, e.g. ou=<your ou>,dc=<your domain>,dc=<com>,
# or with the domain root DN only if restores are needed domain-wide.
dsacls "ou=<your ou>,dc=<your domain>,dc=<com>" /I:T /G "<your domain>\restore_objects:WPCC"
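The six steps above, run end to end as one PowerShell script, followed by the check a practitioner wants afterwards: a dump of every ACE that names the group, and the restore a member of Restore_Objects performs without Domain Admins. This is an added example, not code from the original article; the domain contoso.com, the OU paths and the deleted account name jdoe are assumptions.

```powershell
# Added example: delegate deleted-object restoration with dsacls, then verify.
# Assumptions (not from the original article): domain contoso.com, the group lives in
# OU=Groups, delegated restores are scoped to OU=Staff, and "jdoe" is a deleted user.
# Step 1 needs Enterprise Admins; steps 3-6 need Domain Admins; RSAT AD module required.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$ForestRoot  = 'contoso.com'                       # assumption: forest root domain
$GroupName   = 'Restore_Objects'
$GroupOuDn   = 'OU=Groups,DC=contoso,DC=com'       # assumption: where the group is created
$TargetOuDn  = 'OU=Staff,DC=contoso,DC=com'        # assumption: only OU the group may restore into

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName             # e.g. DC=contoso,DC=com
$deletedDn = $domain.DeletedObjectsContainer       # CN=Deleted Objects,DC=contoso,DC=com
$principal = "$($domain.NetBIOSName)\$GroupName"   # dsacls expects DOMAIN\group

# Step 1: enable the Recycle Bin only if it is not already on (the change is irreversible).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestRoot -Confirm:$false
}

# Step 2: create the delegation group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOuDn -Description 'Delegated restore of deleted AD objects'
}

# Step 3: "Reanimate Tombstones" control access right on the domain root.
# ${principal} (braces) keeps PowerShell from reading "$principal:" as a drive name.
& dsacls.exe $domainDn /G "${principal}:CA;Reanimate Tombstones"

# Steps 4 and 5: take ownership of Deleted Objects, then grant list children + read property.
& dsacls.exe $deletedDn /takeownership
& dsacls.exe $deletedDn /G "${principal}:LCRP"

# Step 6: write property + create child on the target OU, inherited to sub-objects.
& dsacls.exe $TargetOuDn /I:T /G "${principal}:WPCC"

# Verification: show every ACE that names the group on each of the three objects.
foreach ($dn in @($domainDn, $deletedDn, $TargetOuDn)) {
    Write-Host "== $dn"
    & dsacls.exe $dn | Select-String -Pattern $GroupName
}

# What a member of Restore_Objects then runs (no Domain Admins needed):
# locate the tombstoned object by its former name and put it back in its last known parent.
# Deleted objects are renamed to "<name>\0ADEL:<guid>", hence the trailing wildcard.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "jdoe*"' `
    -IncludeDeletedObjects -Properties lastKnownParent
$deleted | Restore-ADObject
# If the original parent OU no longer exists, restore explicitly into the delegated OU:
# Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $TargetOuDn
```

The restore at the end is the real test of the delegation: run it as a plain member of Restore_Objects. If it fails with access denied, compare the dsacls output with the three grants above; the Reanimate Tombstones ACE must be on the domain root itself, and the target OU of the restore must be inside the scope you granted WPCC on.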
Summary
- Enable AD Recycle Bin: ensures deleted objects can be restored.
- Create the Restore_Objects group: the principal that receives the delegated rights.
- Set root permissions: grants the Reanimate Tombstones right at the domain level.
- Take ownership of the Deleted Objects container: allows its permissions to be changed.
- Assign permissions to the Deleted Objects container: grants listing and reading rights.
- Assign write permissions on the target OU: enables the actual object restoration.