Delegating the recovery of AD objects can be a pain.

There are several permissions a user needs to have to be able to undelete objects from the recycle bin:

  • Reanimate Tombstones extended right in the domain where objects are to be restored.
  • Write permission on each object attribute to be updated during the restore.
  • Create All Child Objects permission on the destination container.
  • List Contents permission on the Deleted Objects container in the domain where objects are to be restored.

For more information on how to grant List Contents permission to a non-administrator account, see Microsoft Knowledge Base article 892806 “How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server” at http://support.microsoft.com.

The problem here is that, once an object is deleted, anyone holding these rights can undelete it into any OU on which they have the required permissions.

An additional security risk can be introduced by granting this permission, because it allows a user to restore an account that may have a level of access greater than that of the user. By restoring such an account, the user in effect gains control of that account. This is because the LDAP API does not restore the backed up password, and so the user can set the initial password on the account.
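Before delegating the rights listed above (or after a delegation has been in place for a while), it is worth knowing exactly who already holds the Reanimate Tombstones extended right, since that is the one that turns a helpdesk user into someone who can take over a restored account. The following PowerShell audit is an added example and is not part of the original post or of RMAD; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain root's security descriptor, and that the domain name and principal names in the output are whatever your own directory contains.

```powershell
# Added example (not from the original post): list every principal that is
# allowed to reanimate tombstones in the current domain.
# Assumes the RSAT ActiveDirectory module and read access to the domain root ACL.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDSE  = Get-ADRootDSE
$configNC = $rootDSE.configurationNamingContext

# Resolve the rightsGuid of the Reanimate-Tombstones control access right from the
# forest's Extended-Rights container rather than hard-coding it.
$reanimate = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(displayName=Reanimate-Tombstones)" -Properties rightsGuid
$reanimateGuid = [guid]$reanimate.rightsGuid

# The extended right must be granted on the domain root, so read that DACL.
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# An ACE grants this right if it is an Allow ACE carrying the ExtendedRight bit
# (GenericAll includes it) and its ObjectType is either the specific GUID or the
# empty GUID, which means "all extended rights".
$holders = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $reanimateGuid -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object IdentityReference,
                  @{Name='Scope'; Expression={ if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { 'Reanimate-Tombstones only' } }},
                  IsInherited

"Principals allowed to reanimate tombstones in $($domain.DNSRoot):"
$holders | Format-Table -AutoSize
```

Anything in that list beyond the built-in administrative groups is a delegation to review against the risk described above: each such principal can restore a deleted account into any OU where they also have Create All Child Objects, and then set its initial password. The Deleted Objects container itself is not readable through the AD: drive by default; Knowledge Base article 892806, referenced above, covers how List Contents is granted there.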

The new Web Portal of Recovery Manager for AD (RMAD) from Dell Software takes care of this problem. You do not need to set any native permissions – everything is managed by RMAD, and users can only recover objects they originally had access to.

This gives central AD administrators the option to delegate this task to site admins or the helpdesk without giving them more rights than needed.