Active Directory Recycle Bin is a great feature that was introduced with the Active Directory Forest Functional Level Windows Server 2008 R2. It allows restoring Active Directory objects while preserving all link-valued and non-link-valued attributes, without introducing downtime or requiring a backup.
By default, when an Active Directory object is accidentally removed, only a Domain Administrator can restore it. This can be a heavy administrative burden for Domain Administrators in medium and large sized companies.
This Wiki article shows how this can be delegated for a decentralized management of object restore operations in Active Directory.
Delegation of permissions on Deleted Objects Container:
The following permissions need to be delegated to the target user / group on the Deleted Objects Container:
This could be achieved by:
dsacls "CN=Deleted Objects,DC=contoso,DC=com" /takeownership
dsacls "CN=Deleted Objects,DC=contoso,DC=com" /g CONTOSO\sAMAccountName:LCRPWP
Delegation of Reanimate tombstones permission on the Domain level:
You need to delegate the Reanimate tombstones permission on the Domain level and make it apply to This object and all descendant objects. You can use the Security tab in your Domain properties to do that:
Delegation of the Creation and Write all properties permission on the objects to manage their restore:
You can delegate the restore of Active Directory objects on your Domain level or on specific Organizational Units. For that, the user / group that will manage the restore operation needs the following permissions on the objects to manage:
Important: After the delegation of the permissions described in this Section, the user / group in charge of the restore operation will be able to restore accounts removed after the delegation. The ones removed before can be restored only by a Domain Administrator.
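As an added example that is not part of the original article, the following PowerShell reports who currently holds the Reanimate tombstones right at the Domain level and shows the ACL on the Deleted Objects container, so the delegation above can be verified and periodically audited (the right lets its holder bring back any deleted account, so the list of holders is worth reviewing). It assumes the RSAT ActiveDirectory module is installed and that ownership of Deleted Objects has already been taken with the dsacls step above; the right's GUID is resolved from the schema rather than hard-coded.

```powershell
# Added example, not from the original article: audit Reanimate Tombstones holders
# and the Deleted Objects container ACL. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# Resolve the rightsGuid of the "Reanimate Tombstones" control access right from
# the Extended-Rights container instead of trusting a hard-coded GUID.
$reanimateRight = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
    -LDAPFilter "(displayName=Reanimate Tombstones)" -Properties rightsGuid
$reanimateGuid  = [guid]$reanimateRight.rightsGuid

function Get-ReanimateTombstonesHolders {
    # Lists every Allow ACE on the domain root that grants Reanimate Tombstones,
    # either explicitly or through "all extended rights" (ObjectType = empty GUID).
    param([string]$Dn = $domainDn)
    $sd = (Get-ADObject -Identity $Dn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $sd.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $reanimateGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ObjectType, InheritanceType, IsInherited
}

function Get-DeletedObjectsAcl {
    # The container carries isDeleted, so -IncludeDeletedObjects is required to bind to it.
    # Reading its security descriptor only works once ownership has been taken (dsacls /takeownership).
    $dn = "CN=Deleted Objects,$domainDn"
    $obj = Get-ADObject -Identity $dn -IncludeDeletedObjects -Properties nTSecurityDescriptor
    $obj.nTSecurityDescriptor.Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

"Reanimate Tombstones holders on $domainDn"
Get-ReanimateTombstonesHolders | Format-Table -AutoSize

"ACL on CN=Deleted Objects,$domainDn"
Get-DeletedObjectsAcl | Format-Table -AutoSize
```

Run it before and after the delegation: the delegated group should appear in the first table with InheritanceType All, and in the second with ListChildren, ReadProperty and WriteProperty, matching the LCRPWP flags passed to dsacls.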