Enable rights over the AD Recycle Bin
Learn how to control users' access to the Active Directory Recycle Bin and enable the corresponding user rights.
Enable the AD Recycle Bin if it is not already enabled (once enabled, it cannot be disabled):
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target [your forest]
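Create a global security group, e.g. “Restore_Objects”.
Add the PSP Service Account to this group.
Run the following commands (replacing “Restore_Objects” with the group name you created and "dc=yourdomain,dc=local" with your domain's distinguished name). In order, they grant the group the Reanimate Tombstones extended right on the domain, take ownership of the Deleted Objects container, grant List Contents and Read Property on that container, and grant Write Property and Create Child on the domain, inherited by this object and all sub-objects: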
dsacls "dc=yourdomain,dc=local" /g "Restore_Objects:ca;Reanimate Tombstones"
dsacls "CN=Deleted Objects,dc=yourdomain,dc=local" /takeownership
dsacls "CN=Deleted Objects,dc=yourdomain,dc=local" /g "Restore_Objects:LCRP"
dsacls "dc=yourdomain,dc=local" /I:T /g "Restore_Objects:WPCC"
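A read-only check of the result of the steps above, as an added example that is not part of the original page. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the group is named Restore_Objects, and that it is run by an account allowed to read the ACLs involved.

```powershell
# Added example: verifies the delegation described above. It changes nothing.
# Assumptions: ActiveDirectory module available; group name as in the example step.
Import-Module ActiveDirectory

$GroupName = 'Restore_Objects'            # replace with the group you created
$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName       # e.g. dc=yourdomain,dc=local
$deletedDN = $domain.DeletedObjectsContainer # CN=Deleted Objects,<domain DN>

# 1. The Recycle Bin is enabled only if the feature has at least one enabled scope.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Warning 'AD Recycle Bin is not enabled in this forest.'
} else {
    Write-Output 'AD Recycle Bin is enabled.'
}

# 2. List every account that inherits the delegated rights, nested members included.
Write-Output "`n--- Members of $GroupName ---"
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, SamAccountName, objectClass

# 3. Show the ACEs held by the group on the domain root and on Deleted Objects.
#    dsacls prints the trustee line first and the individual rights on the
#    lines after it, so keep a few lines of trailing context.
foreach ($dn in $domainDN, $deletedDN) {
    Write-Output "`n--- ACEs for $GroupName on $dn ---"
    $aces = dsacls $dn | Select-String -SimpleMatch $GroupName -Context 0,3
    if ($aces) {
        $aces
    } else {
        Write-Warning "No ACE for $GroupName found on $dn"
    }
}
```

Because the last dsacls command grants Write Property and Create Child across the domain with inheritance, the membership listed in step 2 should contain only the service account.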