We generally keep our hands off the customer's ADs and domain controllers, as it's a liability for us to directly tell the customer what to change or to make the changes ourselves. However, giving a user permission to read the Deleted Objects container is done as follows:
- Open Active Directory Users and Computers:
  - On a Windows Server machine or a computer with the Remote Server Administration Tools (RSAT) installed, open the Active Directory Users and Computers console.
- Enable Advanced Features:
  - In the ADUC console, click on "View" in the menu, and ensure that "Advanced Features" is checked. This will enable additional features, including the Security tab.
- Navigate to the Deleted Objects Container:
  - Expand your domain in the console tree and navigate to the "View" menu. Choose "Advanced Features" if it's not already selected.
  - Locate the "Deleted Objects" container. By default, it's not visible, but with "Advanced Features" enabled, you should be able to see it.
- Access the Properties of the Deleted Objects Container:
  - Right-click on the "Deleted Objects" container and select "Properties."
- Modify Security Settings:
  - Go to the "Security" tab in the Properties window.
  - Click on "Advanced" to access the advanced security settings.
- Add the Domain Admins Group:
  - Click on "Add" to add a new permission entry.
  - In the "Enter the object names to select" field, type "Domain Admins" and click "Check Names" to verify the group.
  - Click "OK" to add the group.
- Set Permissions:
  - In the "Permission Entry" window, set the permissions for the Domain Admins group. For read access, you can grant "Read all properties" and "Read permissions."
  - Click "OK" to apply the changes.
- Apply Changes:
  - Back in the "Advanced Security Settings" window, ensure that the permissions are applied to "This object and all descendant objects."
  - Click "OK" to close the advanced settings.
- Close Properties:
  - Click "OK" on the Properties window to close it.
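The same grant can be scripted so it is repeatable and auditable. The following is an added example, not part of the post above or any vendor tooling; it assumes you run it as a Domain Admin on a domain controller or an RSAT machine where the ActiveDirectory module and dsacls.exe are available, and it uses dsacls's documented ownership step because the container's ACL is not readable by default even for administrators. The group name, rights and inheritance mirror the GUI steps (Read all properties, Read permissions, this object and all descendants):

```powershell
# Added example (not from the original post): grant a group read access to the
# Deleted Objects container from PowerShell instead of through the ADUC GUI.
# Assumptions: Domain Admin session; ActiveDirectory module and dsacls.exe present.
param(
    [string]$GroupName = "Domain Admins"   # the group named in the steps above
)

Import-Module ActiveDirectory

$domain           = Get-ADDomain
$deletedObjectsDN = "CN=Deleted Objects,$($domain.DistinguishedName)"
$trustee          = "$($domain.NetBIOSName)\$GroupName"

Write-Host "Target container: $deletedObjectsDN"
Write-Host "Granting read rights to: $trustee"

# 1. Take ownership so the ACL can be edited (Microsoft's documented dsacls step;
#    the container's security descriptor is otherwise not accessible).
dsacls $deletedObjectsDN /takeownership | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed on $deletedObjectsDN" }

# 2. Grant the same rights the GUI steps describe:
#    LC = List Contents, RP = Read all properties, RC = Read permissions.
#    /I:T applies the entry to this object and all descendant objects.
dsacls $deletedObjectsDN /G "${trustee}:LCRPRC" /I:T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed for $trustee" }

# 3. Verify: show the new ACE and confirm deleted objects are now enumerable.
dsacls $deletedObjectsDN | Select-String -Pattern $GroupName

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged -First 10
```

Run it once per domain; the final `Get-ADObject` call doubles as the check that the grant took effect, since it fails with access denied for a principal that cannot list the container. Keep the change recorded alongside the rest of the domain's delegation so it can be reviewed or reverted with `dsacls $deletedObjectsDN /R "$trustee"`.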