How do I grant a service account permission to view deleted objects in Active Directory?
Objective
This article explains how to grant a service account access to the Deleted Objects container in Active Directory, enabling ADManager Plus to generate accurate reports on recently deleted users or objects. Without this access, the service account cannot retrieve soft-deleted (i.e., tombstoned) objects, which can limit visibility in compliance reports, audit reviews, or recovery tracking.
Prerequisites
Before proceeding, ensure the following:
You have domain admin or enterprise admin privileges.
The AD Recycle Bin is enabled. (Note: This is optional, but it enhances the visibility of deleted objects.)
You have access to the Active Directory Users and Computers (ADUC) console or the ADSI Edit console.
Steps to follow
Press Win + R, type adsiedit.msc, and press Enter to open ADSI Edit.
In the ADSI Edit console, right-click ADSI Edit and select Connect to.
Under Connection Point, choose Select a well-known Naming Context, then select Configuration. Click OK.
In the left pane, expand the tree and navigate to:
Configuration > <your domain> > CN=Configuration,DC=yourdomain,DC=com
Right-click the Deleted Objects container and select Properties.
In the Properties window, go to the Security tab.
Click Add, enter the name of the service account, and click OK.
With the service account selected, check the following permissions:
Read
List contents
Click Advanced, then Add, and select the same service account.
Set Applies to as This object only.
Click Show advanced permissions, then check Read Deleted Objects.
Click OK on all windows to apply and save the changes.
Validation and confirmation
To verify that the service account can view deleted objects:
Log in to ADManager Plus as admin and navigate to Reports > User Reports > General Reports > Recently Deleted users.
If deleted users are displayed, the service account has been granted the correct access.
Tips
Enable Advanced Features in ADUC to view the Deleted Objects container directly.
Limit the permission scope to read-only to prevent accidental modification of deleted items.
Maintain a log of permission changes for auditing purposes.
Use a Group Policy to restrict interactive logon access for service accounts.
New to ADSelfService Plus?
Related Articles
Why are reports generated in ADManager Plus listing objects that no longer exist in Active Directory?
Issue description ADManager Plus reports may display user accounts, computers, or other Active Directory objects that no longer exist. This affects the accuracy of report data and can hinder functions that rely on up-to-date AD information, such as ...How can I track or audit changes made to Active Directory objects using ADManager Plus?
Objective This article explains how to audit changes made to Active Directory (AD) objects using ADManager Plus. Auditing enables administrators to track critical actions such as user modifications, group membership changes, password resets, and ...How to set the retention period for deleted objects for quick recovery using ADManager Plus
Objective Learn how to configure the retention period for deleted Active Directory objects in Quick Recovery. This setting defines how long deleted users, groups, and other objects can be restored without requiring a full backup recovery. Adjusting ...Using a Managed Service Account (MSA or gMSA) in ADManager Plus
A Managed Service Account (MSA) or group Manage Service Account (gMSA) is a more secure and scalable service account with the characteristics of a computer object. The passwords of MSAs/gMSAs are random and are automatically updated by the Windows ...How to configure UKG Pro Active Directory integration in ADManager Plus
Objective This article explains how to set up a seamless UKG Active Directory integration using ManageEngine ADManager Plus to automate user identity life cycle management. By connecting UKG Pro with Active Directory, IT teams can eliminate manual ...