This article explains how to grant a service account access to the Deleted Objects container in Active Directory, enabling ADManager Plus to generate accurate reports on recently deleted users or objects. Without this access, the service account cannot retrieve soft-deleted (i.e., tombstoned) objects, which can limit visibility in compliance reports, audit reviews, or recovery tracking.
Before proceeding, ensure the following:
You have domain admin or enterprise admin privileges.
The AD Recycle Bin is enabled. (Note: This is optional, but it enhances the visibility of deleted objects.)
You have access to the Active Directory Users and Computers (ADUC) console or the ADSI Edit console.
1. Press Win + R, type adsiedit.msc, and press Enter to open ADSI Edit.
2. In the ADSI Edit console, right-click ADSI Edit and select Connect to.
3. Under Connection Point, choose Select a well-known Naming Context, then select Configuration. Click OK.
4. In the left pane, expand the tree and navigate to: Configuration > <your domain> > CN=Configuration,DC=yourdomain,DC=com
5. Right-click the Deleted Objects container and select Properties.
6. In the Properties window, go to the Security tab.
7. Click Add, enter the name of the service account, and click OK.
8. With the service account selected, check the following permissions: Read and List contents.
9. Click Advanced, then Add, and select the same service account.
10. Set Applies to as This object only.
11. Click Show advanced permissions, then check Read Deleted Objects.
12. Click OK on all windows to apply and save the changes.
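The same read-only grant from the command line, as an added example that is not part of the original article or of ADManager Plus: it uses dsacls, the tool Microsoft's own guidance for this container relies on, to assign List Contents and Read Property on CN=Deleted Objects in the domain partition, where deleted user objects are kept. The domain DN and the service account name are placeholders; run it from an elevated PowerShell session on a domain controller or a machine with RSAT.

```powershell
# Added example (not from the article). Grants the service account the read-only rights
# the GUI steps select, using dsacls. Placeholders: $DomainDn and $ServiceAccount.
$DomainDn       = "DC=yourdomain,DC=com"       # placeholder: your domain's distinguished name
$ServiceAccount = "YOURDOMAIN\svc-admanager"   # placeholder: the ADManager Plus service account

$DeletedObjectsDn = "CN=Deleted Objects,$DomainDn"

# By default only SYSTEM owns this container, so an administrator has to take ownership
# before its ACL can be changed. This is the same as the Owner change done via Advanced
# in the Security tab.
dsacls $DeletedObjectsDn /takeownership | Out-Null

# LC = List Contents, RP = Read Property: enough to enumerate deleted objects and read
# their attributes, with no write or delete rights. Without /I the ACE applies to this
# object only, matching the "This object only" setting in the GUI.
dsacls $DeletedObjectsDn /G "${ServiceAccount}:LCRP"

# Print the resulting ACL entries for the account so the new ACE can be confirmed.
dsacls $DeletedObjectsDn | Select-String -Pattern ([regex]::Escape($ServiceAccount))
```

Keeping the grant at LCRP matches the read-only scope recommended later in this article; if the account later needs to restore objects, that is a separate, deliberately wider grant.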
To verify that the service account can view deleted objects:
Log in to ADManager Plus as admin and navigate to Reports > User Reports > General Reports > Recently Deleted users.
If deleted users are displayed, the service account has been granted the correct access.
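An independent check with the ActiveDirectory PowerShell module, as an added example not taken from the article: it runs the deleted-object query under the service account's own credentials, so a non-empty result shows the container ACL is correct regardless of how ADManager Plus itself is configured, and an empty result points at the permissions rather than at the product. The account name is a placeholder, and RSAT (the ActiveDirectory module) must be installed where it runs.

```powershell
# Added example (not from the article). Queries deleted user objects as the service
# account to confirm it can read the Deleted Objects container. Placeholder: $ServiceAccount.
Import-Module ActiveDirectory

$ServiceAccount = "YOURDOMAIN\svc-admanager"   # placeholder: the ADManager Plus service account
$Cred = Get-Credential -UserName $ServiceAccount -Message "Enter the service account password"

# -IncludeDeletedObjects makes the search return tombstoned or recycled objects. If the
# account lacks rights on CN=Deleted Objects the directory simply omits them, so the
# symptom is an empty result rather than an access-denied error.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects `
    -Properties 'whenChanged', 'lastKnownParent', 'msDS-LastKnownRDN' `
    -Credential $Cred

if ($deleted) {
    "Service account can see $(@($deleted).Count) deleted user object(s):"
    $deleted | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize
} else {
    "No deleted users returned: either none exist, or the account lacks rights on CN=Deleted Objects."
}
```

If this query returns objects but the ADManager Plus report stays empty, the remaining variable is the product's own configuration rather than Active Directory permissions.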
Enable Advanced Features in ADUC to view the Deleted Objects container directly.
Limit the permission scope to read-only to prevent accidental modification of deleted items.
Maintain a log of permission changes for auditing purposes.
Use a Group Policy to restrict interactive logon access for service accounts.