I am trying to update the ACL permissions of the 'Deleted Objects' container in AD programmatically however I am unable to validate the current permissions. Normally I would use Get-ACL
on the Distinguished Name however this command returns "Cannot find path {DN} because it does not exist"
I am running this as a Domain Admin and I can confirm the container does exist with Get-ADObject -SearchBase ((Get-ADDomain).DeletedObjectsContainer) -Filter * -IncludeDeletedObjects -SearchScope Base
The issue seems to be that the Deleted Objects container itself is marked as isDeleted which prevents Get-ACL from reading it.
Using dsacls
as outlined here does work if I run it as system through psexec though the output is not ideal as I have to process it before I can validate against it. Is there another way to query this information with PowerShell that will return cleaner output?
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/non-administrators-view-deleted-object-container
You're right, you do have to treat it specially because it's "deleted".
You were very close. You can return the nTSecurityDescriptor property of the AD Object which will get you what you want.
$delObjContainer = Get-ADObject -Filter 'objectClass -eq "container"' -SearchBase (Get-ADDomain).DeletedObjectsContainer -Properties nTSecurityDescriptor -IncludeDeletedObjects -SearchScope base
$delObjContainer.nTSecurityDescriptor.Access
# ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, Delete, GenericWrite, WriteDacl, WriteOwner
# InheritanceType : None
# ObjectType : 00000000-0000-0000-0000-000000000000
# InheritedObjectType : 00000000-0000-0000-0000-000000000000
# ObjectFlags : None
# AccessControlType : Allow
# IdentityReference : NT AUTHORITY\SYSTEM
# IsInherited : False
# InheritanceFlags : None
# PropagationFlags : None