By default, only admins can search for tombstones. The reason is that
the deleted objects container has very strict default security, which
only gives Admins the LIST_CONTENTS permission that is required on the
container to read any child.
It is possible to update these permissions, though it's quite
difficult. The DO container is owned by SYSTEM. You have to take
ownership of the container. This will give you an implicit WRITE_DAC
permission. Then you can update the DACL to give users LIST_CONTENTS.
Then give ownership back to SYSTEM.
Note that assigning inheritable permissions above would not work,
because the DO container is protected from inheritance. Also, remember
that inheritable permissions don't propagate to tombstones. Basically,
a tombstone retains the security descriptor that was stamped on it.
You have to enable the "return deleted objects" option, because the DO
container is itself deleted.
Over LDAP, you have to pass the LDAP_SERVER_SHOW_DELETED_OID control with
your mod operation.
If you want to update the ntSecurityDescriptor with the new
ldap) for the DO, you have to update the SD on the DO container. Make
an SD value with owner field only. Pass sdflags control with the value
of 1 (OWNER_SECURITY_INFORMATION). Group does not really matter.
You need to pass the "sd flags" control, indicating you are only
updating owner/group. Otherwise, it thinks you are updating DACL and
SACL, and you don't have permission to do this. But if you only tell
it that you update owner only, then you will be allowed to do this
because you have SE_TAKE_OWNERSHIP privilege.
On Mon, 16 Jun 2003 18:51:07 +0200, "Srinivasulu"
>m able to see the deleted object
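The three-step procedure the reply describes (take ownership with an owner-only SD and the sd-flags control set to owner only, add LIST_CONTENTS to the DACL, hand ownership back to SYSTEM), as an added PowerShell example that is not code from the original post or its author. It uses System.DirectoryServices.Protocols, which exposes both LDAP controls mentioned above (ShowDeletedControl for LDAP_SERVER_SHOW_DELETED_OID and SecurityDescriptorFlagControl for the sd-flags control). The DC name dc.example.com, the domain DC=example,DC=com, and the choice of Authenticated Users as the "users" who get LIST_CONTENTS are assumptions; the caller is assumed to hold SeTakeOwnershipPrivilege as the post requires.

```powershell
# Added example, not code from the original post. Walks the three steps the
# post describes against the Deleted Objects container using
# System.DirectoryServices.Protocols (PowerShell 5.1+ on Windows).
# Assumptions (hypothetical): DC dc.example.com, domain DC=example,DC=com,
# the caller holds SeTakeOwnershipPrivilege, and "users" means Authenticated Users.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server           = 'dc.example.com'                         # assumption
$DeletedObjectsDN = 'CN=Deleted Objects,DC=example,DC=com'   # assumption
$ADS_RIGHT_ACTRL_DS_LIST = 0x4   # LIST_CONTENTS for directory objects

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()   # Negotiate with the current credentials

# Every request needs LDAP_SERVER_SHOW_DELETED_OID, because the container is
# itself a deleted object, and LDAP_SERVER_SD_FLAGS_OID, so the server only
# checks rights for the SD parts we actually send (Owner == 1).
function Add-SdControls($Request, [System.DirectoryServices.Protocols.SecurityMasks]$Mask) {
    [void]$Request.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())
    [void]$Request.Controls.Add([System.DirectoryServices.Protocols.SecurityDescriptorFlagControl]::new($Mask))
}

function Get-SdBytes([System.Security.AccessControl.RawSecurityDescriptor]$Sd) {
    $bytes = [byte[]]::new($Sd.BinaryLength)
    $Sd.GetBinaryForm($bytes, 0)   # self-relative binary form, as AD stores it
    return ,$bytes
}

function Set-DeletedObjectsSd([byte[]]$SdBytes, [System.DirectoryServices.Protocols.SecurityMasks]$Mask) {
    $mod = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
    $mod.Name      = 'nTSecurityDescriptor'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($SdBytes)
    $req = [System.DirectoryServices.Protocols.ModifyRequest]::new()
    $req.DistinguishedName = $DeletedObjectsDN
    [void]$req.Modifications.Add($mod)
    Add-SdControls $req $Mask
    [void]$conn.SendRequest($req)   # throws DirectoryOperationException on failure
}

# Step 1: take ownership. The SD carries only an owner and the mask is Owner
# (OWNER_SECURITY_INFORMATION), so the write is authorised by
# SeTakeOwnershipPrivilege rather than by WRITE_DAC, which we do not have yet.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
Set-DeletedObjectsSd (Get-SdBytes ([System.Security.AccessControl.RawSecurityDescriptor]::new("O:$($me.Value)"))) Owner

# Step 2: as owner we now have implicit WRITE_DAC. Fetch just the DACL, append
# a non-inheritable allow ACE for LIST_CONTENTS, and write the DACL back alone.
# No inheritance flags: the container is protected from inheritance and
# tombstones keep whatever SD was stamped on them, so inheritance buys nothing.
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $DeletedObjectsDN, '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    [string[]]@('nTSecurityDescriptor'))
Add-SdControls $search Dacl
$raw = $conn.SendRequest($search).Entries[0].Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]
$sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)

$grantee = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)   # assumption
$ace = [System.Security.AccessControl.CommonAce]::new(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $ADS_RIGHT_ACTRL_DS_LIST, $grantee, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
Set-DeletedObjectsSd (Get-SdBytes $sd) Dacl

# Step 3: hand ownership back to SYSTEM, again sending the owner field only.
Set-DeletedObjectsSd (Get-SdBytes ([System.Security.AccessControl.RawSecurityDescriptor]::new('O:SY'))) Owner
```

Each modify sends only the SD parts named in the mask, which is the whole point of the post: an owner-only write succeeds on the strength of SeTakeOwnershipPrivilege, while a write that also claimed to carry a DACL or SACL would be refused for lack of WRITE_DAC. The DACL read in step 2 is done with the same two controls, since a search against the container fails without the show-deleted control just as a modify does.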