Ldap – access AD recycle bin through LDAP

Tags: active-directory, ldap

Working with a Windows 2016 server, how do I query its recycle bin through
LDAP? The bin is active and, according to the AD admin center, currently
contains two OUs I removed yesterday. Through wellKnownObjects, AD gives the
bin location as cn=Deleted Objects,dc=example,dc=com.

However, when I query that DN for objectClass=*, neither entry is returned:

# extended LDIF
#
# LDAPv3
# base <CN=Deleted Objects,DC=example,DC=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# search result
search: 5
result: 32 No such object
matchedDN: CN=Deleted Objects,DC=example,DC=com
text: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best 
 match of:
    'CN=Deleted Objects,DC=example,DC=com'


# numResponses: 1

What does the server actually need?

Edit: Researching the issue a bit further, MS seems to have a
specific LDAP control LDAP_SERVER_SHOW_DELETED_OID
for exactly this use case. However I was not able to make deleted
objects show by adding -e 1.2.840.113556.1.4.417 to the
ldapsearch invocation.

Best Answer

The answer is that AD applies some sort of access control to the recycling bin. Coming with an Admin ticket, it suddenly works:

$ kinit Administrator@EXAMPLE.COM
$ ldapsearch -v -R EXAMPLE.COM \
    -H ldap://windowsbox.example.com:389 \
    -b 'CN=Deleted Objects,DC=example,DC=com' \
    -E '!1.2.840.113556.1.4.417' \
    -s sub \
    '(objectClass=*)' \
    distinguishedName

# Deleted Objects, example.com
dn: CN=Deleted Objects,DC=example,DC=com
distinguishedName: CN=Deleted Objects,DC=example,DC=com
…

# Comnisca
DEL:97f85a86-f326-4df1-b747-4bc9002b28c2, Deleted Objects, example.com
dn: CN=Comnisca\0ADEL:97f85a86-f326-4df1-b747-4bc9002b28c2,CN=Deleted Objects,
 DC=example,DC=com
distinguishedName: CN=Comnisca\0ADEL:97f85a86-f326-4df1-b747-4bc9002b28c2,CN=D
 eleted Objects,DC=example,DC=com
…

Only root may access the recycling bin, who’d have thought?

The privileges governing various access methods to the recycle bin are documented in the section “Delegating Active Directory Recycle Bin operations” of this document: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392260%28v%3dws.10%29
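As an added example (not part of the original answer, and not the asker's or answerer's code), the following stand-alone Python builds, with the standard library only, the exact LDAP SearchRequest that the ldapsearch invocation above puts on the wire: a subtree search of the page's CN=Deleted Objects,DC=example,DC=com base with the (objectClass=*) filter and LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417) attached as a request control. It also shows the difference between -E '!oid' (criticality TRUE) and -E 'oid' (criticality omitted), and decodes the CN=<name>\0ADEL:<objectGUID> naming that deleted objects carry in the answer's output. The request attribute lastKnownParent is my choice (a standard AD attribute on tombstoned and recycled objects, not something the page shows); the code never binds or connects, so the bytes are for comparing against a packet capture or for sending from your own client after a GSSAPI bind.

```python
# Added example, not from the original post: BER-encode (RFC 4511) the LDAP search
# that `ldapsearch -E '!1.2.840.113556.1.4.417' -b 'CN=Deleted Objects,...' -s sub
# '(objectClass=*)'` sends, and parse the DN form AD gives deleted objects.
# Stdlib only; nothing here talks to a domain controller.
from __future__ import annotations
import re

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"   # LDAP_SERVER_SHOW_DELETED_OID


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|count, then big-endian) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED when tag=0x0A): minimal two's-complement content octets."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def ber_bool(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")


def ber_str(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode("utf-8"))


def ldap_control(oid: str, critical: bool, value: bytes | None = None) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  A FALSE criticality is omitted, as DER
    requires for DEFAULT values; the show-deleted control carries no value."""
    body = ber_str(oid)
    if critical:
        body += ber_bool(True)
    if value is not None:
        body += tlv(0x04, value)
    return tlv(0x30, body)


def show_deleted_control(critical: bool = True) -> bytes:
    """ldapsearch -E '!oid' marks the control critical (the server must honour it
    or fail the search); -E 'oid' sends it non-critical."""
    return ldap_control(SHOW_DELETED_OID, critical)


def search_request(msg_id: int, base: str, attrs: list[str], controls: list[bytes],
                   scope: int = 2) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, SearchRequest [APPLICATION 3],
    controls [0] Controls OPTIONAL }, filter fixed to (objectClass=*), which is the
    'present' filter choice, context tag [7]."""
    req = (ber_str(base)                         # baseObject
           + ber_int(scope, 0x0A)                # scope: 0 base, 1 one, 2 sub (-s sub)
           + ber_int(0, 0x0A)                    # derefAliases: neverDerefAliases
           + ber_int(0) + ber_int(0)             # sizeLimit, timeLimit: server defaults
           + ber_bool(False)                     # typesOnly
           + ber_str("objectClass", 0x87)        # Filter present [7] "objectClass"
           + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    msg = ber_int(msg_id) + tlv(0x63, req)       # [APPLICATION 3] SearchRequest
    if controls:
        msg += tlv(0xA0, tlv(0x30, b"".join(controls)))  # [0] SEQUENCE OF Control
    return tlv(0x30, msg)


# A deleted object's RDN is "<original RDN>\nDEL:<objectGUID>".  ldapsearch prints the
# newline as the RFC 4514 hex escape \0A (as in the answer's output); other clients
# return a literal newline, so accept both.
DELETED_RDN = re.compile(r"^CN=(?P<name>.*?)(?:\\0[aA]|\n)DEL:(?P<guid>[0-9a-fA-F-]{36}),")


def parse_deleted_dn(dn: str) -> tuple[str, str] | None:
    """Return (original CN, objectGUID) for a recycle-bin DN, or None for a live object."""
    m = DELETED_RDN.match(dn)
    return (m.group("name"), m.group("guid").lower()) if m else None


if __name__ == "__main__":
    packet = search_request(2, "CN=Deleted Objects,DC=example,DC=com",
                            ["distinguishedName", "lastKnownParent"],   # lastKnownParent: my choice
                            [show_deleted_control(critical=True)])
    print(packet.hex())
    print(parse_deleted_dn("CN=Comnisca\\0ADEL:97f85a86-f326-4df1-b747-4bc9002b28c2,"
                           "CN=Deleted Objects,DC=example,DC=com"))
```

Dumping `packet.hex()` and comparing it with the SearchRequest in a capture of the working ldapsearch run is a quick way to confirm that a client is actually sending the control (and with which criticality) before blaming permissions; once the control is on the wire, the result code tells you which side is at fault. Note that the search itself is ordinary: the control is the only thing that makes the server include isDeleted objects under the Deleted Objects container.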
