Hi
I checked this doc: https://support.microsoft.com/en-us/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-object and it did allow the group I want to view Deleted Objects. However, when they try to actually restore a user/computer account they get an error reading "Insufficient access rights to perform the operation."
When I checked the output from: dsacls "CN=Deleted Objects,DC=*,DC=*,DC=*" /g Domain\Group:LCRP I can see that the group I selected has the same rights as the default Domain\Administrators group has, so I don't think the issue is here. I even went one step further and tried running the command: dsacls "CN=Deleted Objects,DC=*,DC=*,DC=*" /g Domain\Group:GA which grants full control of the Deleted Objects container, and still they receive the same error.
So I'm thinking it's a different permission they are missing. I tried restoring to several different locations in AD, including some OUs where this group has full control, and that didn't help either. I should add that I, as a domain admin, can do this with no issues.
Anyone have an idea what is missing?