System Center Service Manager requires that its service account have read rights to the Deleted Objects container in Active Directory. This allows the SCSM<->AD connector to delete items out of SCSM as they are deleted from Active Directory. The problem is that, by default, not even domain administrators can see the container! There is a way to do it, though, and it is relatively easy.

  • Log in with a domain administrator account
  • Run an elevated command prompt (run as administrator)
  • Run these two commands in your command prompt window:
    • dsacls "CN=Deleted Objects,DC=dcps,DC=duval,DC=us" /takeownership
    • dsacls "CN=Deleted Objects,DC=dcps,DC=duval,DC=us" /G DCPS\scsmsvc:LCRP
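
The same two steps can be run from an elevated PowerShell session and followed by a read-back of the ACL, so you can confirm the service account holds only LCRP (List Contents, Read Property) on the container. This is an added example, not part of the original post; it reuses the container DN and account from the commands above and assumes dsacls reports "The command completed successfully" when a step succeeds.

```powershell
# Added example. Values are the ones used on this page; change them for your domain.
$container = 'CN=Deleted Objects,DC=dcps,DC=duval,DC=us'
$account   = 'DCPS\scsmsvc'

function Invoke-Dsacls {
    param([string[]]$Arguments)
    # Capture stdout and stderr so the result text can be inspected.
    $output = & dsacls.exe @Arguments 2>&1 | ForEach-Object { "$_" }
    # Assumption: dsacls prints this phrase on success.
    if (-not ($output -match 'completed successfully')) {
        throw "dsacls $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    return $output
}

# Step 1: take ownership so the container's ACL can be read and changed.
Invoke-Dsacls -Arguments @($container, '/takeownership') | Out-Null

# Step 2: grant the service account List Contents + Read Property only.
Invoke-Dsacls -Arguments @($container, '/G', "${account}:LCRP") | Out-Null

# Step 3: read the ACL back and show the entries that name the account.
$acl = Invoke-Dsacls -Arguments @($container)
$entries = $acl | Select-String -SimpleMatch $account -Context 0, 2

if (-not $entries) {
    throw "No access control entry for $account was found on $container."
}

# Expect an Allow entry listing only LIST CONTENTS and READ PROPERTY.
$entries | ForEach-Object { $_.ToString() }

# Flag anything broader than read access for this account.
$broad = $entries | Where-Object {
    $_.ToString() -match 'FULL CONTROL|WRITE|DELETE|CREATE'
}
if ($broad) {
    Write-Warning "$account has more than LCRP on the Deleted Objects container; review the ACL."
}
```

Keep the printed entries with your change record so a later audit can compare them against the container's current ACL.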