In the 3.6.1 AD driver docs, there is now a section on changing
permissions on Deleted Objects.

It is a straight rip from the MS doc:

The Novell doc link is:

Section C.0

So, I have never seen that before, and never had to do it.

We are trying with to do this on a 2003 domain, and we cannot find the
CN=Deleted Objects,DC=Doman,DC=com object even when logged in as an
admin who should have rights.

Also, the dsacls.exe we are using does not have the /takeownership flag

Whatzzup with all this? Anyone know?

Is it necessary? When? Why?