}
}
- ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+ /*
+ * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
+ * Also the result of this search not controlled by the client
+ * nor is the result exposed to the client.
+ */
+ ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
+ DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
return ret;