How to remove access to the "deleted objects" AD container using EQModifyDeletedContainerSecurity?
Answer:
Given the following scenario:
- Equitrac Express/Office is configured to synchronize deleted accounts between AD and Equitrac through ADS
- EQModifyDeletedContainerSecurity was executed to grant the service account access to the "deleted objects" AD container
- A new service account has been created and it is decided to remove the access permissions from the "old" service account (in this example, "eqserv")
Follow these steps:
Please note that EQModifyDeletedContainerSecurity with the -p option displays the current permissions on the container, identifying each account by its SID rather than by name, so you need the service account's SID to find its entry.
a-To obtain the service account SID use the following command (in this example we are using eqserv):
C:\Program Files\Equitrac\Express\Tools>wmic useraccount get name,sid | find "eqserv"
eqserv S-1-5-21-3913481255-416801058-1574336354-1118
b-To verify what permissions "eqserv" has over the "deleted objects" AD container (in this case the Domain Controller IP is 10.17.17.155), run the command below and search the output for the "eqserv" SID; the access permissions of that ACE are listed just above the SID:
C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.17.17.155 -p
Control bits: 0x8c14
SE_DACL_AUTO_INHERITED
SE_DACL_PRESENT
SE_SACL_AUTO_INHERITED
SE_SACL_PRESENT
SE_SELF_RELATIVE
Revision: 1
Owner: S-1-5-32-544
Group: S-1-5-18
DACL:
Revision: 0x2
Bytes in use: 88
Bytes free: 0
ACE[0]:
AceType: 0x0 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x0
AceSize: 36
Mask: 0x14
ACTRL_DS_READ_PROP
ACTRL_DS_LIST
Mask: 0x14
SID: S-1-5-21-3913481255-416801058-1574336354-1118
...
...
<.. output has been truncated on purpose .. in this example we can see that the account "eqserv" has READ and LIST permissions over the "deleted objects" AD container ..>
c-To remove the permissions "eqserv" has over the "deleted objects" AD container run the command below:
C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.17.17.155 -r -a eqserv
d-To verify that the access permissions over the "deleted objects" AD container have been removed from the "eqserv" account, run the command below:
C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.17.17.155 -p
This time the "eqserv" SID should no longer be listed in the output.
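The following PowerShell script is an added example and is not part of this article or of the Equitrac tools. It automates steps a, b and d: it resolves the account name to its SID, parses the DACL dump printed by the -p option into one record per ACE, and reports whether any ACE for that SID is still present. The tool path, the DC address 10.17.17.155 and the embedded sample dump (constructed from the step b output above, so the script can be tried without the tool installed) are assumptions.

```powershell
# Added example (not part of the Equitrac KB article): check whether an account's
# SID still appears in the DACL dump printed by EQModifyDeletedContainerSecurity.exe -p.
# Assumptions: tool path, DC address and the constructed sample dump below.
param(
    [string]$Account = 'eqserv',
    [string]$DomainController = '10.17.17.155',
    [string]$ToolPath = 'C:\Program Files\Equitrac\Express\Tools\EQModifyDeletedContainerSecurity.exe',
    [string]$Sid = ''   # optional: skip the lookup (e.g. when the account itself was already deleted)
)

# Step a: resolve an account name to its SID via the .NET NTAccount class
# (same result as the wmic query in the article; also works for domain accounts).
function Get-AccountSid {
    param([string]$Name)
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Parse the "-p" dump into one object per ACE. The dump lists the rights
# (ACTRL_* lines) before the SID, so rights are accumulated until the SID line closes the ACE.
function ConvertFrom-DeletedContainerAcl {
    param([string[]]$Lines)
    $aces = @()
    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^ACE\[(\d+)\]:') {
            if ($current) { $aces += $current }
            $current = [pscustomobject]@{ Index = [int]$Matches[1]; AceType = ''; Mask = 0; Rights = @(); Sid = '' }
        }
        elseif ($null -eq $current) { continue }          # header lines before the first ACE
        elseif ($t -match '^AceType:\s+\S+\s+\((\w+)\)') { $current.AceType = $Matches[1] }
        elseif ($t -match '^Mask:\s+0x([0-9a-fA-F]+)$')  { $current.Mask = [Convert]::ToInt32($Matches[1], 16) }
        elseif ($t -match '^ACTRL_\w+$')                 { $current.Rights += $t }
        elseif ($t -match '^SID:\s+(S-[\d-]+)$')         { $current.Sid = $Matches[1] }
    }
    if ($current) { $aces += $current }
    return $aces
}

# Constructed sample: the truncated dump from step b, used when the tool is not installed.
$sampleDump = @'
Control bits: 0x8c14
    SE_DACL_AUTO_INHERITED
    SE_DACL_PRESENT
Revision: 1
Owner: S-1-5-32-544
Group: S-1-5-18
DACL:
  Revision: 0x2
  ACE[0]:
    AceType: 0x0 (ACCESS_ALLOWED_ACE_TYPE)
    AceFlags: 0x0
    AceSize: 36
    Mask: 0x14
      ACTRL_DS_READ_PROP
      ACTRL_DS_LIST
    Mask: 0x14
    SID: S-1-5-21-3913481255-416801058-1574336354-1118
'@ -split "`r?`n"

if (-not $Sid) {
    try   { $Sid = Get-AccountSid -Name $Account }
    catch { throw "Cannot resolve '$Account' to a SID; pass -Sid explicitly. $_" }
}

# Steps b / d: use the live dump if the tool is present, otherwise the sample above.
$dump = if (Test-Path $ToolPath) { & $ToolPath -s $DomainController -p } else { $sampleDump }
$aces = ConvertFrom-DeletedContainerAcl -Lines $dump

$hits = @($aces | Where-Object { $_.Sid -eq $Sid })
if ($hits.Count -eq 0) {
    Write-Output "No ACE for $Account ($Sid) on the Deleted Objects container: access removed."
} else {
    foreach ($ace in $hits) {
        Write-Output ("ACE[{0}] {1} mask=0x{2:x} grants {3} to {4}" -f `
            $ace.Index, $ace.AceType, $ace.Mask, ($ace.Rights -join ','), $Sid)
    }
}
```

Run it once before step c to confirm the ACE is present (with the sample dump it reports ACE[0] granting ACTRL_DS_READ_PROP and ACTRL_DS_LIST to the eqserv SID) and again after step c, when it should report that no ACE remains. Because the script parses the tool's text output, it only understands the layout shown in step b; if a different version of the tool prints the dump in another format, the regular expressions will need adjusting.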