Kofax

How to remove access to the "deleted objects" AD container using EQModifyDeletedContainerSecurity?

Question: When Equitrac Express/Office has ADS (Active Directory Synchronization) configured to also synchronize deleted accounts, how do you remove the access to the "deleted objects" AD container that was granted with EQModifyDeletedContainerSecurity once the service account that starts the Equitrac services changes?

Answer:

Given the following scenario:

  • Equitrac Express/Office is configured to synchronize deleted accounts between AD and Equitrac through ADS
  • EQModifyDeletedContainerSecurity was executed to grant the service account access to the "deleted objects" AD container
  • A new service account has been created, and the access permissions are to be removed from the "old" service account (in this example, "eqserv")

Follow these steps:

Please note that EQModifyDeletedContainerSecurity with the -p option displays the current permissions on the container and identifies each account by its SID rather than by name, so the SID of the account being checked is needed first.

a-To obtain the SID of the service account, use the following command (in this example the account is eqserv):

     C:\Program Files\Equitrac\Express\Tools>wmic useraccount get name,sid | find "eqserv"

     eqserv                S-1-5-21-3913481255-416801058-1574336354-1118

b-To verify which permissions "eqserv" has over the "deleted objects" AD container (in this example the Domain Controller IP is 10.17.17.155), run the command below and search the output for the "eqserv" SID; the access permissions are listed just above the SID:

     C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.17.17.155 -p

             Control bits: 0x8c14
                     SE_DACL_AUTO_INHERITED
                     SE_DACL_PRESENT
                     SE_SACL_AUTO_INHERITED
                     SE_SACL_PRESENT
                     SE_SELF_RELATIVE
             Revision:     1
             Owner:        S-1-5-32-544
             Group:        S-1-5-18
             DACL:
                     Revision:     0x2
                     Bytes in use: 88
                     Bytes free:   0
                     ACE[0]:
                             AceType:  0x0 (ACCESS_ALLOWED_ACE_TYPE)
                             AceFlags: 0x0
                             AceSize:  36
                             Mask:     0x14
                                     ACTRL_DS_READ_PROP
                                     ACTRL_DS_LIST
                             Mask:     0x14
                             SID:      S-1-5-21-3913481255-416801058-1574336354-1118
     ...
     ...

     <.. output truncated on purpose .. in this example the account "eqserv" has READ and LIST permissions over the "deleted objects" AD container ..>

c-To remove the permissions that "eqserv" has over the "deleted objects" AD container, run the command below:

     C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.17.17.155 -r -a eqserv

d-To verify that the access permissions over the "deleted objects" AD container have been removed from the "eqserv" account, run the command below:

     C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.17.17.155 -p

This time the "eqserv" SID should no longer be listed in the output.
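As an added example (not part of the Kofax article or of the Equitrac tool), the following PowerShell script carries out steps a to d and checks the result instead of relying on reading the listing by eye: it resolves the account to its SID, parses the -p listing for ACE blocks assigned to that SID, removes the grant and re-checks. It assumes the Express install path shown on this page; the DC address and account name are the page's example values and must be adjusted for your environment.

```powershell
# Added example, not from the Kofax article: verify and remove the old service account's
# ACE on the "deleted objects" container using the -p / -r -a options described above.
# Assumptions: Express edition install path as on this page; $Dc and $Account are the
# page's example values (use DOMAIN\name if a local account with the same name exists).
$Tool    = 'C:\Program Files\Equitrac\Express\Tools\EQModifyDeletedContainerSecurity.exe'
$Dc      = '10.17.17.155'
$Account = 'eqserv'

# Step a: account name -> SID (the script's equivalent of "wmic useraccount get name,sid")
$Nt  = New-Object System.Security.Principal.NTAccount($Account)
$Sid = $Nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Walk the -p listing: each ACE[n] block lists its AceType and ACTRL_* rights before the
# "SID:" line, so collect rights per block and keep those whose SID matches the target.
function Get-ContainerRights {
    param([string[]]$Listing, [string]$TargetSid)
    $granted = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Collections.Generic.List[string]
    $aceType = ''
    foreach ($raw in $Listing) {
        $line = $raw.Trim()
        if ($line -match '^ACE\[\d+\]:')          { $current.Clear(); $aceType = ''; continue }
        if ($line -match '^AceType:.*\((\w+)\)')  { $aceType = $Matches[1]; continue }
        if ($line -match '^ACTRL_\w+$')           { $current.Add("$aceType $line".Trim()); continue }
        if ($line -match '^SID:\s+(S-1-[\d-]+)$' -and $Matches[1] -eq $TargetSid) {
            $granted.AddRange($current)
        }
    }
    return $granted | Sort-Object -Unique
}

# Step b: what does the account currently hold on the container?
$before = Get-ContainerRights -Listing (& $Tool -s $Dc -p) -TargetSid $Sid
if (-not $before) { "No ACE for $Account ($Sid) on the deleted objects container; nothing to remove."; return }
"Currently granted to ${Account}:`n  " + ($before -join "`n  ")

# Step c: remove the grant, then step d: confirm the SID no longer appears in the listing
& $Tool -s $Dc -r -a $Account | Out-Null
$after = Get-ContainerRights -Listing (& $Tool -s $Dc -p) -TargetSid $Sid
if ($after) { Write-Error "Rights still present for ${Account}: $($after -join ', ')" }
else        { "Verified: no ACE for $Account ($Sid) remains on the deleted objects container." }
```

Run it from an elevated PowerShell session on the Equitrac server with an account that is allowed to modify the container's security, as for the manual steps.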