Kofax

How to verify if the EQModifyDeletedContainerSecurity was successfully executed?

Question:

With Equitrac Express/Office and ADS (Active Directory Synchronization) configured to also sync deleted accounts, how can you verify that EQModifyDeletedContainerSecurity was executed successfully?

Answer:

In Equitrac Express/Office, if a customer wants to synchronize deleted accounts between AD and Equitrac through ADS, EQModifyDeletedContainerSecurity has to be executed to grant the service account access to the "deleted objects" AD container.

Running EQModifyDeletedContainerSecurity with the -p option displays the current permissions on the container. Each entry identifies the account it applies to by SID, so you need the service account's SID to find its permissions.

To obtain the service account SID, use the following command (in this example the service account is eqservices):

C:\>wmic useraccount get name,sid | find "eqservices"
eqservices        S-1-5-21-1564639199-1733416795-2806472794-1121

To verify which permissions eqservices has on the "deleted objects" AD container (in this case the Domain Controller IP is 10.10.10.13):

C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.10.10.13 -p
        Control bits: 0x8c14
                SE_DACL_AUTO_INHERITED
                SE_DACL_PRESENT
                SE_SACL_AUTO_INHERITED
                SE_SACL_PRESENT
                SE_SELF_RELATIVE
        Revision:     1
        Owner:        S-1-5-32-544
        Group:        S-1-5-18
        DACL:
                Revision:     0x2
                Bytes in use: 88
                Bytes free:   0
                ACE[0]:
                        AceType:  0x0 (ACCESS_ALLOWED_ACE_TYPE)
                        AceFlags: 0x0
                        AceSize:  36
                        Mask:     0x14
                                ACTRL_DS_READ_PROP
                                ACTRL_DS_LIST
                        Mask:     0x14
                        SID:      S-1-5-21-1564639199-1733416795-2806472794-1121

<.. output has been truncated on purpose ..>

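In this case, ACE[0] carries the eqservices SID, is an ACCESS_ALLOWED ACE, and has mask 0x14 (ACTRL_DS_READ_PROP and ACTRL_DS_LIST), so we can see that the account eqservices has READ and LIST permissions over the "deleted objects" AD container.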
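To repeat this check without reading the listing by eye, the following added example (not Kofax code) parses saved -p output and reports whether a given SID holds both READ and LIST. It assumes the output layout shown above and takes the mask bit values from the Windows SDK. It only evaluates ACEs that name the SID directly, so rights granted through group membership are not counted; the second SID and its ACE are constructed for illustration.

```python
import re

# Access-mask bits from the Windows SDK (AccCtrl.h); 0x14 matches the output above.
ACTRL_DS_LIST, ACTRL_DS_READ_PROP = 0x04, 0x10
REQUIRED = ACTRL_DS_LIST | ACTRL_DS_READ_PROP
ACCESS_ALLOWED, ACCESS_DENIED = 0x0, 0x1

def parse_aces(text):
    """Return one dict (AceType, Mask, SID) per ACE[n] block in the -p output."""
    aces = []
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"ACE\[\d+\]:", line):
            aces.append({})
            continue
        m = re.fullmatch(r"(AceType|Mask|SID):\s+(\S+).*", line)
        if m and aces:
            key, val = m.groups()
            aces[-1][key] = val if key == "SID" else int(val, 16)
    return aces

def has_read_and_list(text, sid):
    """True if allow ACEs for sid cover READ_PROP and LIST and no deny ACE for it removes them."""
    allowed = denied = 0
    for ace in parse_aces(text):
        if ace.get("SID", "").upper() != sid.upper():
            continue
        if ace.get("AceType") == ACCESS_ALLOWED:
            allowed |= ace.get("Mask", 0)
        elif ace.get("AceType") == ACCESS_DENIED:
            denied |= ace.get("Mask", 0)
    return (allowed & ~denied & REQUIRED) == REQUIRED

SERVICE_SID = "S-1-5-21-1564639199-1733416795-2806472794-1121"  # eqservices, from the page
OTHER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"    # constructed
# Constructed sample: ACE[0] follows the page's output, ACE[1] is invented (READ_PROP only).
SAMPLE = f"""
        DACL:
                ACE[0]:
                        AceType:  0x0 (ACCESS_ALLOWED_ACE_TYPE)
                        Mask:     0x14
                        SID:      {SERVICE_SID}
                ACE[1]:
                        AceType:  0x0 (ACCESS_ALLOWED_ACE_TYPE)
                        Mask:     0x10
                        SID:      {OTHER_SID}
"""

if __name__ == "__main__":
    for sid in (SERVICE_SID, OTHER_SID):
        print(sid, "OK" if has_read_and_list(SAMPLE, sid) else "MISSING READ/LIST")
```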