How to verify if the EQModifyDeletedContainerSecurity was successfully executed?
Question:
When Equitrac Express/Office has ADS (Active Directory Synchronization) configured to also synchronize deleted accounts, how can you verify that EQModifyDeletedContainerSecurity was executed successfully?
Answer:
In Equitrac Express/Office, if a customer wants to synchronize deleted accounts between AD and Equitrac through ADS, EQModifyDeletedContainerSecurity has to be executed first to grant the ADS service account access to the "Deleted Objects" AD container.
Running EQModifyDeletedContainerSecurity with the -p option displays the current permissions on that container. Accounts in the output are identified only by SID, so you first need the SID of the service account in order to find its entry.
To obtain the service account SID, use the following command (in this example the service account is eqservices):
C:\>wmic useraccount get name,sid | find "eqservices"
eqservices S-1-5-21-1564639199-1733416795-2806472794-1121
To verify which permissions eqservices has over the "Deleted Objects" AD container (in this example the Domain Controller's IP address is 10.10.10.13):
C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.10.10.13 -p
Control bits: 0x8c14
SE_DACL_AUTO_INHERITED
SE_DACL_PRESENT
SE_SACL_AUTO_INHERITED
SE_SACL_PRESENT
SE_SELF_RELATIVE
Revision: 1
Owner: S-1-5-32-544
Group: S-1-5-18
DACL:
Revision: 0x2
Bytes in use: 88
Bytes free: 0
ACE[0]:
AceType: 0x0 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x0
AceSize: 36
Mask: 0x14
ACTRL_DS_READ_PROP
ACTRL_DS_LIST
Mask: 0x14
SID: S-1-5-21-1564639199-1733416795-2806472794-1121
<.. output has been truncated on purpose ..>
In this case the ACE for the eqservices SID is an ACCESS_ALLOWED entry whose mask 0x14 decodes to ACTRL_DS_READ_PROP and ACTRL_DS_LIST, so the account has read-property and list permissions over the "Deleted Objects" AD container, which confirms that EQModifyDeletedContainerSecurity executed successfully. If no ACE with the service account's SID appears in the output, or its mask lacks these two rights, the tool has to be run again.
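Reading the -p output by hand is error-prone when the DACL has many entries. The following script is an added example (not part of the Equitrac tools or of this article): it parses a dump in the format shown above, decodes the mask of every ACE, and reports whether a given SID is granted the two rights the synchronization needs. The access-mask bit values (ACTRL_DS_LIST = 0x4, ACTRL_DS_READ_PROP = 0x10) are the standard Active Directory constants; the sample text embedded in the script is constructed from the article's output, with an extra ACE[1] for a second, made-up SID added so that the negative case can be checked.

```python
import re

# Standard Active Directory access-mask bits (ACTRL_DS_* constants).
ACTRL_DS_LIST = 0x00000004
ACTRL_DS_READ_PROP = 0x00000010
# The rights the article expects: mask 0x14 == ACTRL_DS_READ_PROP | ACTRL_DS_LIST.
REQUIRED_MASK = ACTRL_DS_LIST | ACTRL_DS_READ_PROP

ACCESS_ALLOWED_ACE_TYPE = 0x0
ACCESS_DENIED_ACE_TYPE = 0x1

# Constructed sample: the DACL portion of the article's -p output (ACE[0]) plus a
# made-up ACE[1] for a hypothetical second SID that only has ACTRL_DS_LIST.
SAMPLE_OUTPUT = """DACL:
Revision: 0x2
Bytes in use: 88
Bytes free: 0
ACE[0]:
AceType: 0x0 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x0
AceSize: 36
Mask: 0x14
ACTRL_DS_READ_PROP
ACTRL_DS_LIST
Mask: 0x14
SID: S-1-5-21-1564639199-1733416795-2806472794-1121
ACE[1]:
AceType: 0x0 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x0
AceSize: 36
Mask: 0x4
ACTRL_DS_LIST
Mask: 0x4
SID: S-1-5-21-1564639199-1733416795-2806472794-1122
"""

ACE_HEADER = re.compile(r"^\s*ACE\[(\d+)\]:")


def parse_aces(text):
    """Return one dict per ACE: {'index', 'type', 'mask', 'sid'} read from the dump."""
    aces = []
    current = None
    for line in text.splitlines():
        m = ACE_HEADER.match(line)
        if m:
            current = {"index": int(m.group(1)), "type": None, "mask": None, "sid": None}
            aces.append(current)
            continue
        if current is None:
            continue  # header lines before the first ACE
        s = line.strip()
        if s.startswith("AceType:"):
            current["type"] = int(s.split()[1], 16)   # "0x0 (ACCESS_ALLOWED_ACE_TYPE)"
        elif s.startswith("Mask:"):
            current["mask"] = int(s.split()[1], 16)   # printed twice per ACE; same value
        elif s.startswith("SID:"):
            current["sid"] = s.split()[1]
    return aces


def mask_for(text, sid, ace_type):
    """OR together the masks of every ACE of the given type that names this SID."""
    mask = 0
    for ace in parse_aces(text):
        if ace["sid"] == sid and ace["type"] == ace_type and ace["mask"] is not None:
            mask |= ace["mask"]
    return mask


def decode_mask(mask):
    """Map the two bits this check cares about to their ACTRL_DS_* names."""
    names = []
    if mask & ACTRL_DS_READ_PROP:
        names.append("ACTRL_DS_READ_PROP")
    if mask & ACTRL_DS_LIST:
        names.append("ACTRL_DS_LIST")
    return names


def has_required_access(text, sid):
    """True when the SID is allowed both rights and no deny ACE takes either away."""
    allowed = mask_for(text, sid, ACCESS_ALLOWED_ACE_TYPE)
    denied = mask_for(text, sid, ACCESS_DENIED_ACE_TYPE)
    if denied & REQUIRED_MASK:
        return False
    return allowed & REQUIRED_MASK == REQUIRED_MASK


if __name__ == "__main__":
    for sid in ("S-1-5-21-1564639199-1733416795-2806472794-1121",
                "S-1-5-21-1564639199-1733416795-2806472794-1122"):
        allowed = mask_for(SAMPLE_OUTPUT, sid, ACCESS_ALLOWED_ACE_TYPE)
        print(sid, hex(allowed), decode_mask(allowed), "OK" if has_required_access(SAMPLE_OUTPUT, sid) else "MISSING")
```

To use it against a live system, replace SAMPLE_OUTPUT with the captured text of `EQModifyDeletedContainerSecurity.exe -s <DC> -p` and pass the SID returned by the wmic command. Deny ACEs are checked as well as allow ACEs, because a deny entry for the same SID would override an allow entry and the synchronization would still fail even though a matching allow ACE is present.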