Skip to main content

How to verify if the EQModifyDeletedContainerSecurity was successfully executed?

Article # 3015554 - Page views: 216


With Equitrac Express/Office with ADS (Active Directory Synchronization) configured to also sync deleted accounts, how to verify if the EQModifyDeletedContainerSecurity was successfully executed?


In Equitrac Express/Office, if our customer would like to synchronize deleted accounts between AD and Equitrac through ADS, the EQModifyDeletedContainerSecurity have to be executed to grant access to the service account to the "deleted objects" AD container.

EQModifyDeletedContainerSecurity with option -p would display current permissions on the container, using the account SID to identify the account and its permissions.

To obtain the service account SID use the following command (in this example we are using eqservices):

C:\>wmic useraccount get name,sid | find "eqservices"

eqservices        S-1-5-21-1564639199-1733416795-2806472794-1121

To verify what permissions eqservices has over the "deleted objects" AD container (in this case Domain Controller IP is

C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s -p

        Control bits: 0x8c14






        Revision:     1

        Owner:        S-1-5-32-544

        Group:        S-1-5-18


                Revision:     0x2

                Bytes in use: 88

                Bytes free:   0


                        AceType:  0x0 (ACCESS_ALLOWED_ACE_TYPE)

                        AceFlags: 0x0

                        AceSize:  36

                        Mask:     0x14



                        Mask:     0x14

                        SID:      S-1-5-21-1564639199-1733416795-2806472794-1121

<.. output has been truncated on purpose ..>

In this case we can see that the account eqservices has READ and LIST permissions over the "deleted objects" AD containers.