In Equitrac Express/Office with ADS (Active Directory Synchronization) configured to also sync deleted accounts, how do you verify that EQModifyDeletedContainerSecurity was executed successfully?
In Equitrac Express/Office, if a customer wants to synchronize deleted accounts between AD and Equitrac through ADS, EQModifyDeletedContainerSecurity has to be executed to grant the service account access to the "deleted objects" AD container.
Running EQModifyDeletedContainerSecurity with the -p option displays the current permissions on the container, using the account SID to identify the account and its permissions.
To obtain the service account SID, use the following command (in this example we are using eqservices):
C:\>wmic useraccount get name,sid | find "eqservices"
To verify what permissions eqservices has over the "deleted objects" AD container (in this case the Domain Controller IP is 10.10.10.13):
C:\Program Files\Equitrac\Express\Tools>EQModifyDeletedContainerSecurity.exe -s 10.10.10.13 -p
Control bits: 0x8c14
Bytes in use: 88
Bytes free: 0
AceType: 0x0 (ACCESS_ALLOWED_ACE_TYPE)
<.. output has been truncated on purpose ..>
In this case we can see that the account eqservices has READ and LIST permissions over the "deleted objects" AD container.
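
The check described above, as an added example (not Equitrac's code and not part of the original article): it walks a binary ACL, decodes each allow/deny ACE into a SID string and directory rights, and reports whether a given service-account SID holds READ and LIST. It assumes you already have the container's raw DACL bytes; the SIDs, masks and helper names below are constructed for illustration.

```python
import struct

# Directory-service access-mask bits (ADS_RIGHTS_ENUM); only a subset is named.
DS_RIGHTS = {0x4: "LIST_CONTENTS", 0x10: "READ_PROPERTY", 0x20: "WRITE_PROPERTY",
             0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
REQUIRED = {"LIST_CONTENTS", "READ_PROPERTY"}  # the READ and LIST rights ADS needs

def sid_to_str(b):
    """Binary SID -> 'S-1-5-21-...' string, as printed by wmic."""
    rev, count = b[0], b[1]
    subs = struct.unpack_from("<%dI" % count, b, 8)
    return "S-%d-%d" % (rev, int.from_bytes(b[2:8], "big")) + "".join("-%d" % s for s in subs)

def str_to_sid(s):
    """String SID -> binary form (used only to build the sample ACL)."""
    rev, auth, *subs = (int(p) for p in s.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def make_acl(aces):
    """Build a binary ACL from (ace_type, mask, sid_string) tuples."""
    body = b""
    for ace_type, mask, sid in aces:
        sid_b = str_to_sid(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_b), mask) + sid_b
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body

def parse_acl(acl):
    """Yield (ace_type, sid, rights) for each allow/deny ACE in a binary ACL."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    off = 8
    for _ in range(count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 16 or off + ace_size > min(size, len(acl)):
            raise ValueError("malformed ACE at offset %d" % off)
        if ace_type in (0, 1):  # ACCESS_ALLOWED_ACE_TYPE / ACCESS_DENIED_ACE_TYPE
            mask, = struct.unpack_from("<I", acl, off + 4)
            rights = {name for bit, name in DS_RIGHTS.items() if mask & bit}
            yield ace_type, sid_to_str(acl[off + 8:off + ace_size]), rights
        off += ace_size

def has_read_and_list(acl, sid):
    """True if ACEs naming this SID allow READ and LIST and none deny them.
    Simplification: group membership and ACE order are not evaluated."""
    allowed, denied = set(), set()
    for ace_type, ace_sid, rights in parse_acl(acl):
        if ace_sid == sid:
            (allowed if ace_type == 0 else denied).update(rights)
    return REQUIRED <= allowed - denied

# Constructed sample: SIDs and masks are made up for illustration.
SVC = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = make_acl([(0, 0x000F01FF, "S-1-5-32-544"), (0, 0x14, SVC)])
```

A result of False for the service account means no ACE naming that SID directly grants both rights; access granted through a group the account belongs to is not detected by this check.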