Directory Synchronization Access Permissions

EQModifyDeletedContainerSecurity.exe changes the administrative access permissions on the deleted objects container in a Windows Active Directory, so that Equitrac can access the objects during directory synchronizations.

By default, only Active Directory administrators have access permission. The Windows account running the Equitrac services needs this access if you wish to synchronize deleted accounts between Active Directory and Equitrac. The account running the EQModifyDeletedContainerSecurity.exe command must be an administrator in the Active Directory domain.

See Importing Users with Active Directory Services for more information on configuring Active Directory Synchronization options.

Equitrac installs this utility on the accounting server in the Program Files\Nuance\Equitrac\Tools folder.

The command-line utility accepts commands in the following format:

EQModifyDeletedContainerSecurity.exe <-s server> [-p | (-r -un -pw) -a accountname]

Parameters enclosed in angle brackets < > are mandatory; parameters within square brackets [ ] are optional.

Parameter         Description
-s server         Server name of the Active Directory domain controller.
-p                Display current permissions on the container.
-r                Remove access permissions for the specified accountname.
-a accountname    Account to be granted access to the container. Access permission is removed if specified with the -r option.
-un username      Optional Authentication Admin UserName Credentials.
-pw password      Optional Authentication Admin Password Credentials.

With the -un/-pw parameters, you can supply the credentials of a user who has rights to bind to the Active Directory database. Use them when connecting to a remote domain controller where there is a two-way trust between the CAS domain and the domain where the specified AD database exists, or when connecting to a domain where no trust is set up. They can also be used with a local domain controller; however, this is typically not necessary.
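
The following PowerShell session is an added example, not part of the Equitrac documentation. It records the container permissions, grants access to the service account, and lists only the permission lines the grant added, using the parameters described above. The server name, the account name, the Program Files root, and the meaning of a nonzero exit code are assumptions; -un/-pw are omitted because the session is assumed to run as a domain administrator.

```powershell
# Added example; not Equitrac's own script. Run as an Active Directory domain administrator.
# Placeholders (assumptions): domain controller name and Equitrac service account.
$Server  = 'dc01.example.com'
$Account = 'EXAMPLE\svc-equitrac'

# Install folder as given on this page; the Program Files root is assumed to be the default.
$Tool = Join-Path $env:ProgramFiles 'Nuance\Equitrac\Tools\EQModifyDeletedContainerSecurity.exe'
if (-not (Test-Path -LiteralPath $Tool)) { throw "Utility not found: $Tool" }

function Invoke-EqTool {
    # Hypothetical helper: runs the utility and returns its output as strings.
    param([Parameter(Mandatory)][string[]]$ToolArgs)
    $output = & $Tool @ToolArgs 2>&1 | ForEach-Object { "$_" }
    # Assumption: the utility returns a nonzero exit code on failure.
    if ($LASTEXITCODE -ne 0) {
        throw "Command failed ($LASTEXITCODE): $($ToolArgs -join ' ') : $($output -join '; ')"
    }
    $output
}

# 1. Record the current permissions on the deleted objects container.
$before = @(Invoke-EqTool -ToolArgs '-s', $Server, '-p')

# 2. Grant access to the account that runs the Equitrac services.
Invoke-EqTool -ToolArgs '-s', $Server, '-a', $Account | Out-Null

# 3. Display the permissions again and keep only the lines the grant added,
#    so the change can be reviewed and filed with the change record.
$after = @(Invoke-EqTool -ToolArgs '-s', $Server, '-p')
$added = @($after | Where-Object { $before -notcontains $_ })
if ($added.Count -eq 0) {
    Write-Warning "No new permission lines for $Account; it may already have had access."
} else {
    $added
}

# To withdraw the access later (for example, when the service account is retired):
# Invoke-EqTool -ToolArgs '-s', $Server, '-r', '-a', $Account | Out-Null
```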