When reviewing the Custodian Manager Customer in the EVBAAdmin administration website for Enterprise Vault (EV) Discovery Accelerator (DA), one of the following messages may be seen in the Info section of the Current Status pane:
Message 1:
"Customer Database created. The synchronization account requires List Content and Read Property permissions on the Deleted Objects container in Active Directory. For instructions on how to set the permissions, see the "Installing Discovery Accelerator" chapter of the Installation Guide"
Message 2:
"Customer Database updated to version X.
Before upgrade, the synchronization account did not have Read Property and List Content permissions on the Deleted Objects container in Active Directory. Assign these permissions to ensure that Custodian Manager synchronizes correctly with Active Directory. For instructions on how to set the permissions, see the "Installing Discovery Accelerator" chapter of the Installation Guide."
Per these informational messages, the Synchronization Account used by Custodian Manager requires the List Content and Read Property permissions on the Active Directory Deleted Objects container in order to determine when users have been deleted, so that they can be deactivated and removed from Custodian Manager synchronization. Without these permissions, a deleted user is simply no longer returned by the synchronization query and Custodian Manager cannot distinguish that from a user it was never told about. Note that even if the Synchronization Account already has these permissions, these informational messages are not necessarily cleared and may remain visible as a reminder.
To verify the listed Synchronization Account has the required permissions, simply view the current permissions on the Deleted Objects container:
1. Run the following command in an administrative command prompt on the domain controller where deleted_objects_dn is the distinguished name of the Deleted Objects container (to open an administrative command prompt, click Start, right-click Command Prompt, and then click Run as administrator):
dsacls deleted_objects_dn
For example, if your domain is MyDomain.com, the command would be:
dsacls "CN=Deleted Objects,DC=MyDomain,DC=com"
2. Look for the name of the Synchronization Account in the results. It should be listed with the LIST CONTENTS and READ PROPERTY permissions. dsacls prints each access control entry (ACE) with the identity it was granted to, not the effective rights of a given account, so if the Synchronization Account is not listed by name, check whether a group it belongs to is listed with those permissions instead.
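As an added example (not from the original article or from Veritas), the following PowerShell performs the same check as the dsacls step but resolves group membership, so a right granted to a group the account belongs to is counted. It assumes the ActiveDirectory module, that the Synchronization Account is a user named svc_da_sync in the current domain (change this to your account), and that it runs with Domain Admin rights, since the default ACL on the Deleted Objects container does not let ordinary users read it. If the rights are missing, it prints the dsacls commands that would grant them rather than changing anything.

```powershell
# Added example, not part of the original article: report whether the
# synchronization account (directly or via any group) holds List Contents
# and Read Property on the Deleted Objects container.
Import-Module ActiveDirectory

$SyncSam   = 'svc_da_sync'                       # assumption: the sync account's sAMAccountName
$Domain    = Get-ADDomain
$DeletedDN = "CN=Deleted Objects,$($Domain.DistinguishedName)"

# The container is itself flagged isDeleted and hidden from ordinary searches,
# so -IncludeDeletedObjects is required to read it at all.
$acl = (Get-ADObject -Identity $DeletedDN -IncludeDeletedObjects `
                     -Properties nTSecurityDescriptor).nTSecurityDescriptor

# SIDs the account presents in an access check: its own plus every security
# group it is a transitive member of (tokenGroups is computed by the DC).
$user   = Get-ADUser -Identity $SyncSam -Properties tokenGroups
$mySids = @("$($user.SID)") + @($user.tokenGroups | ForEach-Object {
    if ($_ -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value }
    else                 { "$_" }
})

$LC = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren   # "List Contents" in dsacls
$RP = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$allow = 0; $deny = 0
foreach ($ace in $acl.Access) {
    # Skip inherit-only ACEs (they do not apply to the container itself) and
    # property- or class-specific ACEs, which are narrower than dsacls' LCRP.
    if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
    if ($ace.ObjectType -ne [Guid]::Empty) { continue }
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }                          # orphaned SID that cannot be resolved
    if ($mySids -notcontains $aceSid) { continue }
    # Generic rights (GenericAll, GenericRead) also set the LC and RP bits, so a
    # plain bit test covers them.
    $bits = [int]$ace.ActiveDirectoryRights
    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits } else { $deny = $deny -bor $bits }
}

# A Deny ACE wins over an Allow for the same bit, as in the DC's own evaluation.
$effective = $allow -band (-bnot $deny)
$hasLC = (($effective -band $LC) -ne 0)
$hasRP = (($effective -band $RP) -ne 0)
"{0}: List Contents={1}  Read Property={2}" -f $SyncSam, $hasLC, $hasRP

if (-not ($hasLC -and $hasRP)) {
    $nt = "$($Domain.NetBIOSName)\$SyncSam"
    Write-Warning "Grant the missing rights as a Domain Admin (LC = List Contents, RP = Read Property):"
    # /takeownership is normally needed first because the container's default
    # ACL does not let administrators modify it. The Installation Guide cited
    # in the status message remains the authoritative procedure.
    "dsacls `"$DeletedDN`" /takeownership"
    "dsacls `"$DeletedDN`" /G `"$nt`:LCRP`""
}
```

The script deliberately ignores ACEs scoped to a single property or object class: Custodian Manager needs to read the tombstone attributes of any deleted user, so only an unscoped grant (what dsacls writes for LCRP) is counted as sufficient.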
If the permissions are listed, you can further verify that the Synchronization Account can actually view the contents of the Deleted Objects container. Here are two ways to do this.
Method 1 - ldp.exe
1. Log on to the domain controller as the Synchronization Account. If the account does not have rights to log on to the domain controller, log on as a domain administrator.
2. Open File Explorer and navigate to %WINDIR%\system32.
3. If logged in as the Synchronization Account, double-click ldp.exe. If not logged in as the Synchronization Account, shift-right-click ldp.exe | Run as different user | enter the Synchronization Account's credentials | OK.
4. Go to Connection | Connect | enter the domain controller's information | OK.
5. Go to Connection | Bind | Bind as currently logged on user (or 'Bind with credentials' using the Synchronization Account's credentials) | OK. Verify 'Authenticated as' lists the Synchronization Account in the information pane.
6. Go to Options | Controls | Select 'Return deleted objects' under the Load Predefined drop-down menu | OK.
7. Go to View | Tree | enter the domain information in the BaseDN field in the form DC=domain,DC=root | OK. For example, if your domain is MyDomain.com, the BaseDN would be: DC=MyDomain,DC=com.
8. Expand the domain root | Double-click on the Deleted Objects container (CN=Deleted Objects,DC=...) | Double-click the deleted objects as needed to view any properties.
Method 2 - PowerShell
1. Log on to the domain controller as the Synchronization Account. If the account does not have rights to log on to the domain controller, log on as a domain administrator.
2. If logged in as the Synchronization Account, open PowerShell. If not logged in as the Synchronization Account, go to Start | type PowerShell | right-click the PowerShell (or PowerShell ISE) icon | Run as a different user | enter the Synchronization Account's credentials | OK.
3. The following PowerShell commands will display the Deleted Objects information (edit as indicated):
# To list all deleted users (objectClass filter excludes the Deleted Objects container itself and other deleted object types)
Get-ADObject -Filter {isDeleted -eq $true -and objectClass -eq "user"} -IncludeDeletedObjects -Properties *
# To query a specific deleted user by its username (replace username with the account's sAMAccountName)
Get-ADObject -Filter {SamAccountName -eq "username"} -IncludeDeletedObjects -Properties *
# To query a specific deleted user by its SID
Get-ADObject -Filter {objectSid -eq "S-N-N-NN-NNNNNNNNN-NNNNNNNNNN-NNNNNNNNNN-NNNN"} -IncludeDeletedObjects -Properties *
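An added example (not from the original article or from Veritas) that avoids logging on to the domain controller as the Synchronization Account by passing its credentials with -Credential, and that addresses an ambiguity in the queries above: LDAP does not return "access denied" for objects the caller cannot list or read, it simply omits them, so an empty result as the Synchronization Account does not by itself prove a permission problem. The script therefore runs the same two queries as the current (Domain Admin) user and as the Synchronization Account and compares the results. It assumes the ActiveDirectory module, a sync account named MYDOMAIN\svc_da_sync (change it), and that the PDC emulator is reachable.

```powershell
# Added example, not part of the original article: compare what a Domain Admin
# and the synchronization account each see under the Deleted Objects container.
Import-Module ActiveDirectory

$SyncAccount = 'MYDOMAIN\svc_da_sync'                           # assumption: sync account
$Domain      = Get-ADDomain
$Server      = $Domain.PDCEmulator                              # query one DC for a consistent view
$DeletedDN   = "CN=Deleted Objects,$($Domain.DistinguishedName)"

function Get-DeletedUserView {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Server,
        [pscredential] $Credential                              # omit to run as the current user
    )
    $common = @{ Server = $Server; IncludeDeletedObjects = $true; ErrorAction = 'Stop' }
    if ($Credential) { $common.Credential = $Credential }
    $runAs = if ($Credential) { $Credential.UserName } else { "$env:USERDOMAIN\$env:USERNAME" }

    # Base-scope read of the container itself. Without Read Property on it the
    # DC either withholds the attributes (isDeleted comes back empty) or does
    # not return the entry at all (Get-ADObject throws); both count as failure.
    $containerReadable = $false
    try {
        $c = Get-ADObject @common -Identity $SearchBase -Properties isDeleted
        $containerReadable = ($null -ne $c.isDeleted)
    } catch { $containerReadable = $false }

    # One-level listing of tombstoned user objects: this is the query the
    # synchronization depends on, and it requires List Contents on the container.
    # sAMAccountName and objectSid are preserved on tombstones even without the
    # AD Recycle Bin, so they are safe to select here.
    $users = @()
    try {
        $users = @(Get-ADObject @common -SearchBase $SearchBase -SearchScope OneLevel `
                    -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
                    -Properties sAMAccountName, objectSid, whenChanged)
    } catch { $users = @() }

    [pscustomobject]@{
        RunAs             = $runAs
        ContainerReadable = $containerReadable
        DeletedUsers      = $users.Count
        Sample            = $users | Select-Object -First 3 sAMAccountName, objectSid, whenChanged
    }
}

$cred  = Get-Credential -UserName $SyncAccount -Message 'Synchronization account password'
$admin = Get-DeletedUserView -SearchBase $DeletedDN -Server $Server
$sync  = Get-DeletedUserView -SearchBase $DeletedDN -Server $Server -Credential $cred
$admin, $sync | Format-List

if (-not $sync.ContainerReadable -or $sync.DeletedUsers -lt $admin.DeletedUsers) {
    Write-Warning "$SyncAccount sees less under $DeletedDN than a Domain Admin does; grant List Contents and Read Property as described in the Installation Guide."
} elseif ($admin.DeletedUsers -eq 0) {
    Write-Warning "No deleted users exist within the tombstone lifetime, so the listing comparison is inconclusive; only the container read was verified."
}
```

If the admin run also returns zero deleted users, deleting a throwaway test account and re-running the comparison gives a conclusive result; remember that a tombstone is only kept for the domain's tombstone lifetime (or deleted object lifetime when the Recycle Bin is enabled), after which neither account will see it.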