B.2 Deleted Objects Utility

This utility allows you to enable incremental accounts cache refresh support for a specific domain when the domain access account (for example, the access account) is not an administrator. If the domain access account does not have read permissions on the Deleted Objects container in the domain, DRA cannot perform an incremental accounts cache refresh.

You can use this utility to perform the following tasks:

  • Verify that the specified user account or group has read permissions on the Deleted Objects container in the specified domain

  • Delegate or remove read permissions to a specified user account or group

  • Delegate or remove the Synchronize directory service data user right to a user account

  • Display security settings for the Deleted Objects container

By default, you can run the Deleted Objects Utility from the Program Files (x86)\NetIQ\DRA folder on your Administration server. You can install and run the Deleted Objects Utility on a computer that is not an Administration server. To install this utility, choose custom installation in the setup program. For more information about performing a custom installation, see the Installation Guide.

B.2.1 Required Permissions for Deleted Objects Utility

To use this utility, you must have the following permissions:

If you want to ...                                           You need this permission ...
---------------------------------------------------------    ------------------------------------------------------------------------------------
Verify account permissions                                   Read Permissions access to the Deleted Objects container
Delegate read permissions on the Deleted Objects container   Administrator permissions in the domain where the Deleted Objects container is located
Delegate the Synchronize directory service data user right   Administrator permissions in the domain where the Deleted Objects container is located
Remove previously delegated permissions                      Administrator permissions in the domain where the Deleted Objects container is located
Display security settings for the Deleted Objects container  Read Permissions access to the Deleted Objects container

B.2.2 Syntax for Deleted Objects Utility

DRADELOBJSUTIL /DOMAIN:DOMAINNAME [/DC:COMPUTERNAME] {/DELEGATE:ACCOUNTNAME | /VERIFY:ACCOUNTNAME | /REMOVE:ACCOUNTNAME | /DISPLAY [/RIGHT]}

B.2.3 Options for Deleted Objects Utility

You can specify the following options:

/DOMAIN: domain

Specifies the NETBIOS or DNS name of the domain where the Deleted Objects container is located.

/SERVER: computername

Specifies the name or IP address of the domain controller for the specified domain. The syntax line and Example 4 in this section write this option as /DC.

/DELEGATE: accountname

Delegates permissions to the specified user account or group.

/REMOVE: accountname

Removes permissions previously delegated to the specified user account or group.

/VERIFY: accountname

Verifies permissions of the specified user account or group.

/DISPLAY

Displays security settings for the Deleted Objects container in the specified domain.

/RIGHT

Ensures the specified user account or group has the Synchronize directory service data user right. Use this option together with /DELEGATE to grant the right or with /VERIFY to check it. The Synchronize directory service data user right allows the account to read all objects and properties in Active Directory.

NOTE:

  • If the name of the user account or group you want to specify contains a space, enclose the account name in quotation marks. For example, if you want to specify the Houston IT group, type "Houston IT".

  • When specifying a group, use the pre-Windows 2000 name for that group.

B.2.4 Examples for Deleted Objects Utility

The following examples demonstrate sample commands for common scenarios.

Example 1

To verify that the MYCOMPANY\JSmith user account has read permissions on the Deleted Objects container in the hou.mycompany.com domain, enter:

DRADELOBJSUTIL /DOMAIN:HOU.MYCOMPANY.COM /VERIFY:MYCOMPANY\JSMITH

Example 2

To delegate read permissions on the Deleted Objects container in the MYCOMPANY domain to the MYCOMPANY\DraAdmins group, enter:

DRADELOBJSUTIL /DOMAIN:MYCOMPANY /DELEGATE:MYCOMPANY\DRAADMINS

Example 3

To delegate read permissions on the Deleted Objects container and the Synchronize directory service data user right in the MYCOMPANY domain to the MYCOMPANY\JSmith user account, enter:

DRADELOBJSUTIL /DOMAIN:MYCOMPANY /DELEGATE:MYCOMPANY\JSMITH /RIGHT

Example 4

To display security settings for the Deleted Objects container in the hou.mycompany.com domain using the HQDC domain controller, enter:

DRADELOBJSUTIL /DOMAIN:HOU.MYCOMPANY.COM /DC:HQDC /DISPLAY

Example 5

To remove read permissions on the Deleted Objects container in the MYCOMPANY domain from the MYCOMPANY\DraAdmins group, enter:

DRADELOBJSUTIL /DOMAIN:MYCOMPANY /REMOVE:MYCOMPANY\DRAADMINS
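The checks that the /VERIFY and /RIGHT options describe (read access on the Deleted Objects container, and the Synchronize directory service data user right) can also be reproduced with standard Windows tooling, which is useful for confirming from a second vantage point what the utility reports before and after a delegation. The following PowerShell script is an added example; it is not part of the NetIQ documentation and does not call DRADELOBJSUTIL. It assumes the RSAT ActiveDirectory module, an account that can read the container's security descriptor (the same requirement the permissions table lists for verification), and WinRM access to the domain controller for the user-right check. The function names, the parameter names and the account and server names in the usage lines are the example's own.

```powershell
# Added example, not part of the NetIQ DRA documentation or the utility.
# Reproduces the two checks described for /VERIFY and /RIGHT.
#Requires -Modules ActiveDirectory

function Get-PrincipalSids {
    # Returns the account's own SID plus every group SID from tokenGroups,
    # so read access granted through (nested) group membership is recognised.
    param([string]$Account, [hashtable]$AdParams = @{})
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" @AdParams
    if (-not $obj) { throw "Account $Account was not found in the domain" }
    # tokenGroups is a constructed attribute, so it must be read with a base-scope lookup.
    $groups = (Get-ADObject -Identity $obj.DistinguishedName -Properties tokenGroups @AdParams).tokenGroups
    $groupSids = @($groups | ForEach-Object {
        if ($_ -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($_, 0) }
        else { [System.Security.Principal.SecurityIdentifier]$_ }
    })
    return @($sid) + $groupSids
}

function Test-DeletedObjectsRead {
    # Checks whether the account holds List Children and Read Property on the
    # Deleted Objects container, the read access the utility's /VERIFY option checks.
    # Simplification: only ACEs that apply to the whole object (empty ObjectType)
    # are evaluated; property-specific ACEs are ignored.
    param([string]$Domain, [string]$Account, [string]$Server)
    $adParams = @{}
    if ($Server) { $adParams['Server'] = $Server }   # same role as the utility's /DC option
    $domainDn  = (Get-ADDomain -Identity $Domain @adParams).DistinguishedName
    $container = "CN=Deleted Objects,$domainDn"
    # The container is hidden; -IncludeDeletedObjects sets the Show Deleted control needed to read it.
    $obj = Get-ADObject -Identity $container -IncludeDeletedObjects -Properties nTSecurityDescriptor @adParams
    $rules = $obj.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $mine = Get-PrincipalSids -Account $Account -AdParams $adParams
    $needed = [int]([System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    $allowed = 0; $denied = $false
    foreach ($r in $rules) {
        if ($mine -notcontains $r.IdentityReference) { continue }
        if ($r.ObjectType -ne [guid]::Empty) { continue }
        $bits = [int]$r.ActiveDirectoryRights
        if ($r.AccessControlType -eq 'Deny' -and ($bits -band $needed)) { $denied = $true }
        elseif ($r.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $bits }
    }
    # GenericRead already contains both required bits, so a plain bit test covers it.
    $hasRead = (-not $denied) -and (($allowed -band $needed) -eq $needed)
    [pscustomobject]@{ Account = $Account; Container = $container; HasRead = $hasRead; ExplicitDeny = $denied }
}

function Test-SyncAgentPrivilege {
    # Exports the domain controller's effective user-rights assignment with secedit
    # and reports whether the account's SID is listed directly for
    # SeSyncAgentPrivilege (the "Synchronize directory service data" right).
    # Only direct assignment is detected; a right granted via a group is not resolved here.
    param([string]$Account, [string]$Server)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $line = Invoke-Command -ComputerName $Server -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $m = Select-String -Path $cfg -Pattern '^SeSyncAgentPrivilege' | Select-Object -First 1
        Remove-Item $cfg -ErrorAction SilentlyContinue
        if ($m) { $m.Line } else { '' }
    }
    if (-not $line) { return $false }   # right assigned to nobody
    # Exported entries look like: SeSyncAgentPrivilege = *S-1-5-21-...-1105,*S-1-5-32-544
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($holders -contains $sid -or $holders -contains $Account)
}

# Usage with constructed names that mirror the documentation's examples:
# Test-DeletedObjectsRead -Domain hou.mycompany.com -Account 'MYCOMPANY\JSmith' -Server HQDC
# Test-SyncAgentPrivilege -Account 'MYCOMPANY\JSmith' -Server HQDC
```

Run the read check once before delegating and once afterwards; a result with HasRead set to True and ExplicitDeny set to False corresponds to the state the utility's /VERIFY option is meant to confirm. Because the user-right check reads the security database on the domain controller itself, run it against the same controller the domain access account will use.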