What permissions are being set in AD by running DraDelObjsUtil.exe and DraRecycleBinUtil.exe?

  • 7015307
  • 01-Jul-2014
  • 27-Jan-2015

Environment

NetIQ Directory & Resource Administrator 8.5.x
NetIQ Directory & Resource Administrator 8.6.x
NetIQ Directory & Resource Administrator 8.7.x

Situation

What permissions are being set in AD by running DraDelObjsUtil.exe and DraRecycleBinUtil.exe?

Resolution

The DRA Deleted Objects utility grants the specified user or group the following ACLs on the Active Directory Deleted Objects container:

Special Access
Read Permissions
List Contents
Read Property
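The following PowerShell is an added example and is not part of the NetIQ article or the DRA utilities: it reads the ACL of the Deleted Objects container and reports whether a given account holds the three rights listed above, which is useful both for confirming the utility worked and for auditing who has been granted read access to this normally System-only container. It assumes the ActiveDirectory module, an account that can read the container's security descriptor (for example a member of Domain Admins, the default owner), a placeholder account name, and my own mapping of the listed rights onto ActiveDirectoryRights flags (Read Permissions = ReadControl, List Contents = ListChildren, Read Property = ReadProperty).

```powershell
# Added example, not from the NetIQ article. Audits the Deleted Objects
# container ACL for the rights the DRA Deleted Objects utility grants.
Import-Module ActiveDirectory

# Assumed mapping of the article's right names onto ActiveDirectoryRights.
$RequiredRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadControl -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Get-DeletedObjectsContainerAcl {
    param([string]$Server)
    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    # The container is hidden from normal searches; -IncludeDeletedObjects exposes it.
    $params = @{
        Identity              = $domain.DeletedObjectsContainer
        IncludeDeletedObjects = $true
        Properties            = 'nTSecurityDescriptor'
    }
    if ($Server) { $params.Server = $Server }
    return (Get-ADObject @params).nTSecurityDescriptor
}

function Test-DeletedObjectsAccess {
    param([Parameter(Mandatory)][string]$Identity, [string]$Server)
    $acl = Get-DeletedObjectsContainerAcl -Server $Server
    # Resolve the account to a SID so group and user names compare reliably.
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $granted = [System.DirectoryServices.ActiveDirectoryRights]0
    foreach ($ace in $acl.GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])) {
        # Only explicit or inherited Allow entries for this SID count toward access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference -eq $sid) {
            $granted = $granted -bor $ace.ActiveDirectoryRights
        }
    }
    $missing = $RequiredRights -band (-bnot $granted)
    [pscustomobject]@{
        Identity          = $Identity
        Granted           = $granted
        HasRequiredRights = ($missing -eq 0)
        Missing           = $missing
    }
}

# Usage: replace the placeholder with the DRA Domain Access account.
Test-DeletedObjectsAccess -Identity 'CONTOSO\svc-dra-access'
```

Deny entries are ignored on purpose; if the account shows HasRequiredRights as true but DRA still cannot enumerate the container, check for a Deny ACE on the same trustee or one of its groups.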

Cause

When DRA runs an Incremental Accounts cache refresh, it must be able to determine whether an AD object within a managed domain has been deleted. To do this, DRA queries the Active Directory Deleted Objects container to list all objects. By default, only the System account of each AD domain has access to this container. DRA provides the Deleted Objects utility as a method of granting access to the container.

Additional Information

Note: Before the DRA Deleted Objects utility can be run, the user running it must already have permissions on the Deleted Objects container in AD. The utility must be run locally on any DRA server, once for every managed domain. By default, only the owner of the container and the domain System account have rights to modify its permissions, and the default Active Directory configuration sets the Domain Admins group as the owner.

The DRA Deleted Objects utility only needs to be run if the Domain Access account does not already have access to the AD Deleted Objects container.