Forum Discussion

Donnal_Spence's avatar
Donnal_Spence
Level 4
11 years ago

Archive Permission

I need to find permissions that where added to an archive via the EV management console. I have over 20k archives so using permissionbrowser.exe is not an option. Anyone have a utility or sql script that can help me out?

Enterprise Vault
Information Governance
Windows Server (2003-2008)
  • EV_Ajay's avatar
    EV_Ajay
    11 years ago

    Hi Donnal,

    Please try following SQL Script : 

    Use EnterpriseVaultDirectory

    Select AA.ArchiveName,  RT.VaultEntryId AS ArchiveID, ac.ACEType as PermissionType, TT.SID from Archive AA

    Inner join ACE AC

    on aa.RootIdentity = ac.RootIdentity

    Inner join Trustee TT

    ON  TT.TrusteeIdentity = AC.TrusteeIdentity

    INNER JOIN Root RT

    ON RT.RootIdentity = AA.RootIdentity

     

    ---Archive those don't have permission would not come in this list. PermissionType '0' mean archive have only Automactic permission, 1 mean only manual permssion via VAC (in case of shared/fileserver/PF), 2 mean it has combination of automatiac/manual permission.

    --It will also not give granular information such permission level such read/write/delete or Deny/allow.

    --These SID can be taken in excel sheet and You may need to run other powershell/AD script for user/group with associated SID then need to compare (need to do some research in google to findout any easy way to get SID with user/group)

     

9 Replies

Sort By
  • GabeV's avatar
    GabeV
    Level 6
    11 years ago

    Hello Donnal,

    Unfortunately, the archive permissions are encrypted in the Enterprise Vault Directory database in binary format. Even though if you can read the permissions using a SQL query, you won't be able to determine what user has permissions over the archive. There is another thread where this issue was discussed befoire, I'll try to find out the link.

  • GabeV's avatar
    GabeV
    Level 6
    11 years ago

    Here is the link

    https://www-secure.symantec.com/connect/forums/sql-query-6

    I hope this helps.

  • EV_Ajay's avatar
    EV_Ajay
    Level 6
    11 years ago

    Hi Donnal,

    Please try following SQL Script : 

    Use EnterpriseVaultDirectory

    Select AA.ArchiveName,  RT.VaultEntryId AS ArchiveID, ac.ACEType as PermissionType, TT.SID from Archive AA

    Inner join ACE AC

    on aa.RootIdentity = ac.RootIdentity

    Inner join Trustee TT

    ON  TT.TrusteeIdentity = AC.TrusteeIdentity

    INNER JOIN Root RT

    ON RT.RootIdentity = AA.RootIdentity

     

    ---Archive those don't have permission would not come in this list. PermissionType '0' mean archive have only Automactic permission, 1 mean only manual permssion via VAC (in case of shared/fileserver/PF), 2 mean it has combination of automatiac/manual permission.

    --It will also not give granular information such permission level such read/write/delete or Deny/allow.

    --These SID can be taken in excel sheet and You may need to run other powershell/AD script for user/group with associated SID then need to compare (need to do some research in google to findout any easy way to get SID with user/group)

     

  • GabeV's avatar
    GabeV
    Level 6
    11 years ago

    Is that the same post from this link?

    https://www-secure.symantec.com/connect/forums/need-some-script-or-way-extract-list-users-each-vaults

  • EV_Ajay's avatar
    EV_Ajay
    Level 6
    11 years ago

    Hi Donnal,

    Have you run the script. If you face issue , please let me know.

     

  • EV_Ajay's avatar
    EV_Ajay
    Level 6
    11 years ago

    Hi Donnal,

    Have you got the required result.

    Please let us know.

     

  • Donnal_Spence's avatar
    Donnal_Spence
    Level 4
    11 years ago

    Yes with this query and pulling all SID's from AD I was able to get the information I needed. Thanks for your help with this. 

  • EV_Ajay's avatar
    EV_Ajay
    Level 6
    11 years ago

    Hi Donnal,

    Thanks for your reply.

    Could you mark as solution for the comment which help you to solve your issue.