Forum Discussion

Donnal_Spence
12 years ago

Archive Permission

I need to find permissions that were added to an archive via the EV management console. I have over 20k archives so using permissionbrowser.exe is not an option. Anyone have a utility or SQL script that can help me out?

  • Hi Donnal,

    Please try the following SQL script:

    USE EnterpriseVaultDirectory;

    -- One row per access-control entry on each archive
    SELECT AA.ArchiveName,
           RT.VaultEntryId AS ArchiveID,
           AC.ACEType      AS PermissionType,
           TT.SID
    FROM Archive AA
    INNER JOIN ACE AC     ON AA.RootIdentity = AC.RootIdentity
    INNER JOIN Trustee TT ON TT.TrusteeIdentity = AC.TrusteeIdentity
    INNER JOIN Root RT    ON RT.RootIdentity = AA.RootIdentity;

    --- Archives that don't have permissions will not appear in this list. PermissionType '0' means the archive has only automatic permissions, 1 means only manual permissions via VAC (in the case of shared/fileserver/PF), 2 means it has a combination of automatic/manual permissions.

    -- It will also not give granular information such as the permission level (read/write/delete) or Deny/Allow.

    -- These SIDs can be exported to an Excel sheet; you may need to run another PowerShell/AD script to get the users/groups with their associated SIDs and then compare them (you will need to do some research on Google to find an easy way to get the SID for each user/group).
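
The SID-to-account step mentioned in the reply above, as an added example that is not part of the original post: it resolves each SID from the query output to a user or group name and flags the ones that no longer resolve. It assumes the SID column is exported in string form (S-1-...); the sample rows, archive IDs and the CSV file name are constructed.

```powershell
# Constructed sample rows standing in for the query output exported to CSV.
# Assumption: the SID column holds string-form SIDs (S-1-...).
$rows = @'
ArchiveName,ArchiveID,PermissionType,SID
Finance Shared,CONSTRUCTED-ARCHIVE-ID-1,1,S-1-5-32-544
Jane Doe,CONSTRUCTED-ARCHIVE-ID-2,2,S-1-5-21-1111111111-2222222222-3333333333-1105
Jane Doe,CONSTRUCTED-ARCHIVE-ID-2,0,S-1-5-18
'@ | ConvertFrom-Csv
# For real data: $rows = Import-Csv .\ArchivePermissions.csv   (hypothetical file name)

$cache = @{}   # each distinct SID is looked up once, however many archives use it

function Resolve-SidToAccount {
    param([string]$Sid)
    if ($cache.ContainsKey($Sid)) { return $cache[$Sid] }
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Valid SID, but no account answers for it (deleted account, unreachable domain)
        $name = '<unresolved>'
    }
    catch {
        # Value could not be parsed as a SID at all
        $name = '<invalid SID value>'
    }
    $cache[$Sid] = $name
    return $name
}

# PermissionType meanings as described in the post above
$typeText = @{ '0' = 'Automatic only'; '1' = 'Manual only'; '2' = 'Automatic + manual' }

$report = foreach ($r in $rows) {
    [pscustomobject]@{
        ArchiveName    = $r.ArchiveName
        ArchiveID      = $r.ArchiveID
        PermissionType = $typeText[$r.PermissionType]
        SID            = $r.SID
        Account        = Resolve-SidToAccount -Sid $r.SID
    }
}

# Keep only entries that include a manually added permission (types 1 and 2)
$report | Where-Object { $_.PermissionType -ne 'Automatic only' } | Format-Table -AutoSize
```

Rows reported as `<unresolved>` are worth reviewing separately, since they are access-control entries for accounts that the machine running the script cannot map to a name.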

     

  • Hello Donnal,

    Unfortunately, the archive permissions are encrypted in the Enterprise Vault Directory database in binary format. Even if you can read the permissions using a SQL query, you won't be able to determine what user has permissions over the archive. There is another thread where this issue was discussed before; I'll try to find the link.

  • Here is the link

    https://www-secure.symantec.com/connect/forums/sql-query-6

    I hope this helps.

  • Is that the same post from this link?

    https://www-secure.symantec.com/connect/forums/need-some-script-or-way-extract-list-users-each-vaults

  • Hi Donnal,

    Have you run the script? If you face any issue, please let me know.

     

  • Hi Donnal,

    Have you got the required result?

    Please let us know.

     

  • Yes, with this query and pulling all SIDs from AD I was able to get the information I needed. Thanks for your help with this.

  • Hi Donnal,

    Thanks for your reply.

    Could you mark the comment which helped you solve your issue as the solution?