Carmila_Fresco
19 years ago

Automatically set permissions

How do you remove automatically set permissions?

I have 1 user wherein instead of just having that user listed in the permissions page, there are a lot more accounts/groups listed there. If I try to delete the other accounts/groups, it tells me that the permissions cannot be removed as it has automatically set permissions associated with it.

This is on EV v6sp1.

Thanks,
Carmila
7 Replies

  • If you go into Active Directory Users and Computers, in the properties of that user account and select Exchange Advanced/Mailbox Rights, you will see accounts with permissions to that user's mailbox.

    The greyed out checkboxes are permissions that were inherited from above.
    Enterprise Vault does not sync those permissions.
    The white check boxes that are NOT greyed out are explicitly set perms on that user's mailbox.

    Those are the perms that Enterprise Vault Auto Syncs to the Archive Permissions tab.

    Usually, most mailboxes just have SELF explicitly set, so only the user account appears in the Perms tab of the Archive.

    In the case of the user with multiple accounts listed in the Archive Perms tab, check to see if those accounts listed have been issued Explicitly Set Perms in Mailbox Rights for that user.
  • The only permissions that were explicitly set are for the user and self. Everything else is inherited; however, I see those permissions in the user's vault archive.

    Any other ideas?

    Thanks,
    Carmila
  • Can you check the Inherited Permissions in the advanced tab of the Exchange Policy for mailboxes?

    If that is set to Off, check the registry for this reg key:

    1. On the Archiving Service computer, start the registry editor and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\KVS\Enterprise Vault\Agents

    2. Create a new DWORD entry called IncludeInheritedRights with a value of 1.

    3. Restart the Archiving Service.

    The possible values for IncludeInheritedRights are:

    • 0 to exclude inherited permissions

    • 1 to include inherited permissions
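
A read-only way to perform the registry check suggested in the reply above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later is available on the Archiving Service computer; the function name `Get-IncludeInheritedRights` is hypothetical, and only the key path and value name come from the post.

```powershell
# Added example: read-only check for the IncludeInheritedRights value.
# Nothing is created or changed in the registry.
function Get-IncludeInheritedRights {
    param(
        # Key path as given in the post; pass a scratch key to try the function safely.
        [string]$KeyPath = 'HKLM:\Software\KVS\Enterprise Vault\Agents'
    )

    $result = [pscustomobject]@{
        KeyPath = $KeyPath
        State   = 'KeyMissing'
        Value   = $null
        Meaning = 'Agents key not found on this computer'
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $result }

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains 'IncludeInheritedRights') {
        $result.State   = 'ValueAbsent'
        $result.Meaning = 'No IncludeInheritedRights entry, so no registry override is present'
        return $result
    }

    # The post specifies a DWORD; a string "1" created by mistake is reported, not trusted.
    $kind = $key.GetValueKind('IncludeInheritedRights')
    $result.Value = $key.GetValue('IncludeInheritedRights')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.State   = 'WrongType'
        $result.Meaning = "Entry exists but is of type $kind, not DWORD"
        return $result
    }

    switch ($result.Value) {
        0       { $result.State = 'Exclude';    $result.Meaning = 'Inherited permissions are excluded' }
        1       { $result.State = 'Include';    $result.Meaning = 'Inherited permissions are included' }
        default { $result.State = 'Unexpected'; $result.Meaning = 'Value is neither 0 nor 1' }
    }
    return $result
}

Get-IncludeInheritedRights | Format-List
```
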
  • It's off.

    For some weird reason, this has happened to only 1 user so far.

    I guess I'll have to set IncludeInheritedRights to 0 then since I don't want inherited permissions.

    Thanks,
    Carmila
  • You will not need to set the registry key if it is set to off. I just wanted you to check to see if it was there, as it could have overridden the policy setting.

    I would recommend you zap the permissions and then re-synch.

    There is info on this in the admin help under the Policy Manager section.

    To zap, use an EVPM script like this one:

    DirectoryComputerName = Vaultserverthathostsdirectoryservice
    Sitename = sitenamefromadminconsole

    DistinguishedName = /o=organization/ou=mailboxou/cn=Recipients/cn=mailboxcname

    ArchiveName = archiveid of affected user. This is available on the property page of the archive
    Zap = true
  • Just to update the content on this one, the IncludeInheritedRights had been moved out of registry and into the VAC under the Archiving General Settings with the setting Inherited Permissions. When it's on the vault will inherit the permissions from Exchange and when it's off they won't.

    The other setting of relevance is Synchronize Folder Permissions which controls if the delegated rights set within Outlook are also synchronised, normally set to off but beware if you do set this, you might find that lots of users have set up delegated rights in the past and forgotten about them, which could mean some users suddenly gain access to vaults they wouldn't expect to. Obviously this depends upon your environment but I'd say use this one with care.

    Glenn