An account that had it's mailbox archived has been deleted. In the Enterprise Console the account shows up with the Unknown Account & SID. I have tried adding a system account with the permission to get to the vault but each time get a warning window stating Please enter an existing Windows Account Name. This, I assume is because I have left the deleted account SID with permissions, so I try to remove the account permissions and get the error, Account cannot be removed as it has automatically set permissions associated with it.Q. How do I specify a different account with permissions to this users Archive and then remove the old account SID from it?TIA,Paul

Change the Bill to Account for the Archive to something other than what it is, i.e. the Vault service account.Then you will be able to add permissions.

If you set a manual deny permission on the archive for that one user it will override the automatically set grant.

You can remove all auto permissions with an EVPM script but if the mailbox is no longer there then you cannot synchronize any permissions from there so you will have to manually assign permissions to the archive once you have removed them.http://support.veritas.com/docs/280196

HiThanks for the reply. This will certainly do what I require with one caveat, it looks as though this will do it at the vault level, the mbx itself is in a vault with several other user's archived mbx's . Is there any way of stripping out the automatically set permissions at the mailbox level?You have pointed me in the right direction and I have now picked up on the EVPM helpfile on our EV server. In one of the examples below, it shows that you can specify a DN. In short, can I target a single mailbox in a vault containing several and strip only it's permissions?Thanks again,PaulDIRECTORYCOMPUTERNAME = OURSERVERSITENAME = CC_Site1DISTINGUISHEDNAME = /O=ACME/OU=DEVELOPER/CN=RECIPIENTS/CN=SUES;-------------EDIT----------------; 3. Remove existing user permissions on an existing folder;Name = \Existing FolderMailboxDN = /O=ACME/OU=DEVELOPER/CN=RECIPIENTS/CN=SUES;; Remove existing users;ExchangePermissions = -; Tom Sawyer; Mark Twain

Hi Tony, Thanks, this got around what now appears to be a two-part question. I have now successfully added our Service Account with full granted permissions on the target mbx archive.Paul

Have just tested on my system and Tony's suggestion works. Also the technote that I sent will only strip the permissions for one archive even though it specifies vaultname instead of archive name

Deleted Account

17 Replies

Stormonts
Level 5
17 years ago
Does running the script that you listed only remove the "Account Unknowns" or does it zap all legitimate permissions from mailboxes as well?

If you zap the archive then all of the permissions including the unknown should be removed. A sample script that we use to perform this task is:

[Directory]
DirectoryComputerName   = ServerXXX
Sitename    = EVSiteXXX

[VaultPermissions]
vaultname= VaultXXX
zap     = True
TonySterling
Moderator
17 years ago
It will remove all of them but then when you synchronize your users the legitimate permissions will re-populate.
Stormonts
Level 5
17 years ago
I'm trying this script using out settings:

[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault

[VaultPermissions]
vaultname = IMS Vault Store
zap     = True

But I'm getting the following error:

Creating privileged MAPI session ...

Parsing input file: c:\tools\evault\zap_all.ini

Error parsing command file: c:\tools\evault\zap_all.ini, error follows:

Line number in error:   6
Section in error:   VaultPermissions
Attribute in error: vaultname
Value in error:     IMS Vault Store
TonySterling
Moderator
17 years ago
You are getting that b/c it appears you are putting the name of the Vault Store and not an Archive.

If you want to do all the archive you can refer to the Utilities guide in the Policy Manager section for more details, but here is the excerpt:

ArchiveName
Mandatory. Identifies the archive to which the permission settings are applied.
If there are multiple folders with the same name and you specify a name, Policy Manager modifies only the first one that it finds. In this case, you must use archive IDs to specify the archives.
Possible values:
The name of an archive
An archive ID
ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
ALL_JOURNAL (permissions are applied to all journal archives)
ALL_SHARED (permissions are applied to all shared archives)
ALL_MAILBOX (permissions are applied to all mailbox archives)
Stormonts
Level 5
17 years ago
I now ran:

[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault

[ArchivePermissions]
ArchiveName = ALL_MAILBOX
zap = True

And it processed through all of the archives, but the "Account Unknown" SID is still in each account. I tried to synch mailbox permissions, but that didn't change anything.
TonySterling
Moderator
17 years ago
After you ran the zap and before you ran the synch did you check the permissions?
Stormonts
Level 5
17 years ago
Ran this script in EVPM:

[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault

[ArchivePermissions]
ArchiveName = ALL_MAILBOX
zap = True

Screen then says:

"Processing permissions for the archive: Smith, Mark (IMS)"
"Processing permissions for the archive: Doe, John (IMS)"

Before permission sync or provisioning, I looked at the security for a couple of the accounts that were supposedly processed but the "Account Unknown" is still there.

Forum Discussion

Deleted Account

17 Replies

Related Content

Delete Symantec account

S3 bucket deleting Access 3350

Backup Exec 15 - How to delete/replace System Logon Account

VOX Accounts

Delete after making copies in Oracle Archive Logs backup

Recent Discussions

EV Client Reset for MAC book

Attachments in Mails - EnterprsieVault

Enterprise Vault MPIP encrypted email decryption is not working

Defender 365 detecting malware in a CAB/DVSSP file

Broken link