Forum Discussion

aRandomVOX's avatar
aRandomVOX
Level 3
11 months ago

EVPM - Unable to ZAP Permissions. No exchange server in the environment.

Hello, we have a bit of a unique environment and I'm struggling with a requirment.

We want to remove all(most) of the permissions from the mailbox archives.

The permissions are "automatically set" so can't be removed simply from the console.

This is a restored/recovered EV environment from after a randsomware incident that affected the entire company windows landscape.

Post recovery of the greater environment (Active Directory, Business Critical Servers,etc), we pivoted directly to O365 and never restored or rebuilt the original exchange server.

It seems like everything I've read points to requiring Exchange to be in place for EVPM to do it's job.

Is there any way to strip permissions from mailbox archives, maybe in SQL where I don't need to lean on an actual exchange server?

  • So it has been a while, but have you tested this. There is always a little confusion around the zapping functionality. There is a zapping of the mailbox... which naturally requires Exchange connectivity and then there is the zapping of the archive, which is used to remove all permissions associated at the archive or archive folder level of the archive. 

    IIRC, that latter did not require Exchange server connectivity to run and remove archive permissions... as there is a valid use case where you could have the permissions locked out and no longer have the Exchange server or. 

    I do believe this data is stored in the DB but would not recommend trying to hack it out without support guidance. 

    Here is a KB on how to try to set up the zap and it appears that a PS commandlet was added in 12.4 to do it too:

    https://www.veritas.com/support/en_US/article.100017306

     

     

  • Thank you for the reply!

    I do understand the differences in zapping mailbox vs archive and I'm trying to acheive Archive zapping.

    I would also have thought that performing a zap would not rely on the exchange server, but all my errors thus far compain about mapi sessions against the exchange server.

    The PS commands are for "manually" set permissions. And do not effect the "automatically" set permissions that seem to have been inherited from exchange.

    I did notice in reviewing the article agian that it claims the [ArchivePermissions] section was introduced in 14.1

    I am using 14.0

    However the article outline EVPM syntax (which includes [ArchivePermissions] is under a subheading for EV 12.4

    So I don't know. Support tried to float the idea of spinning up an exchange server, but there's no appetite for that in this environment.

    If upgrading to 14.1 will get me the functionality I'm looking for. I think that would be doable.

    • GertjanA's avatar
      GertjanA
      Moderator

      Hi,

      [ArchivePermissions] section, introduced in Enterprise Vault 14.1, replaces the earlier [VaultPermissions] section. Existing scripts containing a [VaultPermissions] section will still work, but it is recommended to use [ArchivePermissions] in all new scripts.

      I assume your INI file looks like this:

      [Directory]
      DirectoryComputerName=kvsvault
      SiteName=archivesite

      [ArchivePermissions]
      ArchiveName=John Doe
      Zap=True

      --

      Instead of using the ArchiveName, use the archiveid, which is on the Advanced Tab of the archive properties.

      For the powershell, see this  KB. At the bottom, it shows variable AutoGranted, which should be used to edit Automatically Set permissions.

  • That is correct. My ini file looks like that.
    I was using the ArchiveID
    And I tried changing ArchivePermissions to VaultPermissions just in case.
    Same errors.

    I am reviewing the Article now and will make an attempt at using PS again.

    If you happen to know the syntax off the top of your head for a remove all auto-granted permissions from the particular Archive one liner, that would be awesome.

  • "This cmdlet only removes the manually set permissions. You cannot use this cmdlet to remove the automatically set permissions."

    Where you see AutoGranted mentioned, it's specifying the details that are displayed with the Get commands.

    The remove Commands are limited to "manually set permissions:

    So I'm still stuck. I was able to find an older article where a user pointed to a SQL query but if it did work previously, it no longer works as the column that would affect permissions cannot be set to null.

    If I can determine the hash of a specific user that I'm OK with have access to all archives and replace the existing permissions with that (as opposed to being null)

    I hate to have to even consider this.

    Edit: and I am still working with support but they are slow to provide anything actionable.