Forum Discussion

NaturesRevenge
12 years ago

EVPM and Vault permissions "zap"

This tech article is straight forward and I have used it successfully in the past:

http://www.symantec.com/business/support/index?page=content&id=TECH44818


Our environment has changed a little bit, and I'm struggling to successfully zap permissions.

EV 904 and Exchange 2007 were originally in DomainA. EV 904 continues to be in DomainA, but all mailboxes have moved to Exchange 2010 in DomainB. (Linked mailboxes, linked back to the original AD user objects in DomainA). There is a two-way transitive trust between DomainA and DomainB.

There is a subset of mailboxes that I inherited full vault permissions to, due to "full access" assigned to the mailbox. These mailboxes now exist in DomainB, and are also disabled. I'm not having success with my EVPM syntax.

This ends successfully but does not "zap" the permissions like I need it to:

evpm.exe" -e <Exchange2007MailboxServer in DomainA> -m SA-EVault -f ZapSpecificVaultPerms.ini


This produces "Error creating privileged MAPI session"

evpm.exe" -e <Exchange2010CASArray in DomainB> -m SA-EVault -f ZapSpecificVaultPerms.ini


Same error with this syntax:

evpm.exe" -e <Exchange2010MailboxServer in DomainB> -m SA-EVault -f ZapSpecificVaultPerms.ini


Service account SA-EVault exists in DomainA and has full mailbox permissions within DomainB.

  • Try specifying an Exchange 2010 mailbox server name, rather than the CAS.

  • Yup, definitely specify the Exchange mailbox server.
    Also, for the system mailbox, use smtp:EVAdmin@domainb.com

    Also make sure that when you run EVPM you are running as the EVAdmin.
    Try creating a new Outlook profile, connecting to the Exchange 2010 server using the same SMTP address that you'd use in the EVPM command, and make sure you can connect without it prompting for credentials.

  • Allow me to sheepishly report that the solution was two parts "big brains Rob and JW3" and one part "I need to stop being an idiot".

    I did need to reference the FQDN of the actual mailbox server that was the active DAG for the particular mailbox database. I used the SMTP address for the EV service account. I had DTRACE watch EVPM while I was testing this and I noticed that it was complaining that it couldn't find the EV service account in the GAL. That struck me as odd because, well, it's there. But what I had failed to do was this:

    After the mailbox move, disable the mailbox, wait a minute and then reconnect it back to the linked user object in the old domain. That step I had not performed. As soon as I did that, ta da - empty permissions list on targeted Vault.

    Thanks guys.
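The sequence the thread converged on, written out as one Exchange 2010 Management Shell script so the order of operations is explicit: locate the server holding the active copy of the mailbox database, disable and reconnect the linked mailbox, then run EVPM against that server's FQDN with the SMTP form of the service account. This is an added example; it is not the poster's script and not from the Symantec article. The alias, domain controller, linked master account, install path, SMTP address and .ini path are placeholders for the thread's <...> values, and the Connect-Mailbox parameters shown should be checked against the Exchange version in use before running this against a production mailbox.

```powershell
# Added example (not from the thread or from Symantec). Run from the Exchange 2010
# Management Shell in DomainB, logged on as the EV service account, as the thread advises.
# Every value in this block is an assumed placeholder; replace it with your own.
$Mailbox           = 'jdoe'                                              # mailbox whose vault perms get zapped
$LinkedDc          = 'dc01.domaina.local'                                # a DomainA domain controller FQDN
$LinkedMaster      = 'DOMAINA\jdoe'                                      # original user object in DomainA
$EvpmExe           = 'C:\Program Files (x86)\Enterprise Vault\EVPM.exe'  # assumed EV install path
$SystemMailboxSmtp = 'smtp:SA-EVault@domaina.com'                        # SMTP form of the EV service account
$IniFile           = 'C:\EV\ZapSpecificVaultPerms.ini'                   # the .ini from the original post

# Sanity check: EVPM needs to run under the EV service account (the "run as EVAdmin" advice).
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as $who - confirm this is the EV service account before continuing"

# 1. Capture the mailbox before touching it; the Exchange GUID is what we reconnect by later.
$mbx = Get-Mailbox -Identity $Mailbox
$db  = $mbx.Database

# 2. Find the mailbox server that currently holds the ACTIVE (mounted) copy of the database.
#    EVPM has to be pointed at this server's FQDN, not at the CAS array.
$active = Get-MailboxDatabaseCopyStatus -Identity $db | Where-Object { $_.Status -eq 'Mounted' }
if (-not $active) { throw "No mounted copy found for database $db" }
$serverFqdn = (Get-ExchangeServer -Identity $active.MailboxServer).Fqdn
Write-Host "Active copy of $db is on $serverFqdn"

# 3. The step the poster had skipped after the cross-domain move:
#    disable the mailbox, wait, then reconnect it to the linked user object in the old domain.
Disable-Mailbox -Identity $mbx.Identity -Confirm:$false
Start-Sleep -Seconds 60
Clean-MailboxDatabase -Identity $db   # surfaces the disconnected mailbox without waiting for maintenance

Connect-Mailbox -Identity $mbx.ExchangeGuid `
                -Database $db `
                -LinkedDomainController $LinkedDc `
                -LinkedMasterAccount $LinkedMaster `
                -User $mbx.DistinguishedName `
                -Confirm:$false

# Give AD and the GAL a moment; EVPM resolves the service account and target via MAPI/GAL.
Start-Sleep -Seconds 60

# 4. Run EVPM exactly as the thread ended up doing: mailbox server FQDN, SMTP address of the
#    service account, and the zap .ini. Treat a non-zero exit code as a failure.
& $EvpmExe -e $serverFqdn -m $SystemMailboxSmtp -f $IniFile
if ($LASTEXITCODE -ne 0) { throw "EVPM exited with code $LASTEXITCODE; check the EVPM log and DTRACE output" }
Write-Host "EVPM completed; verify the archive permissions list in the Vault Administration Console"
```

Before running this against a real mailbox, do the Outlook profile test the thread suggests with the same SMTP address: if Outlook cannot open the service account's mailbox against the Exchange 2010 server without a credential prompt, EVPM's "Error creating privileged MAPI session" will reproduce regardless of the script.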