NaturesRevenge
14 years ago

Exchange Mailbox permissions and Vault permissions

EV902
Exchange 2007 SP3 RU2

Our organization has roughly 9,000 mailboxes and about 2,000 of those are shared mailboxes. Permissions to these shared mailboxes are either assigned directly at the mailbox using Active Directory / Exchange security (ADUC or PowerShell) or the owner of the mailbox assigns permissions at the root of the mailbox (reviewer, editor, owner permissions, etc).

Enterprise Vault seems to acknowledge the permissions that are set via AD but not when the owner assigns permissions at the mailbox level. Because our org is as large as it is, I'm not necessarily looking to change the way we issue mailbox permissions, but I will if it means a more seamless Exchange > EV relationship.

Can EV see the mailbox-level permissions somehow, and issue permissions accordingly? Or do I need to use EVPM to script these permissions?

As always, I'm very grateful for any comments and assistance!

A J

  • How are you determining what's being set and what's not? Typically anything through AD will be on the mailbox level and you will see the permissions set on the archive itself through the Vault Admin Console, but for delegation you won't see them on the archive permissions as they will be on a folder level basis. To view these permissions, go to \Enterprise Vault\permissionsbrowser.exe and you will see exactly what users will be able to access the archive.
  • I noticed that "TonySterling" posted a reply, but it does not show up here. The synopsis of his comments was to check to see if I had "sync folder permissions" set to ON or OFF. It was set to OFF; I changed it to ON and ran a synchronization task, including folder permissions, across all vaults. However, perhaps I am misunderstanding the usage of this setting.

    The particular scenario is this: a shared mailbox, at the very top level of the store, has a couple of distribution groups that have "owner" or "reviewer" permissions assigned to the mailbox. This provides them permissions to the mailbox, but none of these permissions translate automatically to permission to the Vault of this shared mailbox. I'll need to use EVPM to assign these permissions, won't I?

  • Well, did the sync work? The thing is, when you delegate permissions in Outlook you are giving folder level access; even if you do it at the mailbox name in Outlook you are just giving permissions to the top of the information store, it's a folder. So granting is right that you do need folder permission sync to be on.
  • I was having some issues with the internet connection at the airport and I thought it had double posted. Oops!

  • Did the sync work? It appears that it did not but it very well could be because I don't understand its functionality.

    The administrator guide states: Controls whether synchronization of delegate and shared folder permissions within mailboxes are synchronized. If these are not synchronized, only mailbox owners have access to the corresponding archives. For example, this prevents delegates, from having access to mailbox archives.

    I have turned this value to ON and then I ran a synchronization on a specific shared mailbox. The synchronization task included:

    Archiving Settings
    Mailbox properties and permissions
    Folder hierarchy and permissions

    At the top of the information store for this particular mailbox, there are a couple of distribution groups with permissions assigned: Owner and Reviewer. Permissions to a Vault can have three values:

    Read
    Write
    Delete

    Perhaps I am over-analyzing this, but I would assume that an information store permission value of "Owner" would inherit all three Vault permissions. "Reviewer" permission would inherit the "Read" Vault permission.

    If this isn't the case, I will resort to EVPM for issuing permissions. Thanks again.

  • I think you are trying to over analyze this just a tad.  If you want to verify exactly what permissions are on the archive use permissionbrowser.exe as JW2 mentioned above.  I think that should give you a level of comfort moving forward.

    regards,

    Tony

  • Thank you, Tony and JW2. I was utilizing PermissionBrowser.exe just now and confirmed - using the "manual" selection - that my EVPM script issued the permissions I asked it to. I wish those permissions would visually appear by browsing to the archive and checking the permissions tab, but I'm going to just pick my battles today! :)

  • ...and the permissions show up this morning within the archive properties. Thanks to all.