Forum Discussion

Jono_K's avatar
Jono_K
Level 2
12 years ago

How do I remove "Automatically Set" permissions on Enterprise Vault exchange archive

I'm using Enterprise Vault version 7.5 and I have the exact same scenario as: https://www-secure.symantec.com/connect/forums/removing-automatically-set-permissions-vaults-where-owner-admailbox-no-longer-exists#comment-2502671 however in that thread I am unable to work out entirely what the solution was. 

The original poster mentions:

"Enterprise Vault Policy Manager did not strip automatically set permissions on archives [Ref 801192, E1063349]
The Enterprise Vault Policy Manager did not strip automatically set permissions when you used the ArchivePermissions section in the initialization file. For example:

[ArchivePermissions]
ArchiveName=John Doe
Zap=True

These settings stripped only manually set permissions on John Doe's archive. They did not strip the permissions automatically inherited from the Exchange mailbox.

This has been fixed."

My scenario is the same in that I have attempted to use EVPM.exe to "zap" permissions from an archive.  It seems to only work on manually set permissions and not on automatically inherited permissions from Exchange.  The OP says "this has been fixed" but does not mention how it was fixed. Does anyone know if there is a solution?

Thanks for your time!

  •  

    Below query wouldbe useful. Replace the archvie name and make sure you take  a backup of the directory database before running the query .

    Use EnterpriseVaultDirectory

    update archiveview

    set AutoSecurityDesc = NULL

    where archivename = 'ABC'

    Close Enterprise Manager or SQL Management Studio

    Refresh the Enterprise Vault Admin Console and check the automatically set permissions on the archiv

  • Well you can do the other way round , by just adding everyone as a deny permission from Vac.

  • And if you dont want Inhertited permissions, you can disable them from policy advanced section.

  • I could be wrong but i think the workaround was [VaultPermissions] and not [archivePermissions]

    You could always just manually remove them from sql too if you wanted

  • Yes you could, but this is really a workaround and not a solution.  This would still leave us with a list of redundant entries in the user permissions and is messy. A majority of our user vaults only have that user's account listed in the permissions which is correct however my goal here is to clean up and fix the other user vaults which look like the screenshot in my original post.

  • The policy already has inherited permissions disabled. This is the problem.

  • [VaultPermissions] appears to be legacy from EV 1-4.x

    I did however try it but it made no difference.  I can tell that my zap ini is targeting and "zapping" the correct user account as manually added permissions get zapped correctly when I run EVPM.  The problem is that inherited permissions (which should not be inheriting as I have them disabled in my policy settings) cannot be zapped and remain in the user's vault permissions.

  •  

    Below query wouldbe useful. Replace the archvie name and make sure you take  a backup of the directory database before running the query .

    Use EnterpriseVaultDirectory

    update archiveview

    set AutoSecurityDesc = NULL

    where archivename = 'ABC'

    Close Enterprise Manager or SQL Management Studio

    Refresh the Enterprise Vault Admin Console and check the automatically set permissions on the archiv