Forum Discussion

Darren_Broughto's avatar
20 years ago

Permissions on Mailbox Archives - automatically set permissions

When I look at the permissions on a few of our users mailbox archives, as well as their own, I see my own user account. I don't want this so when I try to remove my account I get the message "Account username cannot be removed as it has automatically set permissions associated with it" I have top level permissions throughout Exchange, but I would expect to see this on all the users if this were the case. Does anyone know how I can remove these "higher" permissions.

Thanks
  • Darren,

    the Reg Key is IncludeInheritedRights. It is documented on Page 53 of the Version 6 Admin Guide (http://ftp.support.veritas.com/pub/support/products/Exchange_Mailbox_Archiving_Unit/277778.pdf). It's got a "Legacy Name" so I guess version 6 can apply it within the Admin Console rather than you having to stick in a registry key.

    Helpfully the manual doesn't tell you where to put the key if you aren't at ver 6 yet and there doesn't appear to be any other documentation. How unusual.

    HKLM\Software\KVS\Enterprise Vault\Agents.

    It's a DWORD. 1 = include them (don't do this!) 0 = don't (but this should be the default EV behavior anyway)

    So there you go. You only need apply this if you think EV might be exhibiting bug behavior.

    Hope this is helpful


    David
    http://messy.bravehost.com/
  • Darren,

    I suspect you have full access permissions on everyone's mailbox in Exchange. These are replicated through into EV.

    I wouldn't advise that your day to day account has the ability to read everyones email in your company. Your auditors won't like it apart from anything else.

    If you want this access quickly then set yourself up another admin account (or better, a group) and give it the permissions and take them off your day to day account. Remember that if you ever need to get into people mailboxes quickly you can always use the "Run As..." option (on an XP box).

    I hope this helps

    There is also a registry setting to exclude inherited rights but I'm guessing you already have this set (you'd be mad not to) and I've a feeling it's default behavious from about SP3 onwards.

    Hope this helps, let me know.

    David
    http://messy.bravehost.com/
  • I think you're right, we need to set up separate logonsfor full access to mailboxes. You've got me a bit worried though. What is the registry setting to exclude inherited rights. We're on SP5 of KVS and SP3 for Exchange.
  • Darren,

    the Reg Key is IncludeInheritedRights. It is documented on Page 53 of the Version 6 Admin Guide (http://ftp.support.veritas.com/pub/support/products/Exchange_Mailbox_Archiving_Unit/277778.pdf). It's got a "Legacy Name" so I guess version 6 can apply it within the Admin Console rather than you having to stick in a registry key.

    Helpfully the manual doesn't tell you where to put the key if you aren't at ver 6 yet and there doesn't appear to be any other documentation. How unusual.

    HKLM\Software\KVS\Enterprise Vault\Agents.

    It's a DWORD. 1 = include them (don't do this!) 0 = don't (but this should be the default EV behavior anyway)

    So there you go. You only need apply this if you think EV might be exhibiting bug behavior.

    Hope this is helpful


    David
    http://messy.bravehost.com/