Tough One :: Removing "Automatically Set" permissions
Okay - before everyone rushes in with the quick solutions... =)
1) We have checked all policies; they are not currently set to allow Inherited Permissions, Synchronize Permissions is now OFF, and Include Default and Anonymous is set to OFF.
2) We have run the EVPM script to Zap Archive Permissions (multiple times).
3) We have checked for permissions both in AD and Exchange as well as Outlook Delegation to try to justify these automatically set permissions and have found nothing.
4) The registry entry HKLM\Software\KVS\Enterprise Vault\Agents\InclueInheritedRights is NOT present.
This server is running EV 7.5 SP 4
I have three Mailbox Vaults that have one of our Admins "Automatically Set" on them. These three mailboxes all use policies that are used by hundreds of other users - the Admin isn't explicitly added to their vaults, AD accounts, Mailboxes or anything that other Admins aren't as well (all by Domain Admin groups, etc).
I've tried everything I can think of to remove the Admin from the vaults with no luck. Using PermissionBrowser this is what I find ::
_______________
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
SID: None
Group:
SID: None
Dacl:
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags: CONTAINER_INHERIT_ACE
Mask: 0x105BF
DV_DS_HIDE_FOLDER
DV_DS_DELETE_ARCHIVE
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-2000478354-492894223-839522115-2356
Name: PermittedAdmin
DomainName: FRUSTRATED
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags:
Mask: 0x4BF
DV_DS_HIDE_FOLDER
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-2000478354-492894223-839522115-2634
Name: MailboxOwner
DomainName: FRUSTRATED
____________________
Anyone have any good suggestions / thoughts on how to purge these rights? I know I can add explicit DENY rules, but the idea of cleaning up an environment doesn't really make me want to go in there and just slap some cover-up on this problem.
Thanks in advance,
--Micah
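As an added example (not from the post and not part of Enterprise Vault or PermissionBrowser), here is a small Python script that parses a PermissionBrowser dump like the one above and reports, per ACE, whether it carries CONTAINER_INHERIT_ACE (so it propagates to folders created under the archive), whether the standard Windows INHERITED_ACE flag is present (which would mean the entry was copied down from a parent rather than set directly on this archive), and which decoded rights go beyond the rights every principal on the archive has in common. The dump layout, the embedded sample input and the flag-name conventions are assumptions taken from the dump in the post.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the Dacl part of the PermissionBrowser dump quoted in the
# post above (same SIDs, names, masks and decoded right names).
SAMPLE_DUMP = """\
Dacl:
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags: CONTAINER_INHERIT_ACE
Mask: 0x105BF
DV_DS_HIDE_FOLDER
DV_DS_DELETE_ARCHIVE
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-2000478354-492894223-839522115-2356
Name: PermittedAdmin
DomainName: FRUSTRATED
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags:
Mask: 0x4BF
DV_DS_HIDE_FOLDER
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-2000478354-492894223-839522115-2634
Name: MailboxOwner
DomainName: FRUSTRATED
"""

@dataclass
class Ace:
    ace_type: str = ""
    flags: List[str] = field(default_factory=list)    # e.g. CONTAINER_INHERIT_ACE
    mask: int = 0
    rights: List[str] = field(default_factory=list)   # decoded DV_DS_* names
    sid: str = ""
    name: str = ""
    domain: str = ""

def parse_dump(text: str) -> List[Ace]:
    """Parse the Dacl section of a PermissionBrowser-style dump (format assumed
    from the post: each ACE starts at 'Header:', then 'Key: value' lines and
    bare DV_DS_* right names)."""
    aces: List[Ace] = []
    cur, in_dacl = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Dacl:":
            in_dacl = True
        elif not in_dacl or not line:
            continue                      # Control/Owner/Group lines are not ACEs
        elif line == "Header:":
            cur = Ace()
            aces.append(cur)
        elif cur is not None:
            key, sep, value = line.partition(":")
            value = value.strip()
            if not sep:
                cur.rights.append(line)   # bare token: a decoded right name
            elif key == "AceType":
                cur.ace_type = value
            elif key == "AceFlags":       # empty value means no flags set
                cur.flags = [f.strip() for f in value.split("|") if f.strip()]
            elif key == "Mask":
                cur.mask = int(value, 16)
            elif key == "SID":
                cur.sid = value
            elif key == "Name":
                cur.name = value
            elif key == "DomainName":
                cur.domain = value
    return aces

def audit(aces: List[Ace]) -> List[Dict[str, object]]:
    """Per ACE: does it propagate to subfolders, is it marked as inherited from a
    parent, and which rights exceed the rights all principals share."""
    common = set.intersection(*(set(a.rights) for a in aces)) if aces else set()
    return [{
        "principal": f"{a.domain}\\{a.name}",
        "mask": f"0x{a.mask:X}",
        "propagates_to_subfolders": "CONTAINER_INHERIT_ACE" in a.flags,
        "marked_inherited": "INHERITED_ACE" in a.flags,
        "rights_beyond_common": sorted(set(a.rights) - common),
    } for a in aces]

def mask_delta(a: Ace, b: Ace) -> int:
    return a.mask ^ b.mask   # bits that differ; compare with the decoded names
```

Run against the dump in the post, it reports that the admin's ACE is not marked INHERITED_ACE (so it sits directly on the archive rather than having been copied down from a parent), that it propagates to subfolders, and that its only decoded right beyond the owner's is DV_DS_DELETE_ARCHIVE. It also shows that the two masks differ in two bits (0x10100) while the decoded lists differ by only one name, so the printed names do not account for every bit in the mask; comparing ACEs by their decoded names alone can miss a difference.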
What did your EVPM script look like?
Maybe you were using the ArchivePermissions section instead of VaultPermissions... you must use VaultPermissions. Check out:
http://seer.entsupport.symantec.com/docs/280196.htm