
Account cannot be removed (Automatically Set Permissions)

hmh_it
Level 3

Hey All,

I have 2 similar issues: one with a current active user and one with a deleted AD user.

I went into my Archive Explorer in Outlook and noticed I had a couple of people's archives attached to me, and I went to go remove them and was unable to.

First user, an "Active Employee"

I go into the EVAULT console, go to Archives, select Exchange Mail and go into the permissions for "Active Employee". I see my name there but I cannot remove it, as it shows "Automatically Set".

I've checked the user's mailbox and I don't see my name listed anywhere under full mailbox access.

 

2nd user, "Deleted Employee"

I go into the EVAULT console, go to Archives, select Exchange Mail and go into the permissions for "Deleted Employee". I see my name there but I cannot remove it, as it shows "Automatically Set".

This user does not have an AD account anymore, so I can't check anything.

 

Any clue what I need to do?

My account is a regular domain user (not exch admin or domain admin).

1 ACCEPTED SOLUTION

Accepted Solutions

Pradeep-Papnai
Level 6
Employee Accredited Certified

As Gabe informed, automatic permissions cannot be removed from an archive manually via the VAC by simply deleting them. You need to zap the permissions by running an EVPM script.

Open Notepad and save this file with an '.ini' extension; the encoding must be 'Unicode'. Put in the following content.

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName=Mary Jones
Zap=True


You need to replace 'kvsvault' with your EV server's name and replace the EV site; the archive name would be the affected archive. You can put multiple archives or all archives; the following values can be used.

ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
ALL_JOURNAL (permissions are applied to all journal archives)
ALL_SHARED (permissions are applied to all shared archives)
ALL_MAILBOX (permissions are applied to all mailbox archives)

Once you do that, in order to see the changes, please REFRESH the Vault Admin Console. The next time you synchronize, the correct automatic permissions should come from Exchange. Please also have a look at the forum link below.

http://www.symantec.com/connect/forums/automatically-set-permissions
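
A pre-flight check for the initialization file described in the answer above, as an added example that is not part of the original post and not Enterprise Vault tooling. It confirms the Notepad "Unicode" (UTF-16 LE with BOM) encoding and flags any Zap=True section whose ArchiveName is one of the bulk values; the function name Test-EvpmZapFile and the sample file are hypothetical and constructed.

```powershell
# Test-EvpmZapFile is a hypothetical helper name, not an Enterprise Vault cmdlet.
function Test-EvpmZapFile {
    param([Parameter(Mandatory)][string]$Path)
    $findings = New-Object System.Collections.Generic.List[string]
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    # Notepad's 'Unicode' encoding is UTF-16 LE, which starts with the BOM FF FE.
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xFE) {
        $findings.Add('File is not UTF-16 LE with BOM (Notepad "Unicode").')
        return $findings
    }
    $text = [System.Text.Encoding]::Unicode.GetString($bytes, 2, $bytes.Length - 2)
    # Collect the ArchiveName and Zap keys of each [ArchivePermissions] section.
    $bulk = 'ALL', 'ALL_JOURNAL', 'ALL_SHARED', 'ALL_MAILBOX'
    $section = ''
    $blocks = @()
    foreach ($line in ($text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1].Trim()
            if ($section -ieq 'ArchivePermissions') { $blocks += @{ Names = @(); Zap = $false } }
        } elseif ($section -ieq 'ArchivePermissions' -and $line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
            if ($key -ieq 'ArchiveName') { $blocks[-1].Names += $value }
            if ($key -ieq 'Zap' -and $value -ieq 'True') { $blocks[-1].Zap = $true }
        }
    }
    # Only sections that actually zap are of interest.
    foreach ($b in $blocks) {
        if (-not $b.Zap) { continue }
        if ($b.Names.Count -eq 0) { $findings.Add('Zap=True section has no ArchiveName.') }
        foreach ($n in $b.Names) {
            if ($bulk -icontains $n) {
                $findings.Add("Zap=True is scoped to bulk value '$n', not a single archive.")
            } else { Write-Host "Zap will clear permissions on archive: $n" }
        }
    }
    return $findings
}
# Constructed sample: the post's file with ArchiveName switched to the bulk value ALL.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'zap-sample.ini'
@'
[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite
[ArchivePermissions]
ArchiveName=ALL
Zap=True
'@ | Set-Content -LiteralPath $sample -Encoding Unicode
Test-EvpmZapFile -Path $sample
```

An empty result means the file is in the expected encoding and every Zap=True section names individual archives.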
 


3 REPLIES

GabeV
Level 6
Employee Accredited

Automatic permissions are assigned by default and cannot be removed from the VAC manually. You need to remove them using an EVPM script:

How to remove all permissions from an archive using Enterprise Vault Policy Manager (EVPM).
http://www.symantec.com/docs/TECH44818

After that, you should be able to assign permissions manually.

I hope this helps.

JesusWept3
Level 6
Partner Accredited Certified

The thing is, if it's automatically set for the active user, it will just come right back on the next sync, because it would have removed you if you weren't listed on the user's mailbox somewhere (such as a delegate user).

For the inactive user, as Gabe mentioned, you'll have to zap the permissions. No automatic permissions will be set, as there will be no mailbox to sync those permissions from, so if someone needs access, you will have to grant them permissions on the entire archive.

So this may lead to some people losing access to an archive they once had, and you'd have to give them full permissions, and now they may see more than what they were previously allowed to see.

https://www.linkedin.com/in/alex-allen-turl-07370146
