03-16-2012 03:09 AM
Hi,
We seem to be having a problem with archive explorer showing us accounts we don't have access to? We've checked the permissions in exchange and we definatly don't have permissions to some of the mailboxes we can see in Arch Explorer.
Is there anywhere in E.V. you can check these permissions or are they all replicated from exchange?
Were running, exchange 2003, e.v. 9.0
Thanks in advance...
Paul.
Solved! Go to Solution.
03-17-2012 01:20 PM
Well the thing with Everyone and Anonymous is that they are on each and every single mailbox however they have absolutely no permissions, so its basically setting an automatic deny for any person, it is then individual users that are granted the access.
So here is one thing I suggest you do.
Look in Archive Explorer and see your mailbox and someone elses mailbox.
Then go to Outlook and attempt to open that users mailbox and folder and see if Exchange or Outlook lets you in, if it does, then EV is just doing what Outlook is already allowing.
But heres one thing that it could possibly be, do you use FSA at all?
I have seen sometimes people have FSA set up to archive personal shares and they see the users shared folder thats archived through EV as being as a mailbox as opposed to an FSA share etc
03-16-2012 04:40 AM
There has to be permission coming from somewhere as we do not make up permissions so if you are confident that there is nothing from an AD perspective then these users could have switched on outlook delegation by maybe switching on access at that level.
The easiest thing to do to confirm all access on the archive is to use the permissionbrowser.exe tool that you can find in the enterprise vault directory.
This is a GUI based tool and you can select the archive that you can see in your AE list and check out all of the ACL's etc that are on that archive.
From there you will understand what has happened.
03-16-2012 04:56 AM
Used that and it's strange as one user is still listed as having access to a specific account, although in AD he doesn't have permissions? He does say he may have done many moons ago?
Could there be something wrong with the sync on the database not taking the access away?? Is this where the permissions that permissionbrowser see's?
03-16-2012 05:05 AM
03-16-2012 06:52 AM
I dont think anything would be wrong with database as such . Check the permission browser .
03-16-2012 06:52 AM
No we checked the delegated permissions also and there's nothing set ? Really really strange !!!
03-16-2012 04:46 PM
Have you checked if "Everyone" or "Authenticated Users" have full access? Also - Have you tried to zap permission completely off archive and re-sync the mailbox account with folder permissions?
03-17-2012 01:20 PM
Well the thing with Everyone and Anonymous is that they are on each and every single mailbox however they have absolutely no permissions, so its basically setting an automatic deny for any person, it is then individual users that are granted the access.
So here is one thing I suggest you do.
Look in Archive Explorer and see your mailbox and someone elses mailbox.
Then go to Outlook and attempt to open that users mailbox and folder and see if Exchange or Outlook lets you in, if it does, then EV is just doing what Outlook is already allowing.
But heres one thing that it could possibly be, do you use FSA at all?
I have seen sometimes people have FSA set up to archive personal shares and they see the users shared folder thats archived through EV as being as a mailbox as opposed to an FSA share etc
03-31-2012 11:56 AM
We had similare issue and ZAPing helped us to solve the issue, follow below article to ZAP http://www.symantec.com/business/support/index?page=content&id=TECH35614