
Archive Permission

Donnal_Spence
Level 4

I need to find permissions that were added to an archive via the EV management console. I have over 20k archives, so using permissionbrowser.exe is not an option. Anyone have a utility or SQL script that can help me out?

1 ACCEPTED SOLUTION


EV_Ajay
Level 6
Employee Accredited

Hi Donnal,

Please try the following SQL script:

USE EnterpriseVaultDirectory;

SELECT AA.ArchiveName,
       RT.VaultEntryId AS ArchiveID,
       AC.ACEType AS PermissionType,
       TT.SID
FROM Archive AA
INNER JOIN ACE AC ON AA.RootIdentity = AC.RootIdentity
INNER JOIN Trustee TT ON TT.TrusteeIdentity = AC.TrusteeIdentity
INNER JOIN Root RT ON RT.RootIdentity = AA.RootIdentity;

-- Archives that don't have permissions will not appear in this list. PermissionType '0' means the archive has only automatic permissions, 1 means only manual permissions via VAC (in the case of shared/fileserver/PF), 2 means it has a combination of automatic/manual permissions.

-- It will also not give granular information such as the permission level (read/write/delete) or Deny/Allow.

-- These SIDs can be taken into an Excel sheet, and you may need to run another PowerShell/AD script for the users/groups with the associated SIDs and then compare (you need to do some research on Google to find an easy way to get the SID with the user/group).
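
The SID lookup step described in the post above, as an added example that is not part of the original thread. It assumes the query result was exported to CSV with the SID column in string form (S-1-...); the sample rows are constructed and the function name Resolve-Sid is hypothetical. Run it on a domain-joined machine so that domain SIDs can be translated.

```powershell
# Constructed sample rows standing in for the exported query result.
# Assumption: Trustee.SID exports as a string SID (S-1-...).
$csv = @'
ArchiveName,ArchiveID,PermissionType,SID
Finance Shared,<constructed-archive-id-1>,1,S-1-5-32-544
HR Mailbox,<constructed-archive-id-2>,2,S-1-5-21-1111111111-2222222222-3333333333-1105
J. Doe,<constructed-archive-id-3>,0,S-1-5-18
'@

# PermissionType meanings as given in the post above.
$typeLabel = @{ '0' = 'Automatic only'; '1' = 'Manual only'; '2' = 'Automatic + manual' }

function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Well-formed SID with no matching account: deleted user/group or untrusted domain.
        'UNRESOLVED'
    }
    catch {
        # Value is not a parseable string SID.
        "INVALID SID: $Sid"
    }
}

# Cache lookups: with 20k archives the same trustee appears many times.
$cache = @{}
$report = $csv | ConvertFrom-Csv | ForEach-Object {
    if (-not $cache.ContainsKey($_.SID)) { $cache[$_.SID] = Resolve-Sid $_.SID }
    [pscustomobject]@{
        ArchiveName = $_.ArchiveName
        ArchiveID   = $_.ArchiveID
        Permission  = $typeLabel[$_.PermissionType]
        SID         = $_.SID
        Account     = $cache[$_.SID]
    }
}

# Types 1 and 2 include manually granted permissions, which is what the question asks for.
$report | Where-Object { $_.Permission -ne 'Automatic only' } | Format-Table -AutoSize
```

Rows that come back as UNRESOLVED are worth reviewing separately, since they are grants to accounts that no longer map to a user or group.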

 


GabeV
Level 6
Employee Accredited

Hello Donnal,

Unfortunately, the archive permissions are encrypted in the Enterprise Vault Directory database in binary format. Even if you can read the permissions using a SQL query, you won't be able to determine which user has permissions over the archive. There is another thread where this issue was discussed before; I'll try to find the link.

GabeV
Level 6
Employee Accredited

Here is the link

https://www-secure.symantec.com/connect/forums/sql-query-6

I hope this helps.

GabeV
Level 6
Employee Accredited

Is that the same post from this link?

https://www-secure.symantec.com/connect/forums/need-some-script-or-way-extract-list-users-each-vaults

EV_Ajay
Level 6
Employee Accredited

Hi Donnal,

Have you run the script? If you face any issues, please let me know.

EV_Ajay
Level 6
Employee Accredited

Hi Donnal,

Have you got the required result?

Please let us know.

Donnal_Spence
Level 4

Yes, with this query and pulling all SIDs from AD I was able to get the information I needed. Thanks for your help with this.

EV_Ajay
Level 6
Employee Accredited

Hi Donnal,

Thanks for your reply.

Could you mark as the solution the comment which helped you to solve your issue?

EV_Ajay
Level 6
Employee Accredited

Hi,

Thanks for marking as solution.