10-30-2013 05:52 AM
I need to find permissions that were added to an archive via the EV management console. I have over 20k archives so using permissionbrowser.exe is not an option. Anyone have a utility or SQL script that can help me out?
10-30-2013 06:09 AM
Hi Donnal,
Please try the following SQL script:
USE EnterpriseVaultDirectory
SELECT AA.ArchiveName, RT.VaultEntryId AS ArchiveID, AC.ACEType AS PermissionType, TT.SID
FROM Archive AA
INNER JOIN ACE AC
    ON AA.RootIdentity = AC.RootIdentity
INNER JOIN Trustee TT
    ON TT.TrusteeIdentity = AC.TrusteeIdentity
INNER JOIN Root RT
    ON RT.RootIdentity = AA.RootIdentity
-- Archives that don't have permissions will not appear in this list. PermissionType 0 means the archive has only automatic permissions, 1 means only manual permissions set via the VAC (in case of shared/fileserver/PF), 2 means it has a combination of automatic and manual permissions.
-- It will also not give granular information such as the permission level (read/write/delete) or Deny/Allow.
-- These SIDs can be taken into an Excel sheet, and you may need to run another PowerShell/AD script to get the users/groups with their associated SIDs and then compare (you need to do some research on Google to find an easy way to get SIDs with users/groups).
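The SID-to-account step described in the reply above, as an added PowerShell example that is not part of the original post. It assumes the query result was exported to CSV with the four column names from the SELECT and that the SID column holds string-form SIDs; the sample rows and archive IDs are constructed.

```powershell
# Added example: resolve SIDs from the query output and keep only the rows
# that the reply describes as carrying manual permissions (type 1 or 2).
# Assumption: the SID column holds string-form SIDs (S-1-5-...).
param([string]$InputCsv)   # optional path to a CSV export of the query result

# Constructed sample rows, used when no CSV path is supplied.
$sample = @'
ArchiveName,ArchiveID,PermissionType,SID
Finance Share,CONSTRUCTED-ARCHIVE-ID-1,1,S-1-5-32-544
Jane Doe,CONSTRUCTED-ARCHIVE-ID-2,0,S-1-5-32-545
HR Public Folder,CONSTRUCTED-ARCHIVE-ID-3,2,S-1-5-21-1111111111-2222222222-3333333333-1001
'@
$rows = if ($InputCsv) { Import-Csv -Path $InputCsv } else { $sample | ConvertFrom-Csv }

# PermissionType meanings as given in the reply above.
$typeLabel = @{ '0' = 'Automatic only'; '1' = 'Manual only'; '2' = 'Automatic and manual' }

$script:cache = @{}   # SID string -> account name, so each SID is looked up once

function Resolve-Sid {
    param([string]$Sid)
    if ($script:cache.ContainsKey($Sid)) { return $script:cache[$Sid] }
    try {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # A SID with no matching account (deleted user, untrusted domain) is
        # reported rather than dropped, so stale permissions stay visible.
        $base = $_.Exception.GetBaseException()
        $name = if ($base -is [System.Security.Principal.IdentityNotMappedException]) {
            '<unresolved SID>'
        } else {
            '<invalid SID value>'
        }
    }
    $script:cache[$Sid] = $name
    return $name
}

$rows | Where-Object { '1', '2' -contains $_.PermissionType } | ForEach-Object {
    New-Object psobject -Property @{
        ArchiveName    = $_.ArchiveName
        ArchiveID      = $_.ArchiveID
        PermissionType = $typeLabel[[string]$_.PermissionType]
        SID            = $_.SID
        Account        = Resolve-Sid -Sid $_.SID.Trim()
    }
} | Sort-Object ArchiveName, Account
```

Pipe the output to Export-Csv to keep a record; rows marked as unresolved are worth reviewing first, since they point at permissions held by accounts that no longer exist or cannot be looked up from this machine.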
10-30-2013 06:03 AM
Hello Donnal,
Unfortunately, the archive permissions are encrypted in the Enterprise Vault Directory database in binary format. Even if you can read the permissions using a SQL query, you won't be able to determine what user has permissions over the archive. There is another thread where this issue was discussed before; I'll try to find the link.
10-30-2013 06:07 AM
Here is the link
https://www-secure.symantec.com/connect/forums/sql-query-6
I hope this helps.
10-30-2013 06:33 AM
Is that the same post from this link?
https://www-secure.symantec.com/connect/forums/need-some-script-or-way-extract-list-users-each-vaults
10-31-2013 12:02 AM
Hi Donnal,
Have you run the script? If you face any issue, please let me know.
11-01-2013 12:39 AM
Hi Donnal,
Have you got the required result?
Please let us know.
11-01-2013 05:54 AM
Yes, with this query and pulling all SIDs from AD I was able to get the information I needed. Thanks for your help with this.
11-11-2013 12:35 AM
Hi Donnal,
Thanks for your reply.
Could you mark as solution the comment which helped you to solve your issue?
12-03-2013 10:34 PM
Hi,
Thanks for marking as solution.