Showing results for 
Search instead for 
Did you mean: 

Automatically set permissions modification problem

Level 3

I modified automatically set permissions on different ways:
1. I used zap file
2. I modified RootIdentity field in ROOT table
Modifications were successed, but the original settings returned one day later.


Level 6

I'm going to assume you mean that you modified the AutoSecurityDescID column rather than the RootIdentity. (If you actually did manage to modify RootIdentity, you've got bigger problems in store and should probably call Support.)


Automatically set permissions are *supposed* to come back on their own. These are the permissions that are set by synchronizing from the content source. So if you're archiving an Exchange mailbox, then every time the task synchronizes the mailbox, it clones the mailbox permissions onto the archive as the Automatic permissions. (Substitute "File Share," "Domino mailbox," or "SharePoint site" as appropriate for the content you're archiving.)

If you want the Automatic permissions on the archive to change for good, then change them on the content source object (e.g., on the Exchange mailbox).

If you want the archive permissions to differ from those of the content source object, use the archive's Manual permissions to extend or restrict as needed.



Partner    VIP    Accredited Certified

If you want the permissions to be synced, verify that in the policy you have Inherited permissions set to on. Also verify the sync of the mailboxes is happening. If permissions do not sync as expected, verify eventlog on EV server. There might be an issue with EV 'reading' permissions for mailbox.

Regards. Gertjan

GertjanA -

I'm having a problem where I have archives that have users automatically added to them that at one point had access to the users mailbox but no longer do.  The permissions got added automatically, but not removed.  My policy says that inheriting permissions is off.  I'm not clear how settings could have been automatically added with this policy setting set to off.  Could you clarify this setting a bit?  I'm not sure if turning it on will remove the auto-added permissions like I want, or make the situation worse.

Thanks - and sorry maybe this is a tangent from the OP's question.


The inherited permissions setting is a little more complicated than it seems, so now is as good a time as any for a public service announcement on this stuff.


Enterprise Vault will always synchronize the permissions that are assigned directly on an Exchange mailbox to the archive that is associated with that mailbox. As far as I know, this cannot be turned off, although we offer several advanced options to tweak the behavior somewhat. These advanced options are Synchronize folder permissions, Include default and anonymous permissions, and Inherited permissions.

Synchronize folder permissions: With this enabled, EV will synchronize folder-level permissions in the mailbox to the corresponding folders in the archive. This is useful when Alice grants Bob access to some folders in her mailbox but not to the entire mailbox. The result is that, just like Exchange, Bob has access to some folders in Alice's archive but not to the entire archive. If you disable this, then EV only synchronizes the permissions between the top-level containers (mailbox and archive), and any granular permissions beneath that are not synchronized.

Include default and anonymous permissions: With this enabled, EV will synchronize permissions assigned to the Default and Anonymous user objects onto the corresponding folders in the archive. The default is to skip permissions assigned to these objects, but if you use these permissions in a meaningful way in your organization, you can turn this on to get them synchronized to the archive.

Inherited permissions: This controls whether the archive will inherit permissions from Active Directory objects higher up than the mailbox. That is, if somebody has assigned specific permissions to the Exchange Mailbox Database, Administrative Group, or Server objects in AD, this setting controls whether these permissions will be assigned to the archive as well. This was more of a going concern for older versions of Exchange, where mailboxes were more closely tied to a single Exchange server. We would find customers who granted, say, the Vault Service Account Full Control permissions on the Servers container (for instance, CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=com) as a way of giving it access to all mailboxes, and they wanted that access to inherit down to the archives as well. That's the sort of situation in which you'd want to turn on the Inherited permissions setting. Any permission that is assigned at the mailbox level or below is not affected by this setting.


Moving on from the infodump, @Moltron1, for your situation, you'll want to use EVPM to remove those permissions, as described here.