
Deleted Account

Paul_Costigan
Level 4
An account that had its mailbox archived has been deleted. In the Enterprise Console the account shows up with the Unknown Account & SID. I have tried adding a system account with the permission to get to the vault but each time get a warning window stating Please enter an existing Windows Account Name. This, I assume, is because I have left the deleted account SID with permissions, so I try to remove the account permissions and get the error, Account cannot be removed as it has automatically set permissions associated with it.

Q. How do I specify a different account with permissions to this user's Archive and then remove the old account SID from it?

TIA,

Paul
1 ACCEPTED SOLUTION


TonySterling
Moderator
Partner    VIP    Accredited Certified
Change the Bill to Account for the Archive to something other than what it is, i.e. the Vault service account.

Then you will be able to add permissions.


17 REPLIES

Paul_Grimshaw
Level 6
Employee Accredited Certified
You can remove all auto permissions with an EVPM script but if the mailbox is no longer there then you cannot synchronize any permissions from there so you will have to manually assign permissions to the archive once you have removed them.

http://support.veritas.com/docs/280196

Paul_Costigan
Level 4
Hi

Thanks for the reply. This will certainly do what I require with one caveat: it looks as though this will do it at the vault level, and the mbx itself is in a vault with several other users' archived mbx's. Is there any way of stripping out the automatically set permissions at the mailbox level?

You have pointed me in the right direction and I have now picked up on the EVPM helpfile on our EV server. In one of the examples below, it shows that you can specify a DN.

In short, can I target a single mailbox in a vault containing several and strip only its permissions?

Thanks again,

Paul

DIRECTORYCOMPUTERNAME = OURSERVER
SITENAME = CC_Site1

DISTINGUISHEDNAME = /O=ACME/OU=DEVELOPER/CN=RECIPIENTS/CN=SUES

;
-------------EDIT----------------

; 3. Remove existing user permissions on an existing folder
;
Name = \Existing Folder
MailboxDN = /O=ACME/OU=DEVELOPER/CN=RECIPIENTS/CN=SUES
;
; Remove existing users
;
ExchangePermissions = -; Tom Sawyer; Mark Twain

Paul_Costigan
Level 4
Hi Tony,
Thanks, this got around what now appears to be a two-part question. I have now successfully added our Service Account with full granted permissions on the target mbx archive.

Paul

Paul_Grimshaw
Level 6
Employee Accredited Certified
Have just tested on my system and Tony's suggestion works. Also, the technote that I sent will only strip the permissions for one archive even though it specifies vaultname instead of archive name.

TonySterling
Moderator
Partner    VIP    Accredited Certified
If you set a manual deny permission on the archive for that one user it will override the automatically set grant.

Paul_Costigan
Level 4
I'm really pleased with the response on this post, thank you all.

The problem I have is that I actually wish to remove the account unknown (SID) from the permissions on the archive properties of the mailbox.

I suppose it's not really a problem, I'm just trying to be tidy for a change! Although it would be nice to strip out the permissions before the account is deleted.

Stormonts
Level 5
Did you ever find a way to actually remove the unknown SID from the permissions box?

Mojorsn
Level 5
If you zap the archive then all of the permissions including the unknown should be removed.  A sample script that we use to perform this task is:
 
[Directory]
DirectoryComputerName   = ServerXXX
Sitename    = EVSiteXXX
 
[VaultPermissions]
vaultname= VaultXXX
zap     = True

Stormonts
Level 5
And that will remove only the "Account Unknowns" and will leave any of the legitimate inherited permissions for other mailboxes?


Stormonts
Level 5
Does running the script that you listed only remove the "Account Unknowns" or does it zap all legitimate permissions from mailboxes as well?




TonySterling
Moderator
Partner    VIP    Accredited Certified
It will remove all of them but then when you synchronize your users the legitimate permissions will re-populate.

Stormonts
Level 5
I'm trying this script using our settings:

[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault
 
[VaultPermissions]
vaultname = IMS Vault Store
zap     = True

But I'm getting the following error:


Creating privileged MAPI session ...

Parsing input file: c:\tools\evault\zap_all.ini

Error parsing command file: c:\tools\evault\zap_all.ini, error follows:

Line number in error:   6
Section in error:   VaultPermissions
Attribute in error: vaultname
Value in error:     IMS Vault Store


TonySterling
Moderator
Partner    VIP    Accredited Certified
You are getting that b/c it appears you are putting the name of the Vault Store and not an Archive.
 
If you want to do all the archives you can refer to the Utilities guide in the Policy Manager section for more details, but here is the excerpt:
 
ArchiveName

Mandatory. Identifies the archive to which the permission settings are applied.

If there are multiple folders with the same name and you specify a name, Policy Manager modifies only the first one that it finds. In this case, you must use archive IDs to specify the archives.

Possible values:

  • The name of an archive

  • An archive ID

  • ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)

  • ALL_JOURNAL (permissions are applied to all journal archives)

  • ALL_SHARED (permissions are applied to all shared archives)

  • ALL_MAILBOX (permissions are applied to all mailbox archives)
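
Added example, not part of the original thread or of Enterprise Vault: a pre-flight check that reads an EVPM initialization file and reports every section that zaps permissions, flagging the site-wide scope keywords listed in the excerpt above so a broad zap is noticed before the file is run. The function names and the archive name "Example Archive" are hypothetical; the section and key names are the ones used in the scripts in this thread.

```python
import re

# Scope keywords listed in the Policy Manager excerpt quoted in the thread.
BROAD_SCOPES = {"ALL", "ALL_JOURNAL", "ALL_SHARED", "ALL_MAILBOX"}
# Section -> key that names the target, as the scripts in this thread use them.
TARGET_KEYS = {"archivepermissions": "archivename", "vaultpermissions": "vaultname"}

def parse_sections(text):
    """Return [(section, {key: value})]; repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or ';' comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1).strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def review_zaps(text):
    """List every permission-zapping section with its target and a risk label."""
    findings = []
    for name, keys in parse_sections(text):
        if name not in TARGET_KEYS or keys.get("zap", "").lower() != "true":
            continue
        target = keys.get(TARGET_KEYS[name], "")
        # "broad": every archive of that type has its permissions removed.
        risk = ("broad" if target.upper() in BROAD_SCOPES
                else "single" if target else "no-target")
        findings.append({"section": name, "target": target, "risk": risk})
    return findings

# Constructed sample: one named archive plus the ALL_MAILBOX run from the thread.
SAMPLE = """\
[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault
; the archive name below is constructed
[ArchivePermissions]
ArchiveName = Example Archive
zap = True
[ArchivePermissions]
ArchiveName = ALL_MAILBOX
zap     = True
"""
```

Calling `review_zaps(SAMPLE)` returns one finding per zapping section; a reviewer can refuse to run any file that yields a `broad` or `no-target` finding without sign-off.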

 

Stormonts
Level 5
I now ran:

[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault
 
[ArchivePermissions]
ArchiveName = ALL_MAILBOX
zap     = True

And it processed through all of the archives, but the "Account Unknown" SID is still in each account.  I tried to synch mailbox permissions, but that didn't change anything.


TonySterling
Moderator
Partner    VIP    Accredited Certified
After you ran the zap and before you ran the synch did you check the permissions?

Stormonts
Level 5
Ran this script in EVPM:

[Directory]
DirectoryComputername = BRONZE
SiteName = IMS Enterprise Vault
 
[ArchivePermissions]
ArchiveName = ALL_MAILBOX
zap     = True

Screen then says:

"Processing permissions for the archive: Smith, Mark (IMS)"
"Processing permissions for the archive: Doe, John (IMS)"

Before permission sync or provisioning, I looked at the security for a couple of the accounts that were supposedly processed but the "Account Unknown" is still there.