Disable users from EV

giuliod
Level 5

 

Hi,

I have a lot of users that have been deleted from AD/Exchange without removing them from the provisioning group or disabling them, so they appear as active in the Directory DB. They are not displayed when trying to disable them from VAC.

I know that the correct procedure to delete a user/mbx is to first disable it from Vault (eventually archiving everything from it) and then from AD/Exchange, but now I need to take care of the users that have already been deleted (around 100) inappropriately.

Is there any way that I could disable them in order to ensure consistency between the effective number of active users and the information within the DB? Or maybe a query that I could run against the ExchangeMailboxEntry table to get the deleted user list and then just update the MbxArchivingState value from 1 (enabled) to 2 (disabled)?

Thanks for your help.

Accepted Solutions

JesusWept3
Level 6
Partner Accredited Certified

I'm confused as to where the comments about permissions are coming from?
Anywho, the reason they're not showing up in the disabled list is because the user is no longer provisioned. If you were to do a check in the ExchangeMailboxEntry table, you will see a user that has been deleted, with no provisioning group ID, or desktop policy etc. assigned.

The disable process really only does a couple of things: it will change the ArchiveStatus and remove the defaultvaultid from the exchangemailboxentry table, and it will update the hidden message for the user, so they can still access archived items, they just won't be able to manually archive or restore messages etc.

Since the user is gone, you can simply just delete the row in ExchangeMailboxEntry if you really wanted to.
The only times you may not want to do this is if you wanted to do a move archive.

So for instance if you've moved a user from one domain to the other without disabling them, you would want to keep the ExchangeMailboxEntry there so that when you do the move archive, it can automatically link the user from DomainA to DomainB by use of the exchangeMbxGUID and the LegacyMbxDN.

But in this case, all you are worried about is the licensing. Well, I wouldn't worry about that at all, just due to the fact that Enterprise Vault doesn't actually have the ability to track the amount of active mailboxes and archives, and you pay per active mailbox, not per archive.

To determine an infringement, you would have to be audited closely; it's not just some report they can pull. However, you can run a simple query yourself to get a rough idea of active enabled mailboxes. You could also use provisioning reports as well to help out.

As for permissions, just permission zap the user and assign them manually if need be.

https://www.linkedin.com/in/alex-allen-turl-07370146


Percy_Vere
Level 6
Employee Accredited

This may help you - http://www.symantec.com/docs/TECH35574

The problem you have is that EV knows the SIDs of users based on what AD has told it. If those SIDs no longer exist in AD then there is no way for you to cross ref them back to their accounts based on the values in EV.

The tables you are interested in are the Trustee, ACE, Root and ExchangeMailboxEntry.

Hope that helps.

giuliod
Level 5

Thanks, Percy. I was aware of the technote, but it doesn't help me as I only want to disable the users from EV just to ensure the consistency on the license utilization.

Percy_Vere
Level 6
Employee Accredited

Ok, had a play. From the archive name we can determine the primary SID and vice versa but without knowing the name of the deleted account or the SID then there is nothing we can do except manually update the ExchangeMailboxEntry. PermissionsBrowser will only tell you the same as the tables.

The tables in question are actually the Vault, root, ACE and Trustee.

Mike_McC
Level 2

In order to check the current status of the archives this is the SQL Query you'll need:

use enterprisevaultdirectory
select mbxdisplayname,mbxarchivingstate,LastModified from exchangemailboxentry
where mbxdisplayname ='DisplayName1'
OR mbxdisplayname ='DisplayName2'
order by mbxdisplayname

Just keep adding additional 'OR mbxdisplayname =' entries for each archive you need to query.

Or to produce a report on all enabled vaults the following will work (handy if the brass are asking for a report):

use enterprisevaultdirectory
select mbxdisplayname,mbxarchivingstate from exchangemailboxentry
where mbxarchivingstate ='1'
order by mbxdisplayname

As was mentioned above, you don't really need to disable vaults if the mailbox has been removed; we've only ever done that en masse if several mailboxes were migrated to another mail environment and we needed to move archive.

Hope this helps.

Mike

JesusWept3
Level 6
Partner Accredited Certified

If you have a long list of users, use IN instead of OR. For example: WHERE MbxDisplayName IN ('user1', 'user2', 'user3')

https://www.linkedin.com/in/alex-allen-turl-07370146
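
An added example, not part of any post in this thread: the state change proposed in the question, run as a dry-run transaction that records every row it touches and rolls back unless the number of changed rows equals the reviewed list. It assumes SQL Server and the table and column names quoted above; the display names, the column types and the @Commit switch are constructed for illustration, and it covers only the MbxArchivingState flag.

```sql
-- Added example, not from the thread. Assumes SQL Server and the names quoted
-- in the posts: database EnterpriseVaultDirectory, table ExchangeMailboxEntry,
-- columns MbxDisplayName and MbxArchivingState (1 = enabled, 2 = disabled).
-- Column types and display names are assumptions; back up the database first.
USE EnterpriseVaultDirectory;
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- any runtime error aborts and rolls back the transaction

-- Reviewed list of accounts confirmed as deleted from AD/Exchange (constructed).
DECLARE @Reviewed TABLE (MbxDisplayName nvarchar(256) PRIMARY KEY);
INSERT INTO @Reviewed (MbxDisplayName)
VALUES (N'DisplayName1'), (N'DisplayName2');

DECLARE @Commit bit = 0;   -- leave at 0 for a dry run; set to 1 to keep the change
DECLARE @Expected int = (SELECT COUNT(*) FROM @Reviewed);

-- Table variables are not undone by ROLLBACK, so this audit trail survives a dry run.
DECLARE @Changed TABLE (MbxDisplayName nvarchar(256), OldState int, NewState int);

BEGIN TRANSACTION;

UPDATE e
SET    e.MbxArchivingState = 2
OUTPUT deleted.MbxDisplayName, deleted.MbxArchivingState, inserted.MbxArchivingState
INTO   @Changed (MbxDisplayName, OldState, NewState)
FROM   ExchangeMailboxEntry AS e
JOIN   @Reviewed AS r ON r.MbxDisplayName = e.MbxDisplayName
WHERE  e.MbxArchivingState = 1;   -- only rows that are still enabled

DECLARE @Rows int = (SELECT COUNT(*) FROM @Changed);

-- Exactly which rows were (or would be) changed, with before and after values.
SELECT MbxDisplayName, OldState, NewState FROM @Changed ORDER BY MbxDisplayName;

-- Display names are not guaranteed unique: a duplicate name, a typo or an
-- already-disabled entry makes the counts differ, and nothing is committed.
IF @Commit = 1 AND @Rows = @Expected
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Rolled back: %d row(s) changed, %d expected.', 0, 1, @Rows, @Expected);
END
```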