cancel
Showing results for 
Search instead for 
Did you mean: 

Enterprise Vault in Archive Explorer some users can see other users archived items

awb123
Level 2

Morning all,

 

When opening Archive Explorer through Microsoft Outlook 2007 you are redirected and in the top left corner of the window is your name displayed which is expandable and shows you all your archived email.

 

Here is the problem, I have a few users that have their own name showing and working with no issues.  However, they are also displaying other users archived items.  So another users name is also present and expandable and they are able to view another users archived items.

 

Please can someone shed some light to why this is happening and how to stop this from happening?

 

Many thanks for your time and if you require any further information please ask.

 

Andy

24 REPLIES 24

RVD
Level 5
Partner

Hi Andy,

 

When users can see more archives than their own in Archive Explorer, than this means that they also have access on the Exchange mailboxes of those users.

Security from Exchange mailboxes is synchronized towards the EV archives.

 

So, the 'issue' you report is in fact standard behaviour. If the specific users may not see the archives of the other users, you have to check the mailbox security on the involved Exchange mailboxes.

 

greetz,

 

Rudy

 

awb123
Level 2

Hi,

 

sorry for the late reply.

 

I checked a user that has 2 archive explorer mailboxes in view and he did have access rights to that particular users mailbox.  I have removed the access rights and have left this for a few days and he is still able to view that users archive explorer?

 

With the handful of other users they do not currently have any access rights to the mailboxes of the people they can view within their archive explorer.  Further investigation has proven that at some point they used to have access rights but do not anymore.  

 

So my question is how can eliminate the security access rights picked up by enterprise vault when they no longer have the access rights on exchange?  

 

Thanks,

 

Andy

Janaina
Level 3

Hi awb123,

 

Can you check the particular user's archive in Admin console and see if the user(the one who can see two archives in Archive Explorer) is not granted permission on the archive ?

You can also use Permission Browser which is located in Enterprise Vault Install folder on the EV server to check permissions.

Alternative to this is denying permission on the user's archive - synchronizing mailbox and try opening Archive explorer. If you can still see the archive in archive explorer right click on righ pane in AE and refresh

JB22
Level 5
Have you tried to just refresh the view on the left pane where they see the other users archive?

phenian
Level 3

I have exactly the same problem.  I had to give myslef permissions to a number of Exchange mailboxes some time ago and all their vaults popped up within my AE as expected.  I then removed all my permissions to their mailboxes but their vaults are still visible within AE.  I don't have any permissions to their mailboxes within Exchange and the admin console and Permissions Explorer within EV don't show my account listed but their vaults still show up.  I have run numerous resyncs but I can't get rid of the vaults. 

GertjanA
Moderator
Moderator
Partner    VIP    Accredited Certified

Hello,

 

Make sure that when you sync, you select to sync the Folder hierarchy and permissions too! This will reset the permissions on the archive.

Then, when the sync is done, have the user seeing the additional vaults close Outlook, wait a minute, than restart Outlook. Check.

When the user still sees additional archives, close Outlook, run the evresetclient, start Outlook, check again.

 

Make sure that the sync has run to completion.

 

GJ

Regards. Gertjan

phenian
Level 3

I have run the sync with the Folder permissions set but they are still there.  Where do I find the EVResetclient tool?

phenian
Level 3

Sorry - found the tool.  Closed Outlook, ran the tool successfully, restarted Outlook.  All the vaults are still there.

Any other ideas?

 

GertjanA
Moderator
Moderator
Partner    VIP    Accredited Certified

HI Phenian,

 

I am pretty sure the syncing should fix the issue. I recall having to wait a while for the actual shared vault 'disappeared', but it does happen. I'll see if I can retrieve my notes for that issue to see what I did.

 

GJ

Regards. Gertjan

phenian
Level 3
Any further ideas - I still have about 20 mailboxes which I don't have access to but appear as vaults in my list/  I also now have a whole load of garbage when i click on search vaults starting with "Results Sorting Please wait" and scrolling down to "Find Now"  There is over a page of this with loads of buttons whcih dont do anything and my actual search button is over a page away - any ideas on that one?

shahss
Not applicable

Hi

Any further ideas anyone - Still having extra mailboxes appearing under archive explorer, despite having NO permission. I have sync the permission and waited and made sure there is no permission set in AD and in exchange etc. I should not be able to see other users mailbox in my archive explorer.

It seems I am havign the same issue as AWB123. Please post if you have any fix/ideas. Thanks.

Shahss

Paul_Grimshaw
Level 6
Employee Accredited Certified

There has to be permission coming from somewhere as we do not make up permissions so if you are confident that there is nothing from an AD perspective then these users could have switched on outlook delegation by maybe switching on access at that level.

The easiest thing to do to confirm all access on the archive is to use the permissionbrowser.exe tool that you can find in the enterprise vault directory.

This is a GUI based tool and you can select the archive that you can see in your AE list and check out all of the ACL's etc that are on that archive.

From there you will understand what has happened.

GuruPrasadNS
Level 4

found it very useful. have just used it and would see the result once sync runs.

Jason_G
Level 4
Certified

is it worth 'zapping' permissions on the archive and then can at least determine if the permissions are still being synched from somewhere or if they have just been hard set somewhere.

If after 'zapping', you can no longer see them, then it was something left over from a change in the past, if the vaults re-appear then it has synched it from somewhere.

Looking into the same thing in the past, I think the following places are where the permissions are taken from:

-Outlook Mailbox permissions
-Outlook Delegates
-EV permissions applied directly from the VAC
-Exchange Mailbox Rights (if you look at the properties of the account in ADUC, click on the 'Exchange Advanced' tab, then 'Mailbox Rights'
-Sometimes permissions on the AD account (if you look at the properties of the account, 'Security' tab)
 

Would be interested in the resolution to this as we have a situation where all members of admin groups (enterprise admins, domain admins etc) have access to a user's vault visible via AE. - ther permissions for this user's AD account or Archive does not appear to be any different to other users.

 

GuruPrasadNS
Level 4

observation is still on - seeing good results.

Jason_G
Level 4
Certified

observation is still on - seeing good results.

 

what do you mean?

GuruPrasadNS
Level 4

i removed inherited permissions from AD after going through the utility permissionbrowser and synced the mailboxes and found permission related alerts and warnings disappeared and also users who use to see other mailbox archives stopped.

jeffakiti
Not applicable
Employee
All products installed and activated are getting updated within the Symantec Endpoint Proctection; except the Virus Definitions for the Win32.11.
We are running on windows 2003  platform.

MichelZ
Level 6
Partner Accredited Certified
Hi

Could you post this again in the Endpoint Protection forums?
This is the "Enterprise Vault" forum, and we're not Endpoint Protection experts. The folks over at the Endpoint Protection forums are able to help you for sure.

https://www-secure.symantec.com/connect/security/forums/endpoint-protection

Cheers



cloudficient - EV Migration, creators of EVComplete.