
Enterprise Vault mailboxes have "Automatically set" permissions

kylehancock
Level 3

Hi everyone,

Question for the group. This could be something I'm missing easily, but wanted some clear guidance on dealing with the issue.

So I've got users who have access to everyone's vault. When I attempt to remove their access, I am told they cannot be removed as they have "automatically set" permissions associated with it. Now I've read that I can "zap" the permissions. What I want to do is make it so everyone has access to their own vaults and no one else's. I found the EVPM.exe and a folder called EVPMScripts that has a file called GrantVSAAccess.ini in it.

[Directory]
DirectoryComputerName = Server Name
SiteName = Site

[ArchivePermissions]
ArchiveName = ALL
GrantAccess = delete read write, Service Account

I'm assuming this is where I need to go to access the permissions so that not everyone and their mother has access to everyone's vaults. Do I need to make a new ini file and run that? How exactly do I zap these permissions and reset everyone to just have their own?

Thanks everyone!


AndrewB
Moderator
Partner    VIP    Accredited

If a permission is automatically set, it means that it was inherited from Exchange, so the next time sync runs, it'll be applied again.

TonySterling
Moderator
Partner    VIP    Accredited Certified

Sounds like you need to uncheck sync Inherited Permissions.

Incorrect or undesired permissions applied to archives.

Article: TECH126736  |  Created: 2010-01-18  |  Updated: 2014-08-22  |  Article URL: http://www.symantec.com/docs/TECH126736


kylehancock
Level 3

Tony,

Microsoft took away the "Mailbox Rights" on Active Directory on Exchange 2010, so I have no way of doing the first set of steps in this article. I did try the second part, and inherited permissions are already set to OFF.

Any other ideas?

TonySterling
Moderator
Partner    VIP    Accredited Certified

What do you have set for Synchronize folder permissions?

Synchronize folder permissions (Exchange Archiving General setting)

Description
 Controls whether delegate and shared folder permissions within mailboxes are synchronized. If these are not synchronized, only mailbox owners have access to the corresponding archives. For example, this prevents delegates from having access to mailbox archives.

Supported values
 Off. Folder permissions are not synchronized.
 On (default). Folder permissions are synchronized.


kylehancock
Level 3

The tasks for my mailbox server have the "Mailbox Properties and Permissions" checked. I unchecked the "Mailbox Properties and Permissions" and synced it against my own account. The sync completed, but I am still showing users who have permissions against me and I can't remove them without still getting the same error.

WiTSend
Level 6
Partner

You'll need to use the Exchange Management Console (EMC) and remove the permissions from the associated mailboxes. EV automatically assigns the permissions that are on the mailbox. Inherited permissions being unchecked only prevents container-level permissions from being set on the archive, but any additional permissions set directly on the mailbox will automatically be assigned.
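
To act on WiTSend's answer (the thread's accepted solution), it helps to see which grants sit directly on each mailbox and which arrive by inheritance. The following is an added example, not code from the thread or from Symantec: the function name, the `EXAMPLE\...` accounts and the sample entries are constructed, and only the commented lines call real Exchange Management Shell cmdlets.

```powershell
# Added example: classify mailbox permission entries before cleaning them up.
# 'EXAMPLE\svc-ev' is a placeholder for the Enterprise Vault service account,
# which must keep its mailbox access; replace it with your own account name.
function Get-NonOwnerMailboxGrant {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Ace,
        [string[]]$KeepUsers = @('NT AUTHORITY\SELF', 'EXAMPLE\svc-ev')
    )
    process {
        if ($Ace.Deny) { return }                               # deny entries grant nothing
        if ($KeepUsers -contains [string]$Ace.User) { return }  # owner and service account
        # Explicit entries must be removed on the mailbox itself; inherited
        # entries come from a container above it.
        $source = if ($Ace.IsInherited) { 'Inherited' } else { 'Explicit' }
        New-Object PSObject -Property @{
            Mailbox = [string]$Ace.Identity
            User    = [string]$Ace.User
            Rights  = ($Ace.AccessRights -join ',')
            Source  = $source
        }
    }
}

# Constructed sample entries shaped like Get-MailboxPermission output.
$sample = @(
    (New-Object PSObject -Property @{ Identity = 'example.local/Users/Alice'; User = 'NT AUTHORITY\SELF'
        AccessRights = @('FullAccess', 'ReadPermission'); IsInherited = $false; Deny = $false }),
    (New-Object PSObject -Property @{ Identity = 'example.local/Users/Alice'; User = 'EXAMPLE\bob'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }),
    (New-Object PSObject -Property @{ Identity = 'example.local/Users/Alice'; User = 'EXAMPLE\Helpdesk'
        AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }),
    (New-Object PSObject -Property @{ Identity = 'example.local/Users/Alice'; User = 'EXAMPLE\svc-ev'
        AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false })
)

# Offline run: lists EXAMPLE\bob as Explicit and EXAMPLE\Helpdesk as Inherited.
$sample | Get-NonOwnerMailboxGrant | Sort-Object Source, User |
    Format-Table Mailbox, User, Rights, Source -AutoSize

# Live use in the Exchange Management Shell:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Get-NonOwnerMailboxGrant |
#     Where-Object { $_.Source -eq 'Explicit' } |
#     Export-Csv explicit-grants.csv -NoTypeInformation
# After reviewing the CSV, preview each removal before committing it:
# Remove-MailboxPermission -Identity <Mailbox> -User <User> -AccessRights FullAccess -WhatIf
```

Drop `-WhatIf` only after the preview matches the reviewed list, then run the Enterprise Vault mailbox synchronization again and recheck the archive's permissions.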