
Exporting Email Archive Permissions in bulk.

jprknight-oldax
Level 6

Hi all,

I have a requirement to try and find email archives which no longer have a corresponding AD account, and which no users have access to.

Our situation is we have, I suspect, a large number of leavers who were not correctly processed by our leavers procedure. So their email archives are still sitting in EV, and no-one has access to the data. All they have on them is 'Account Unknown (S-1-5...', so the SID for the account which has long since been deleted.

I am wondering if anyone knows a way to export email archives with their permissions? I can then use some get-qaduser in powershell to run through the list. I can then work out which email archives no longer have an AD account and more importantly no users have access to the data. Giving me the best possible case and justification for deletion.

The closest I have found so far on the forums is https://www-secure.symantec.com/connect/forums/query-enterprise-vault-archive-permissions , but it looks as though this does not work anymore, I just get MAPI errors when the script tries to connect into the mailbox.

Any help much appreciated.

Jeremy.

1 ACCEPTED SOLUTION

Accepted Solutions

JesusWept3
Level 6
Partner Accredited Certified
The owning trustee is the billing account and not who has permissions
https://www.linkedin.com/in/alex-allen-turl-07370146


6 REPLIES 6

GertjanA
Moderator
Partner    VIP    Accredited Certified

Hi Jeremy,

Did you see this one?

https://www-secure.symantec.com/connect/forums/how-find-orphaned-archives-no-mailboxes-being-archive...


That should at least get you the list of 'orphaned archives'.

Possibly with that list you can do some funky SQL stuff to get the permissions?

Regards. Gertjan

jprknight-oldax
Level 6

Hi GertjanA,

Thanks very much for pointing me in that direction!

The SQL query from JesusWept2: Do you or JW2 happen to know if this is looking for archives which specifically do not have any valid users on the permissions list? So no users have access to them? I have checked a couple and it looks like it, but I have 1146 archives produced from the query so chances are a lot of them won't be accessible by anyone.

Thanks for supporting EV Dashboard in your signature as well ;)

Thanks again!

Jeremy.

GertjanA
Moderator
Partner    VIP    Accredited Certified

Hi Jeremy,

You're welcome. As far as I could determine, this looks for archives that have an incorrect billing account. As far as I can determine, it does not look for users on the permission-list. It might be possible to use the outcome of this query to run a query on the archives mentioned (I am assuming the permissions to the archives are also stored somewhere in SQL) to check the accounts that have permission on these.

I am not a SQL-guru, sorry.

Perhaps JW can assist.

Regards. Gertjan

jprknight-oldax
Level 6

Hi,

Thanks. I know what you mean, normally I can look at some SQL and work with it, but this one is too complex for me.

JW: If you are around could you let me know your thoughts?

Thanks.

Jeremy.

Percy_Vere
Level 6
Employee Accredited

If you open the ArchiveView view under the Directory database you can get the user's name and rootid. From the rootid you get the owningTrusteeID in the root table and then from there you can search the ACE table for related sids of that OwningTrusteeID.

For example:

Joe Bloggs is rootid 42670 and VaultEntryID 1F0630D6614FAF94AB7913426F8B66D871110000evsite

Root Table in EV Dir:

RootID  VaultEntryID                                    OwningTrusteeID
42670   1F0630D6614FAF94AB7913426F8B66D871110000evsite  24

ACE Table in EV Dir:

RootID  TrusteeID  ACEType
42670   24         0

Trustee Table in EV Dir:

24  S-1-5-21-2144874109-375287735-1566985067-51254
 
Hope that helps, don't ask me for the query to do that :)

JesusWept3
Level 6
Partner Accredited Certified
The owning trustee is the billing account and not who has permissions
https://www.linkedin.com/in/alex-allen-turl-07370146
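
The lookup chain from Percy_Vere's post combined with JesusWept3's correction, as an added example that is not part of any post in this thread: it separates "owning trustee no longer resolves" (the billing-account check) from "nobody on the ACE list resolves" (the permission check the original question asks for). It runs against an in-memory SQLite stand-in, not the EV Directory database; the Trustee column names, all sample rows, and `LIVE_SIDS` (standing in for the AD lookup done with get-qaduser) are assumptions.

```python
import sqlite3

# Table and column names follow the thread; the Trustee columns (TrusteeID, SID)
# are assumed, since the post shows only values. All rows below are constructed.
SCHEMA = """
CREATE TABLE Root    (RootID INTEGER, VaultEntryID TEXT, OwningTrusteeID INTEGER);
CREATE TABLE ACE     (RootID INTEGER, TrusteeID INTEGER, ACEType INTEGER);
CREATE TABLE Trustee (TrusteeID INTEGER, SID TEXT);
"""
ROOTS = [(1, "ARCHIVE-A", 10), (2, "ARCHIVE-B", 11), (3, "ARCHIVE-C", 12), (4, "ARCHIVE-D", 13)]
ACES = [(1, 10, 0), (2, 11, 0), (2, 20, 0), (3, 12, 0), (3, 20, 1)]
TRUSTEES = [(10, "S-1-5-21-1-2-3-1001"), (11, "S-1-5-21-1-2-3-1002"),
            (12, "S-1-5-21-1-2-3-1003"), (13, "S-1-5-21-1-2-3-1004"),
            (20, "S-1-5-21-1-2-3-2001")]
LIVE_SIDS = {"S-1-5-21-1-2-3-2001"}  # stand-in for the AD lookup: SIDs that still resolve

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Root VALUES (?,?,?)", ROOTS)
    db.executemany("INSERT INTO ACE VALUES (?,?,?)", ACES)
    db.executemany("INSERT INTO Trustee VALUES (?,?)", TRUSTEES)
    return db

def archive_sids(db):
    """Map VaultEntryID -> (owning trustee SID, set of SIDs on the ACE list)."""
    rows = db.execute("""
        SELECT r.VaultEntryID, o.SID, t.SID
        FROM Root r
        LEFT JOIN Trustee o ON o.TrusteeID = r.OwningTrusteeID
        LEFT JOIN ACE a     ON a.RootID    = r.RootID
        LEFT JOIN Trustee t ON t.TrusteeID = a.TrusteeID""")
    out = {}
    for vault, owner_sid, ace_sid in rows:
        entry = out.setdefault(vault, (owner_sid, set()))
        if ace_sid is not None:
            entry[1].add(ace_sid)
    return out

def owner_missing(db, live_sids):
    """Billing-account check only: owning trustee SID no longer resolves."""
    return sorted(v for v, (owner, _) in archive_sids(db).items() if owner not in live_sids)

def unreachable(db, live_sids):
    """Owner gone AND no SID on the ACE list resolves. ACEType is ignored because
    the thread does not say what its values mean, so any live entry keeps the archive."""
    return sorted(v for v, (owner, sids) in archive_sids(db).items()
                  if owner not in live_sids and not (sids & live_sids))
```

With the constructed rows, the owner-only check flags all four archives, while the ACE-based check leaves out ARCHIVE-B and ARCHIVE-C because a trustee that still resolves appears on their permission lists.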