
List of VSA permissions - Enterprise Vault 9.0.1

lukassc
Level 5
Partner

Hi everyone! I need to know if there is any way to list all the permissions that my actual VSA has.

I need to set only the necessary permissions.

Thx!!

Accepted Solutions

KarlW
Level 6
Employee

There are a number of articles (a few below, a search turns up lots more) that help show how to add permissions both with the script and manually.  Also the EV documentation contains a section 'Microsoft Exchange permissions assigned to the Vault Service account' listing the permissions granted by the script and to which AD container.

http://www.symantec.com/docs/TECH51293

http://www.symantec.com/docs/TECH76700

http://www.symantec.com/docs/HOWTO75036

There is no way to list the existing permissions the EV account has; the procedure to go about this will really depend on how you set them in the first place. The general way to do this is to use AdsiEdit: start at the top of the Exchange organization and check the security. If the EV account is listed but not inherited, the permissions would have been set manually or via the script. If set by the script, you can re-use the script to remove the permissions it set; if manual, you'll need to walk the nodes and remove the permissions where found.

Start with the nodes listed in the EV documentation.

Thanks

Karl
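
The AdsiEdit check described in this answer (find entries for the EV account that are listed but not inherited) can be scripted; the following PowerShell is an added example, not part of the thread and not Symantec's permissions script. The function names, the account `EXAMPLE\svc-ev`, the distinguished names and the GUID values are constructed placeholders.

```powershell
# Added example. Account name, DNs and GUIDs below are constructed placeholders.

function Get-ExplicitAce {
    # Keep only ACEs that name $Identity directly and are NOT inherited,
    # i.e. the ones set by hand or by a script on this very object.
    param($AccessRule, [string] $Identity, [string] $ObjectPath = '')
    foreach ($ace in $AccessRule) {
        if ($ace.IsInherited) { continue }
        if ("$($ace.IdentityReference)" -ine $Identity) { continue }
        [pscustomobject]@{
            Object     = $ObjectPath
            Rights     = "$($ace.ActiveDirectoryRights)"
            Type       = "$($ace.AccessControlType)"
            ObjectType = "$($ace.ObjectType)"   # GUID of the extended right, if any
        }
    }
}

function Get-ExplicitAceFromDirectory {
    # Live walk of every object under $SearchBase (needs a domain-joined host
    # and read access to the configuration partition).
    param([Parameter(Mandatory)] [string] $SearchBase,
          [Parameter(Mandatory)] [string] $Identity)
    $root     = [ADSI]"LDAP://$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 500
    foreach ($hit in $searcher.FindAll()) {
        # includeExplicit = $true, includeInherited = $false
        $rules = $hit.GetDirectoryEntry().psbase.ObjectSecurity.GetAccessRules(
            $true, $false, [System.Security.Principal.NTAccount])
        Get-ExplicitAce -AccessRule $rules -Identity $Identity -ObjectPath $hit.Path
    }
}

# Constructed sample ACEs, shaped like ActiveDirectoryAccessRule objects,
# so the filter can be tried without a directory.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\svc-ev'; IsInherited = $false
        ActiveDirectoryRights = 'ExtendedRight'; AccessControlType = 'Allow'
        ObjectType = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\svc-ev'; IsInherited = $true
        ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow'
        ObjectType = '00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\other-admin'; IsInherited = $false
        ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'
        ObjectType = '00000000-0000-0000-0000-000000000000' }
)
Get-ExplicitAce -AccessRule $sample -Identity 'EXAMPLE\svc-ev' `
    -ObjectPath 'LDAP://CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
```

Only the first sample entry is returned. The filter matches ACEs that name the account itself, so rights reaching it through group membership have to be checked by repeating the search for each group.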


6 REPLIES

JesusWept3
Level 6
Partner Accredited Certified

On the local machine? In SQL? In AD? In Exchange? Or all of the above?

https://www.linkedin.com/in/alex-allen-turl-07370146

JesusWept3
Level 6
Partner Accredited Certified

If you're talking about all the different archives you may have given the EVAdmin Read/Write/Delete rights to, then this is unfortunately not possible with the current tools, you would have to go through the vault admin console and make sure the user isn't listed in any archive.

And even then someone could have given the user access through delegate permissions, in which case you would have to use PermissionsBrowser.exe to go through each archive and each folder to see if it's listed, and hope that your user isn't in a security group nested in another security group that has access to a particular archive.

If you're talking on a local machine:
Type 'whoami /all' in a command prompt and it will give you a list of all the groups the user belongs to, all the different privileges like 'SeImpersonatePrivilege' and so on and so forth.

If you're talking about Exchange:
The Exchange org should already have the EV Admin account having Send As/Receive As on the entire organization, and Send On Behalf As granted to the EV System Mailboxes.

Depending on the version of Exchange, with 2003 you would do this through the Management Console, where you can show the hidden security page and set it there and have it go through the entire topology.

Through Exchange 2007 it was recommended to use ADSI Edit to grant the privileges and rights there, and in Exchange 2010 it was recommended to use the PowerShell scripts.

The EVAdmin account should have access to anyone's mailbox at any time on any Exchange server without being prompted for a username and password.

https://www.linkedin.com/in/alex-allen-turl-07370146

lukassc
Level 5
Partner

Ok thx, so Symantec doesn't have any way to know what the actual permissions of my VSA in Exchange are.

And, can I export the permissions to another user? I have 2 EV servers, and I need to export the permissions from one VSA to another. Is it possible?

Thx

 

JesusWept3
Level 6
Partner Accredited Certified

So you are asking what permissions the EVAdmin account has in Exchange, right?
As in Send As/Receive As etc., or are you talking about where users may have granted delegate permissions?

All you need to do is just run the permissions script against another VSA account, I suppose, if you want to swap it all over, but you'd have to treat it like a new install really.

i.e. the new VSA needs to be DBO of all of the EnterpriseVault databases, it needs to be db_creator in SQL, it needs to be a local admin on the EV Server, etc.

One thing, however: you can only have one VSA. The closest you can get to having two is to have tasks Run As the new user that you set up, but it will not allow you to do things like USL, so you would have to change the username/password in the VAC for the new VSA to take over.

But to the original question, those are all Exchange questions, so I wouldn't expect Symantec to have a tool to list out permissions that the user has in Exchange, since that's all on Microsoft and I'm sure they have PowerShell commands.

That being said, if you look at the setup guides, or the Exchange 2010 PowerShell scripts for EV, it will show you right there what permissions it's looking to set.

https://www.linkedin.com/in/alex-allen-turl-07370146

lukassc
Level 5
Partner

I know about the script, but we can't use it because of a security problem. We need to assign the permissions manually.

Thx!
