10-20-2013 04:16 PM
Hi People,
Can anyone please assist me with the list of users that have access to each of the Vaults in EV, for both FSA and Email archive components?
Thanks.
10-20-2013 07:20 PM
Hi John,
I hope you are looking for a script which lets us know about the permissions assigned on each EV archive (Exchange or FSA). If yes, then I don't think we have any way to get assigned permission information via a SQL query/script file other than the Permission Browser tool (c:\program files\enterprise vault\permissionbrowser.exe). Basically, permissions are saved in cipher text (encrypted or unreadable format) in the SQL directory database, which is difficult to read via script/query.
There is one script created by Rob which is available at the following link, but I am not sure if that will work.
http://www.symantec.com/connect/downloads/checking-non-standard-folder-permissions
You may wish to contact your partner for a customized script, if they have developed one, and also put an idea in the enhancement portal for this request.
10-20-2013 09:10 PM
Hi EV-Counselor, what I need is a list of who has access to which mailbox or Vaults.
At the Exchange server level I can do the FullAccess permission dump using PowerShell, but I'm not sure how to do it in EV.
10-21-2013 06:53 AM
Hi John,
As EV-Counselor mentioned, the archive permissions are encrypted in the SQL server in binary format. When you look at the properties of an archive, the console reads those permissions and accesses AD to get the usernames. Unfortunately, a SQL query won't give you the information you are looking for.
10-21-2013 03:04 PM
Ah OK, thanks all for the clarification. I was asked this by the auditor regarding who has access to the Enterprise Vault data. I guess there is no way to do that.
10-21-2013 07:12 PM
We have permissionBrowser.exe, which gives permission information on an archive/archive folder, but nothing like a script.
10-21-2013 08:50 PM
Yes please, where can I get that binary?
I will need to dump that into an Excel spreadsheet.
10-21-2013 11:44 PM
USE EnterpriseVaultDirectory;

SELECT AA.ArchiveName,
       RT.VaultEntryId AS ArchiveID,
       AC.ACEType AS PermissionType,
       TT.SID
FROM Archive AA
INNER JOIN ACE AC
    ON AA.RootIdentity = AC.RootIdentity
INNER JOIN Trustee TT
    ON TT.TrusteeIdentity = AC.TrusteeIdentity
INNER JOIN Root RT
    ON RT.RootIdentity = AA.RootIdentity;

-- Archives that don't have permissions will not come in this list. PermissionType '0' means the archive has only automatic permissions, 1 means only manual permissions via VAC (in case of shared/fileserver/PF), 2 means it has a combination of automatic/manual permissions.
-- It will also not give granular information such as permission level (read/write/delete) or Deny/Allow.
-- These SIDs can be taken into an Excel sheet, and you may need to run another PowerShell/AD script for the users/groups associated with each SID and then compare (need to do some research on Google to find out any easy way to get the SID with user/group).
10-22-2013 03:27 PM
Cool, that is what I need.
So in this case I must find another way to translate the SID into the DOMAIN\Username format with some other script in Excel.
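One way to do the SID-to-name translation discussed in the two posts above, as an added example that is not part of any post in this thread. It assumes the query result was exported to CSV with the query's four column names and that the SID column holds string-form SIDs (S-1-5-...); the file names and sample rows are constructed.

```powershell
# Added example: resolve the SID column of the archive-permission query to account names.
# Constructed sample rows (not real Enterprise Vault output). The first two are
# well-known SIDs that resolve on any Windows host; the third is a made-up domain SID.
$rows = @'
ArchiveName,ArchiveID,PermissionType,SID
Finance Share,CONSTRUCTED-ARCHIVE-ID-0001,1,S-1-5-32-544
John Smith,CONSTRUCTED-ARCHIVE-ID-0002,0,S-1-5-18
Old Project,CONSTRUCTED-ARCHIVE-ID-0003,2,S-1-5-21-1111111111-2222222222-3333333333-1105
'@ | ConvertFrom-Csv
# For a real export: $rows = Import-Csv .\ev-archive-permissions.csv   (hypothetical file name)

# PermissionType meanings as given in the post with the SQL query.
$typeText = @{ '0' = 'Automatic only'; '1' = 'Manual only (VAC)'; '2' = 'Automatic + manual' }
$cache = @{}   # each distinct SID is looked up once, however many archives it appears on

function Resolve-Sid([string]$Sid) {
    if ($cache.ContainsKey($Sid)) { return $cache[$Sid] }
    try {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # An unmapped SID usually means a deleted account or an unreachable/untrusted domain.
        if ($_.Exception.GetBaseException() -is [System.Security.Principal.IdentityNotMappedException]) {
            $name = 'UNRESOLVED (deleted account or untrusted domain)'
        } else {
            $name = 'INVALID SID STRING'
        }
    }
    $cache[$Sid] = $name
    return $name
}

$report = foreach ($r in $rows) {
    [pscustomobject]@{
        ArchiveName    = $r.ArchiveName
        ArchiveID      = $r.ArchiveID
        PermissionType = $typeText[$r.PermissionType]
        SID            = $r.SID
        Account        = Resolve-Sid $r.SID
    }
}

$report | Export-Csv -Path .\ev-archive-access.csv -NoTypeInformation   # opens directly in Excel
$report | Format-Table -AutoSize
```

Rows marked UNRESOLVED are worth keeping in the audit output, since they point at permissions still held by SIDs that no longer map to an account. A SID that resolves to a group gives only the group name; its membership has to be expanded separately.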
10-22-2013 07:21 PM
Thanks John, glad to see that our suggestion really helped :) Thanks to Gabe for confirming this behaviour.
10-27-2013 06:06 PM
Yes, many thanks to all for the quick reply!
10-28-2013 08:35 AM
Glad to help!!