
Need some script or way to extract list of users to each Vaults ?

John_Santana
Level 6

Hi People,

Can anyone please assist me with the list of users that have access to each of the Vaults in EV, for both the FSA and Email archive components?

Thanks.


Pradeep-Papnai
Level 6
Employee Accredited Certified

Hi John,

I hope you are looking for a script which lets us know about the permissions assigned on each EV archive (Exchange or FSA). If yes, then I don't think we have any way to get the assigned permission information via a SQL query/script file other than the permission browser tool (c:\program files\enterprise vault\permissionbrowser.exe). Basically, permissions are saved as cypher text (encrypted or unreadable format) in the SQL directory database, which is difficult to read via a script/query.

There is one script created by Rob which is available at the following link, but I am not sure if that will work.

http://www.symantec.com/connect/downloads/checking-non-standard-folder-permissions

You may wish to contact your partner for a customized script, if they have developed one, and also put an idea in the enhancement portal for this request.

John_Santana
Level 6

Hi EV-Counselor, what I need is a list of who got access to which mailbox or Vaults?

At the Exchange server level I can do the FullAccess permission dump using PowerShell, but I'm not sure how to do it in EV.

GabeV
Level 6
Employee Accredited

Hi John,

As Ev-Counselor mentioned, the archive permissions are encrypted in the SQL server in binary format. When you look at the properties of an archive, the console reads those permissions and accesses AD to get the usernames. Unfortunately, a SQL query won't give you the information you are looking for.

John_Santana
Level 6

Ah OK, thanks all for the clarification. I was asked this by the auditor regarding who got access to the Enterprise Vault data. I guess there is no way to do that.

Pradeep-Papnai
Level 6
Employee Accredited Certified

We have permissionBrowser.exe, which gives permission information on an archive/archive folder, but nothing like a script.

John_Santana
Level 6

Yes please, where can I get that binary?

I will need to dump that into an Excel spreadsheet.

Pradeep-Papnai
Level 6
Employee Accredited Certified

USE EnterpriseVaultDirectory

SELECT AA.ArchiveName, RT.VaultEntryId AS ArchiveID, AC.ACEType AS PermissionType, TT.SID
FROM Archive AA
INNER JOIN ACE AC ON AA.RootIdentity = AC.RootIdentity
INNER JOIN Trustee TT ON TT.TrusteeIdentity = AC.TrusteeIdentity
INNER JOIN Root RT ON RT.RootIdentity = AA.RootIdentity

-- Archives that don't have permissions will not appear in this list. PermissionType '0' means the archive has only automatic permissions, 1 means only manual permissions via VAC (in case of shared/fileserver/PF), 2 means it has a combination of automatic/manual permissions.

-- It will also not give granular information such as the permission level (read/write/delete) or Deny/Allow.

-- These SIDs can be taken into an Excel sheet, and you may need to run another PowerShell/AD script to get the user/group associated with each SID and then compare (you need to do some research on Google to find an easy way to get the SID with the user/group).

John_Santana
Level 6

Cool, that is what I need.

So in this case I must find another way to translate the SID into the DOMAIN\Username format with some other script in excel.
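
Added example, not part of the original thread and not code from any poster or from the Enterprise Vault product: one way to do the SID-to-DOMAIN\Username step discussed above in PowerShell before opening the result in Excel. It assumes the query's SID column comes back in string form (S-1-5-...); the sample rows, archive names, archive IDs and output file name are constructed placeholders.

```powershell
# Added example: turn the SID column from the EnterpriseVaultDirectory query into account names.
# Assumption: TT.SID is in string form (S-1-5-...), one CSV row per archive/trustee pair.
# The rows below are constructed sample data; replace them with Import-Csv on your own export.
$rows = @'
ArchiveName,ArchiveID,PermissionType,SID
Finance Share,CONSTRUCTED-ARCHIVE-ID-01,1,S-1-5-32-544
Finance Share,CONSTRUCTED-ARCHIVE-ID-01,1,S-1-5-21-1111111111-2222222222-3333333333-1105
Mailbox - J Doe,CONSTRUCTED-ARCHIVE-ID-02,0,S-1-5-18
Public Folder A,CONSTRUCTED-ARCHIVE-ID-03,2,not-a-sid
'@ | ConvertFrom-Csv

# PermissionType meanings as given in the post with the query.
$typeText = @{ '0' = 'Automatic only'; '1' = 'Manual only (VAC)'; '2' = 'Automatic and manual' }
$cache = @{}   # each SID is looked up once, however many archives reference it

function Resolve-Sid {
    param([string]$Sid)
    if ($cache.ContainsKey($Sid)) { return $cache[$Sid] }
    try {
        $obj  = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                           -ArgumentList $Sid -ErrorAction Stop
        $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # .NET exceptions arrive wrapped; inspect the innermost one.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Security.Principal.IdentityNotMappedException]) {
            $name = 'UNRESOLVED (deleted account or unreachable domain)'
        } else {
            $name = 'INVALID SID VALUE'
        }
    }
    $cache[$Sid] = $name
    return $name
}

$report = foreach ($r in $rows) {
    [pscustomobject]@{
        ArchiveName    = $r.ArchiveName
        ArchiveID      = $r.ArchiveID
        PermissionType = $typeText[[string]$r.PermissionType]
        SID            = $r.SID
        Account        = Resolve-Sid -Sid $r.SID.Trim()
    }
}

# CSV opens directly in Excel; the file name is a placeholder.
$report | Sort-Object ArchiveName, Account |
    Export-Csv -Path .\ev_archive_access.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

Rows marked UNRESOLVED are SIDs that no longer map to an account and are worth listing separately for the auditor. A trustee that resolves to a group still needs its membership expanded to show which users actually have access.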

Pradeep-Papnai
Level 6
Employee Accredited Certified

Thanks John, glad to see that our suggestion really helped :) Thanks to Gabe for confirming this behaviour.

John_Santana
Level 6

yes, many thanks to all for the quick reply !

GabeV
Level 6
Employee Accredited

Glad to help !!