cancel
Showing results for 
Search instead for 
Did you mean: 

One user has admin permissions

I have one user who is able to view all archives that the vault account has rights to. I have checked Active Directory, and can find no references to the admin account in her account and vice versa. Is there a tool to see what rights a user account has in EV?
14 Replies

Re: One user has admin permissions

\Program Files\Enterprise Vault\permissionsbrowser.exe

Re: One user has admin permissions

Make that permissionbrowser.exe

Re: One user has admin permissions

Did you find the group?
 
Is the user part of Exchange Admins?
 
Jim S.
 
 

Re: One user has admin permissions

I used the permissionbrowser utility and here are the results. I have re-checked AD, and the user is not a member of Domain Admins. How can I remove the incorrect permissions for the user?
 
Below is the user's info.
 
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
  SID: S-1-5-21-1222195821-1132349098-91453608-512
  Name: Domain Admins
  DomainName: CHARNT
Group:
  SID: S-1-5-21-1222195821-1132349098-91453608-513
  Name: Domain Users
  DomainName: CHARNT
Dacl:
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags: CONTAINER_INHERIT_ACE
    Mask: 0x204BF
      0x400
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1222195821-1132349098-91453608-8063
      Name: GASKS
      DomainName: CHARNT
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      0x400
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1222195821-1132349098-91453608-8063
      Name: GASKS
      DomainName: CHARNT
 
My info is below
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
  SID: S-1-5-21-1222195821-1132349098-91453608-500
  Name: Administrator
  DomainName: CHARNT
Group:
  SID: S-1-5-21-1222195821-1132349098-91453608-500
  Name: Administrator
  DomainName: CHARNT
Dacl:
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      0x400
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1222195821-1132349098-91453608-12170
      Name: COLED
      DomainName: CHARNT
 

Re: One user has admin permissions

Denise

Try to resynchronize all permissions

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Re: One user has admin permissions

I re-synched...no luck. I have noticed that this only occurs when the user launches AE from Outlook. Through Outlook, AE opens about 20 archives, but not her archive. When she opens OWA and launches AE, she only sees her archives.

Re: One user has admin permissions

Funny...   :catsad:

Is this only occuring on her own computer, or can you reproduce this on other computers?
Is she able to actually browse those archives (and view items)?

Could you try to clear the IE cache and try it again?

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Re: One user has admin permissions

It sounds like a caching issue.
 
Jim S.

Re: One user has admin permissions

I have cleared the cache and she can still see and browse all the archives. I have logged into a test PC with her account and have reproduced the issue. Basically, instead of using her credentials when launching AE through Outlook, she is using the VSA. I have checked her account in AD (Exchange Advanced, Security & Member Of) and can find no reference to a domain admin account or the VSA.

Re: One user has admin permissions

Strange issue.
I'd suggest filing a case with Symantec.
(Haven't got more ideas for this one)

Sorry.

Could you post your findings here?

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Re: One user has admin permissions

You can go the reverse.
 
See if she can create a domain user and try other admin functions.
 
Jim S.

Re: One user has admin permissions

She can view AD, but is unable to add a new user or make changes.

Re: One user has admin permissions

If you look at one of the person's archives that is showing up in AE within the EV console does it show the person who should not have access listed in the permissions tab?

Re: One user has admin permissions

The user only sees the archives that have explicit Vault Admin permissions. When I view the archives of a user with explicit Vault Admin permissions, they only see their own archive. After extensive conversations with Symantec tech support and Microsoft tech support, the only resolution is to copy the user's AD account and delete the original account. The test copy account we created does not exhibit the same issues.