
One user has admin permissions

Denise_Sobieraj
Level 4
I have one user who is able to view all archives that the vault account has rights to. I have checked Active Directory, and can find no references to the admin account in her account and vice versa. Is there a tool to see what rights a user account has in EV?
14 REPLIES 14

Maynard_K
Level 6
Employee
\Program Files\Enterprise Vault\permissionsbrowser.exe

Maynard_K
Level 6
Employee
Make that permissionbrowser.exe

jimbo2
Level 6
Partner
Did you find the group?
 
Is the user part of Exchange Admins?
 
Jim S.
 
 

Denise_Sobieraj
Level 4
I used the permissionbrowser utility and here are the results. I have re-checked AD, and the user is not a member of Domain Admins. How can I remove the incorrect permissions for the user?
 
Below is the user's info.
 
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
  SID: S-1-5-21-1222195821-1132349098-91453608-512
  Name: Domain Admins
  DomainName: CHARNT
Group:
  SID: S-1-5-21-1222195821-1132349098-91453608-513
  Name: Domain Users
  DomainName: CHARNT
Dacl:
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags: CONTAINER_INHERIT_ACE
    Mask: 0x204BF
      0x400
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1222195821-1132349098-91453608-8063
      Name: GASKS
      DomainName: CHARNT
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      0x400
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1222195821-1132349098-91453608-8063
      Name: GASKS
      DomainName: CHARNT
 
My info is below
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
  SID: S-1-5-21-1222195821-1132349098-91453608-500
  Name: Administrator
  DomainName: CHARNT
Group:
  SID: S-1-5-21-1222195821-1132349098-91453608-500
  Name: Administrator
  DomainName: CHARNT
Dacl:
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      0x400
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1222195821-1132349098-91453608-12170
      Name: COLED
      DomainName: CHARNT
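
One way to check a permissionbrowser dump like the two above for trustees you did not expect, as an added example that is not part of the original thread: a small Python parser for this layout. The sample dump, its SIDs and names (USERA, SVC_VAULT, EXAMPLE) and the function names are constructed for illustration.

```python
# Constructed dump in the layout posted above (made-up SIDs/names, rights lists shortened).
SAMPLE = """\
Owner:
  Name: Domain Admins
  DomainName: EXAMPLE
Dacl:
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags: CONTAINER_INHERIT_ACE
    Mask: 0x204BF
      0x400
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1111111111-2222222222-3333333333-1001
      Name: USERA
      DomainName: EXAMPLE
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-1111111111-2222222222-3333333333-1002
      Name: SVC_VAULT
      DomainName: EXAMPLE
"""

def parse_aces(dump):
    """Return one dict per ACE found under 'Dacl:' in the dump."""
    aces, ace, in_mask = [], None, False
    for line in (l.strip() for l in dump.splitlines()):
        key, sep, value = line.partition(":")
        if line == "Header:":              # every ACE starts with a Header block
            ace, in_mask = {"rights": []}, False
            aces.append(ace)
        elif ace is None or not line:      # Owner/Group lines before the DACL, blanks
            continue
        elif sep:                          # "Key: value" inside the current ACE
            in_mask = key == "Mask"
            ace[key] = int(value, 16) if in_mask else value.strip()
        elif in_mask:                      # bare lines under Mask are the listed rights
            ace["rights"].append(line)
    return aces

def unexpected_trustees(dump, expected):
    """Allow-ACE trustees (DOMAIN\\Name, mask) that are not in `expected`."""
    hits = [(f'{a.get("DomainName")}\\{a.get("Name")}', hex(a["Mask"]))
            for a in parse_aces(dump) if a.get("AceType") == "ACCESS_ALLOWED_ACE_TYPE"]
    return [h for h in hits if h[0] not in expected]
```

Calling `unexpected_trustees(SAMPLE, {"EXAMPLE\\USERA"})` on the constructed dump reports the second ACE's trustee, which is the kind of entry to look for on an archive a user should not be able to open.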
 

MichelZ
Level 6
Partner Accredited Certified
Denise

Try to resynchronize all permissions

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Denise_Sobieraj
Level 4
I re-synched...no luck. I have noticed that this only occurs when the user launches AE from Outlook. Through Outlook, AE opens about 20 archives, but not her archive. When she opens OWA and launches AE, she only sees her archives.

MichelZ
Level 6
Partner Accredited Certified
Funny...   :(

Is this only occurring on her own computer, or can you reproduce this on other computers?
Is she able to actually browse those archives (and view items)?

Could you try to clear the IE cache and try it again?

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

jimbo2
Level 6
Partner
It sounds like a caching issue.
 
Jim S.

Denise_Sobieraj
Level 4
I have cleared the cache and she can still see and browse all the archives. I have logged into a test PC with her account and have reproduced the issue. Basically, instead of using her credentials when launching AE through Outlook, she is using the VSA. I have checked her account in AD (Exchange Advanced, Security & Member Of) and can find no reference to a domain admin account or the VSA.

MichelZ
Level 6
Partner Accredited Certified
Strange issue.
I'd suggest filing a case with Symantec.
(Haven't got more ideas for this one)

Sorry.

Could you post your findings here?

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

jimbo2
Level 6
Partner
You can go the reverse.
 
See if she can create a domain user and try other admin functions.
 
Jim S.

Denise_Sobieraj
Level 4
She can view AD, but is unable to add a new user or make changes.

Mojorsn
Level 5
If you look at one of the person's archives that is showing up in AE within the EV console, does it show the person who should not have access listed in the permissions tab?

Denise_Sobieraj
Level 4
The user only sees the archives that have explicit Vault Admin permissions. When I view the archives of a user with explicit Vault Admin permissions, they only see their own archive. After extensive conversations with Symantec tech support and Microsoft tech support, the only resolution is to copy the user's AD account and delete the original account. The test copy account we created does not exhibit the same issues.