
Permissions incorrectly set on user's vaulted items.

Kathy_Dean
Level 4
I am receiving this warning in the EV log for user JSeals. Everyone can view/search this user's vaulted items and we don't want that. No one but himself should see his vaulted items.
I have checked his permissions on his mailbox and I can't see where these permissions are set. He has no Delegates set up either.
The only permissions set on his vaulted mailbox is himself.
The folder path below indicates N/A.

Any ideas?


Event Type:Warning
Event Source:Enterprise Vault
Event Category:Archive Task
Event ID:3285
Date:3/25/2006
Time:3:05:19 AM
User:N/A
Computer:FWA-EVARCH
Description:
The folder has Default permissions set that grant all users access to this folder. By default, this has not been synchronized to the users archive.

MailboxDn: /o=AlliedVan/ou=FWA/cn=Recipients/cn=navlcorp/cn=JSeals
FolderPath:

Accepted Solutions

TonySterling
Moderator
Partner    VIP    Accredited Certified
EV 5.0 cp1a there was a change made.

Permission synchronization
Previously, the default Enterprise Vault behavior was to include the Default and Anonymous permissions when synchronizing each mailbox with its default archive. If these user settings had been modified, this had the side-effect of allowing users to view other users' archives.

Now, by default, Enterprise Vault does not synchronize the Default and Anonymous permissions.

There are now two registry entries you can use on the Archiving Service computer to control the behavior. After you install 5.0 CP1a, Enterprise Vault will automatically remove existing Default and Anonymous user settings from archives unless you use the registry entries to specify otherwise.

Create the registry entries under the following key:

HKEY_LOCAL_MACHINE
\Software
\KVS
\Enterprise Vault
\Agents

The entries are as follows:

Name: IncludeDefOrAnonPermsFromSynch
Type: DWORD
Description: Controls whether Enterprise Vault synchronizes the Default and Anonymous permissions.
Possible values:
0 (Default) - Do not synchronize Default or Anonymous permissions
1 - Synchronize Default and Anonymous permissions

Name: NoWarnForDefOrAnonPerms
Type: DWORD
Description: Controls whether Enterprise Vault creates a warning entry in the Application Event log for each folder it finds that has Default or Anonymous permissions set.
Possible values:
0 (Default) - Warn when a folder has Default or Anonymous permissions set
1 - Do not warn when a folder has Default or Anonymous permissions set


The Application Event log entries look similar to the following:

Date: 29/06/2004 Source: Enterprise Vault
Time: 18:00:42 Category: Archive Service
Type: Warning Event ID: 3284
User: N/A
Computer: DEMO
Description:
The folder has Anonymous permissions set that grant all users access to
this folder. By default, this has not been synchronized to the users archive.
MailboxDn: /o=Admin/ou=First Administrative
Group/cn=Recipients/cn=HardyO
FolderPath: Inbox
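
Added example, not part of the original posts and not Enterprise Vault code: a small parser that turns exported 3284/3285 warnings into a per-mailbox list of folders to review. It assumes a plain-text export carrying the Event ID, MailboxDn and FolderPath labels shown in the entries quoted in this thread; the function names are hypothetical, and a DN wrapped across lines is assumed to re-join with a space.

```python
import re

# Event IDs as quoted in this thread: 3284 = Anonymous, 3285 = Default.
PRINCIPAL_BY_EVENT = {3284: "Anonymous", 3285: "Default"}
FIELDS = re.compile(r"Event ID:\s*(\d+).*?MailboxDn:\s*(.*?)\s*FolderPath:[ \t]*([^\n]*)", re.DOTALL)

# Constructed export, built from the two warnings quoted in the thread.
SAMPLE_EXPORT = """\
Event ID:3285
The folder has Default permissions set that grant all users access to this folder.
MailboxDn: /o=AlliedVan/ou=FWA/cn=Recipients/cn=navlcorp/cn=JSeals
FolderPath:

Type: Warning Event ID: 3284
The folder has Anonymous permissions set that grant all users access to
this folder.
MailboxDn: /o=Admin/ou=First Administrative
Group/cn=Recipients/cn=HardyO
FolderPath: Inbox
"""

def parse_warnings(text):
    """Return one finding per 3284/3285 warning found in exported log text."""
    findings = []
    # Split before each "Event ID:" so a record missing a field cannot borrow
    # MailboxDn/FolderPath from the record that follows it.
    for chunk in re.split(r"(?=Event ID:)", text):
        m = FIELDS.match(chunk)
        if not m or int(m.group(1)) not in PRINCIPAL_BY_EVENT:
            continue
        dn = " ".join(m.group(2).split())  # re-join a DN wrapped across lines
        findings.append({
            "principal": PRINCIPAL_BY_EVENT[int(m.group(1))],
            "mailbox": dn.rsplit("cn=", 1)[-1],
            "mailbox_dn": dn,
            # Blank FolderPath: in this thread the grant was at the mailbox root.
            "folder": m.group(3).strip() or "(blank, check mailbox root)",
        })
    return findings

def by_mailbox(findings):
    """Group findings into {mailbox: [(principal, folder), ...]} for follow-up."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["mailbox"], []).append((f["principal"], f["folder"]))
    return grouped

if __name__ == "__main__":
    print(by_mailbox(parse_warnings(SAMPLE_EXPORT)))
```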


Scott_Anderso1
Level 4
There are several settings that might be of help in the advanced properties:

Go to your Mailbox Policy properties and the Advanced tab.

Under Archiving General, check out these settings:

Include default and anonymous permissions
Inherited permissions
Synchronize folder permissions
Warn if default or anonymous permissions exist

David_Messenger
Not applicable
Kathy,

the user has delegated this Folder in Outlook to give the Default user full access. Big security issue and very nice of EV to warn you!

Either find the user or open her mailbox as a primary (i.e. with a new Outlook profile). Find the folder. Right click. Properties. Permissions. Set default to "none".



David

Kathy_Dean
Level 4
David,
Thank you very much! The delegation was actually done at the root level of the user's mailbox in Outlook not thru the Delegation option which gives the right at the Inbox level.

David_Messeng1
Level 6
I hate that default account. EV really exposes it (with the pull down boxes and Archive Exploder) which originally filled me with horror but now I think it might be a Good Thing.

Michael_Bilsbor
Level 6
Accredited
Hi,

History lesson. In V5.0 we originally 'synced' permissions like Default but that just highlighted the problems of Default being set on systems (I once saw a VP mailbox which everyone in the company could have accessed.....)

So we made a change not to sync it but I got us to put that event in to the product to help highlight the security issue that the customer might have. The idea is that once you're happy with what mailboxes/folders have default then you can set a registry key so that EV subsequently doesn't give you those warnings.

David_Messeng1
Level 6
Dodo,

what ver stops default synch then?

David_Messeng1
Level 6
What about Public Folders (don't archive them but always interested)