cancel
Showing results for 
Search instead for 
Did you mean: 

Permissions on Mailbox Archives - automatically set permissions

Darren_Broughto
Level 3
When I look at the permissions on a few of our users mailbox archives, as well as their own, I see my own user account. I don't want this so when I try to remove my account I get the message "Account username cannot be removed as it has automatically set permissions associated with it" I have top level permissions throughout Exchange, but I would expect to see this on all the users if this were the case. Does anyone know how I can remove these "higher" permissions.

Thanks
1 ACCEPTED SOLUTION

Accepted Solutions

David_Messeng1
Level 6
Darren,

the Reg Key is IncludeInheritedRights. It is documented on Page 53 of the Version 6 Admin Guide (http://ftp.support.veritas.com/pub/support/products/Exchange_Mailbox_Archiving_Unit/277778.pdf). It's got a "Legacy Name" so I guess version 6 can apply it within the Admin Console rather than you having to stick in a registry key.

Helpfully the manual doesn't tell you where to put the key if you aren't at ver 6 yet and there doesn't appear to be any other documentation. How unusual.

HKLM\Software\KVS\Enterprise Vault\Agents.

It's a DWORD. 1 = include them (don't do this!) 0 = don't (but this should be the default EV behavior anyway)

So there you go. You only need apply this if you think EV might be exhibiting bug behavior.

Hope this is helpful


David
http://messy.bravehost.com/

View solution in original post

4 REPLIES 4

David_Messeng1
Level 6
Darren,

I suspect you have full access permissions on everyone's mailbox in Exchange. These are replicated through into EV.

I wouldn't advise that your day to day account has the ability to read everyones email in your company. Your auditors won't like it apart from anything else.

If you want this access quickly then set yourself up another admin account (or better, a group) and give it the permissions and take them off your day to day account. Remember that if you ever need to get into people mailboxes quickly you can always use the "Run As..." option (on an XP box).

I hope this helps

There is also a registry setting to exclude inherited rights but I'm guessing you already have this set (you'd be mad not to) and I've a feeling it's default behavious from about SP3 onwards.

Hope this helps, let me know.

David
http://messy.bravehost.com/

Darren_Broughto
Level 3
I think you're right, we need to set up separate logonsfor full access to mailboxes. You've got me a bit worried though. What is the registry setting to exclude inherited rights. We're on SP5 of KVS and SP3 for Exchange.

David_Messeng1
Level 6
Darren,

the Reg Key is IncludeInheritedRights. It is documented on Page 53 of the Version 6 Admin Guide (http://ftp.support.veritas.com/pub/support/products/Exchange_Mailbox_Archiving_Unit/277778.pdf). It's got a "Legacy Name" so I guess version 6 can apply it within the Admin Console rather than you having to stick in a registry key.

Helpfully the manual doesn't tell you where to put the key if you aren't at ver 6 yet and there doesn't appear to be any other documentation. How unusual.

HKLM\Software\KVS\Enterprise Vault\Agents.

It's a DWORD. 1 = include them (don't do this!) 0 = don't (but this should be the default EV behavior anyway)

So there you go. You only need apply this if you think EV might be exhibiting bug behavior.

Hope this is helpful


David
http://messy.bravehost.com/

Darren_Broughto
Level 3
Brilliant, thats what I've been after.

Thanks