05-29-2012 03:36 AM
Hi!
We startet with PF-Archiving a few Weeks ago on EV 10 and used one single PF and its subfolders to get the proof, that it is working. At the beginning everyone was happy. The folder showed up in the Archive Explorer for everyone who had granted permissions on the original PF. After a while the PF did not show up any more in Archive Explorer. I checked the Archive in the console and then there was no single permission on that PF in EV anymore. The rights on the original folder in Exchange have not been touched and are still the same.
Running a DTRACE a see the following:
74571 10:39:14.139 [3176] (PublicFolderTask) <11652> EV:L {CFolderHelper::GetFolderSettings:#1109} Synchronising folder permissions for folder [Interne Systeme]
74572 10:39:14.139 [3176] (PublicFolderTask) <11652> EV:M CSynchHelper::SFP(Interne Systeme) - Opening PR_ACL_TABLE
74573 10:39:14.171 [3176] (PublicFolderTask) <11652> EV:M CSynchHelper::SFP(Interne Systeme) - Anonymous permissions exist on this folder
74574 10:39:14.171 [3176] (PublicFolderTask) <11652> EV:M CSynchHelper::SFP(Interne Systeme) - add permissions to dacl
74575 10:39:14.171 [3176] (PublicFolderTask) <11652> EV:M CSynchHelper::SFP(Interne Systeme) - Setting ANONYMOUS permissions to Security Descriptor, Grant Mask = 0x00000002
74576 10:39:14.171 [3176] (PublicFolderTask) <11652> EV:M CSynchHelper::SFP(Interne Systeme) - Set the dacl in the security descriptor
74577 10:39:14.171 [3176] (PublicFolderTask) <11652> EV:M CSynchHelper::SFP(Interne Systeme) - Not updating security descriptor in the database as it hasn't changed
I can see no errors and I don't know why the rights are no longer synchronized correctly. Even when i change the rights on the original PF, the messages from DTRACE look the same. It seems that EV is not able to get the original rights anymore.
Any help is very welcome and thanks in advance!
Solved! Go to Solution.
06-27-2012 01:38 AM
Have you checked the replica schedule and that the correct public folder database is set for the mailbox DB of the system mailbox? If there are multiple replicas for this folder have you left enough time for the replication to occur before synchronizing?
It may also be worthwhile getting a folder permission dump from Exchange 2010 management shell (get-publicfolderclientpermission) to check this corresponds with Outlook.
It could also be a folder higher in the tree has lost its permissions, any break in the permission chain means the lower folders won't be visible in Archive Explorer.
Thanks
Karl
05-29-2012 03:56 AM
What permisions are showing on the PF archive(s) after you have synched the permisions again?
05-29-2012 04:06 AM
The permission list is still completely empty (attachment shows what I mean with completely empty ;-)), while there are several permissions on the original PF. Syncing the permissions is done every night with the Public Folder Task. To get a fast result I used "run now" on the PF-Task to the get permissions synced.
05-29-2012 04:09 AM
Could you enable the dtrace and then perform a sync. on the PF task properties, there should be a synchronise tab (i believe) been a while since i touched PF folder archiving. A 'run now' won't sync the permissions.
05-29-2012 04:56 AM
There is no manual synchronisization for PF. This is part of the regular task, including "run now" and this even in report mode. Sync-Tabs are only available for File und Mailboxes. I just checked this and also got this confirmed checking the EV-Forum.
As far as I can see now, only the rights for Anomymous and "Authenticated Users" are synced. So when I change the permission for Anonymous, those changes are perfectly synced. Only the permissions for everyone else are completely ignored.
05-29-2012 05:46 AM
You're right that you do a run now to get the permissions.
quick question though, what version of exchange is this?
05-29-2012 05:54 AM
It is a Exchange 2010 Server.
05-29-2012 05:56 AM
hold on a second, are you determining the permissions based on the archive properties in the VAC?
What happens when you view it through PermissionsBrowser.exe instead?
05-29-2012 06:07 AM
Further to what JW2 said, please use this:
Article: TECH56331 | | | Created: 2007-01-20 | | | Updated: 2010-12-16 | | | Article URL http://www.symantec.com/docs/TECH56331 |
05-29-2012 06:07 AM
In the VAC the permission list for this public folder archive is completely empty. Looking through PermissionsBrowser I see, that there is Anonymous set. I made an screenshot (attachment) to show you how it looks like in PermissionsBrowser.
05-29-2012 06:24 AM
I worked through this document and used the Permissions Browser to see, that Anonymous has some rights set but no one else. When I change the rights on the Public Folder via Outlook and do a Run Now on the PF-Task, the changed rights for Anonymous are synced to EV. The rights for everyone else on this PF are NOT synced to EV.
06-27-2012 01:38 AM
Have you checked the replica schedule and that the correct public folder database is set for the mailbox DB of the system mailbox? If there are multiple replicas for this folder have you left enough time for the replication to occur before synchronizing?
It may also be worthwhile getting a folder permission dump from Exchange 2010 management shell (get-publicfolderclientpermission) to check this corresponds with Outlook.
It could also be a folder higher in the tree has lost its permissions, any break in the permission chain means the lower folders won't be visible in Archive Explorer.
Thanks
Karl