cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Restore Basket to PST for Ex Employees

Hello,

I have been requested to restore some emails from ex-employees with a particular phrase match for a court subpoena. These employees mailboxes have been removed from Exchange long ago.

Using the Enterprise Vault service account I can successfully perform a search on relevant mail archives and create a basket of relevant archive items. I have enabled the export to PST option from web search. When I attempt to export the basket to PST, the operation fails and I see Event ID 2227 errors in eventlog with description "User '<unavailable>' failed to restore an item into mailbox '<unavailable>'"

As the employees mailbox does not exist, I am entering server name and mailbox alias of the Enterprise Vault Service account.

Does anyone know if what I'm attempting to do is possible or because the relevant mailbox to the items I'm trying to restore is no longer in existence that this is not possible? My only option being to export the entire archive to PST.

Thank you.

1 Solution

Accepted Solutions
Highlighted
Accepted Solution!

Few questions: What version

Few questions:

What version of EV?
Do you have DA?

I think this might be your issue:

The "Basket Restore" process will fail using Browser Search (search.asp) with Event ID 2227 and Event ID 2270

Problem

The "Basket Restore" process will fail using Browser Search (search.asp) and the following events will be logged:

Error Message

Event 2227 - Retrieval Task
User '<unavailable>' failed to restore an item into mailbox

Event 2270 - Retrieval Task
A queued operation exceeded the retry count and has been discarded
HRESULT: 0xC0040AD8

or

Event 2270 - Retrieval Task
A queued operation exceeded the retry count and has been discarded
HRESULT: 0x80040b36


A DTRACE of the RetrievalTask shows the following:

118685 11:25:35.606 [5276] (RetrievalTask) <5188> EV:M MBXPERM::CCA[/o=<ou>/cn=<domain>/cn=<user> - caller (domain\vaultadmin) does not have rights to the mailbox (0x00000001)
118686 11:25:35.606 [5276] (RetrievalTask) <5188> EV:M CRestorationAgent::UserPermissionsChecks - COM error [0x80040b36]
118687 11:25:35.606 [5276] (RetrievalTask) <5188> EV:M CRestorationAgent::RestoreSaveset - COM error [0x80040b36]


HRESULT 0x80040B36 means AGENTS_W_FAILEDUSERCHECK and usually indicates that the user who tried to restore the item isn't the owner nor an administrator of the mailbox where the user tried to restore the item to.

Cause

8.0 SP3 or higher
Security has been tightened starting in 8.0 SP3 that the vault service account will no longer be able to restore items to anyone's mailbox by design. The restoring user now needs explicit rights to the destination mailbox and permissions to the archive from which the item is being restored.

All versions
If the user entered the wrong Mailbox Alias name, the item is kept in "Restoring" status and won't be restored.

Also note that the same errors occur when restoring shortcuts via Outlook when a user is attempting a restore in a shared mailbox. 

Solution

Due to this change, the restoring user account must have full mailbox access to the mailbox in which the message will be restored.  This can be done via Exchange. 
 
1.  In Active Directory, open the user account that holds the items that are going to be restored, and go to the properties of the account.
a. Click on the Exchange Advanced tab
b. Click Mailbox Rights and give the EVRestoreUser full mailbox access

2.  From the Administration Console, expand the Archives container | Exchange Mailbox.  Add the user who requires access and add read\write permissions
3.  Synchronize the user by going to the properties of the mailbox archive task | synchronization tab | Selected mailboxes | Synchronize, find the user and click the OK button

For Exchange Server 2007, the powershell script below can be used to add permissions.


This can be added from the PowerShell command line

Permission Level:
- FULLAccess

OR

- ChangePermission

In PowerShell command line:

Add-MailboxPermission <User B or Group Mailbox> -AccessRights <Permission Level> -User UserA

For more information on Add-MailboxPermission refer to the Microsoft article below:
 http://technet.microsoft.com/en-us/library/bb124097(EXCHG.80).aspx

 

https://www.linkedin.com/in/awsterling/

View solution in original post

2 Replies
Highlighted
Accepted Solution!

Few questions: What version

Few questions:

What version of EV?
Do you have DA?

I think this might be your issue:

The "Basket Restore" process will fail using Browser Search (search.asp) with Event ID 2227 and Event ID 2270

Problem

The "Basket Restore" process will fail using Browser Search (search.asp) and the following events will be logged:

Error Message

Event 2227 - Retrieval Task
User '<unavailable>' failed to restore an item into mailbox

Event 2270 - Retrieval Task
A queued operation exceeded the retry count and has been discarded
HRESULT: 0xC0040AD8

or

Event 2270 - Retrieval Task
A queued operation exceeded the retry count and has been discarded
HRESULT: 0x80040b36


A DTRACE of the RetrievalTask shows the following:

118685 11:25:35.606 [5276] (RetrievalTask) <5188> EV:M MBXPERM::CCA[/o=<ou>/cn=<domain>/cn=<user> - caller (domain\vaultadmin) does not have rights to the mailbox (0x00000001)
118686 11:25:35.606 [5276] (RetrievalTask) <5188> EV:M CRestorationAgent::UserPermissionsChecks - COM error [0x80040b36]
118687 11:25:35.606 [5276] (RetrievalTask) <5188> EV:M CRestorationAgent::RestoreSaveset - COM error [0x80040b36]


HRESULT 0x80040B36 means AGENTS_W_FAILEDUSERCHECK and usually indicates that the user who tried to restore the item isn't the owner nor an administrator of the mailbox where the user tried to restore the item to.

Cause

8.0 SP3 or higher
Security has been tightened starting in 8.0 SP3 that the vault service account will no longer be able to restore items to anyone's mailbox by design. The restoring user now needs explicit rights to the destination mailbox and permissions to the archive from which the item is being restored.

All versions
If the user entered the wrong Mailbox Alias name, the item is kept in "Restoring" status and won't be restored.

Also note that the same errors occur when restoring shortcuts via Outlook when a user is attempting a restore in a shared mailbox. 

Solution

Due to this change, the restoring user account must have full mailbox access to the mailbox in which the message will be restored.  This can be done via Exchange. 
 
1.  In Active Directory, open the user account that holds the items that are going to be restored, and go to the properties of the account.
a. Click on the Exchange Advanced tab
b. Click Mailbox Rights and give the EVRestoreUser full mailbox access

2.  From the Administration Console, expand the Archives container | Exchange Mailbox.  Add the user who requires access and add read\write permissions
3.  Synchronize the user by going to the properties of the mailbox archive task | synchronization tab | Selected mailboxes | Synchronize, find the user and click the OK button

For Exchange Server 2007, the powershell script below can be used to add permissions.


This can be added from the PowerShell command line

Permission Level:
- FULLAccess

OR

- ChangePermission

In PowerShell command line:

Add-MailboxPermission <User B or Group Mailbox> -AccessRights <Permission Level> -User UserA

For more information on Add-MailboxPermission refer to the Microsoft article below:
 http://technet.microsoft.com/en-us/library/bb124097(EXCHG.80).aspx

 

https://www.linkedin.com/in/awsterling/

View solution in original post

Highlighted

Thanks so much Tony, that did

Thanks so much Tony, that did appear to be the issue. I permissioned myself to the required archives and used a test mailbox as the authenticating exchange mailbox and the restore to pst worked perfectly!

Thanks again!