01-08-2009 08:27 AM
Okay - before everyone rushes in with the quick solutions... =)
1) We have checked all policies; they are not currently set to allow Inherited Permissions, Synchronize Permissions is now OFF, and Include Default and Anonymous is set to OFF.
2) We have run the EVPM script to Zap Archive Permissions (multiple times).
3) We have checked for permissions both in AD and Exchange as well as Outlook Delegation to try to justify these automatically set permissions and have found nothing.
4) The registry entry HKLM\Software\KVS\Enterprise Vault\Agents\InclueInheritedRights is NOT present.
This server is running EV 7.5 SP 4
I have three Mailbox Vaults that have one of our Admins "Automatically Set" on them. These three mailboxes all use policies that are used by hundreds of other users - the Admin isn't explicitly added to their vaults, AD accounts, Mailboxes or anything that other Admins aren't as well (all by Domain Admin groups, etc).
I've tried everything I can think of to remove the Admin from the vaults with no luck. Using PermissionBrowser, this is what I find:
_______________
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
SID: None
Group:
SID: None
Dacl:
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags: CONTAINER_INHERIT_ACE
Mask: 0x105BF
DV_DS_HIDE_FOLDER
DV_DS_DELETE_ARCHIVE
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-2000478354-492894223-839522115-2356
Name: PermittedAdmin
DomainName: FRUSTRATED
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags:
Mask: 0x4BF
DV_DS_HIDE_FOLDER
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-2000478354-492894223-839522115-2634
Name: MailboxOwner
DomainName: FRUSTRATED
____________________
Anyone have any good suggestions / thoughts on how to purge these rights? I know I can add explicit DENY rules, but the idea of cleaning up an environment doesn't really make me want to go in there and just slap some cover-up on this problem..
Thanks in advance,
--Micah
01-08-2009 09:57 AM
After zapping with EVPM, did all the permissions go away temporarily? Until the next synchronization of course...
01-08-2009 10:01 AM
Nothing.. they're stuck in there good! =)
Like I said, I tried zapping a few times, synchronizing - everything I could think of and found in these forums. It did clean up a few other vaults that had some issues with them, but this one tends to stick out.
--Micah
01-08-2009 10:11 AM
What did your EVPM script look like?
Maybe you were using the ArchivePermissions section instead of VaultPermissions... you must use VaultPermissions. Check out:
http://seer.entsupport.symantec.com/docs/280196.htm
01-08-2009 10:19 AM
I was under the impression that ArchivePermissions and ArchiveName replaced VaultName and VaultPermissions - in fact in my previous efforts, they were unsuccessful until I changed them from VaultName to VaultPermissions - at least it said that in the Help File.
Interestingly enough.. setting it back to VaultName - it seems to have cleared it.
So I'm a bit confused why it wouldn't work yesterday but works today.. either way - thanks =)
--Micah