Tough One :: Removing "Automatically Set" permissions

Akkim
Level 2

Okay - before everyone rushes in with the quick solutions... =)

 

1) We have checked all policies they are not currently set to allow Inherited Permissions, Synchronize Permissions is now OFF, and Include Default and Anonymous is set to OFF.

2) We have run the EVPM script to Zap Archive Permissions (multiple times). 

3) We have checked for permissions both in AD and Exchange as well as Outlook Delegation to try to justify these automatically set permissions and have found nothing.

4) The registry entry HKLM\Software\KVS\Enterprise Vault\Agents\IncludeInheritedRights is NOT present.

 

This server is running EV 7.5 SP 4

 

I have three Mailbox Vaults that have one of our Admins "Automatically Set" on them.  These three mailboxes all use policies that are used by hundreds of other users - the Admin isn't explicitly added to their vaults, AD accounts, Mailboxes or anything that other Admins aren't as well (all by Domain Admin groups, etc).

 

I've tried everything I can think of to remove the Admin from the vaults with no luck.  Using PermissionBrowser this is what I find ::

_______________
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
  SID: None
Group:
  SID: None
Dacl:
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags: CONTAINER_INHERIT_ACE
    Mask: 0x105BF
      DV_DS_HIDE_FOLDER
      DV_DS_DELETE_ARCHIVE
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-2000478354-492894223-839522115-2356
      Name: PermittedAdmin
      DomainName: FRUSTRATED

    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      DV_DS_HIDE_FOLDER
      DV_DS_SEARCH_ARCHIVE
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-2000478354-492894223-839522115-2634
      Name: MailboxOwner
      DomainName: FRUSTRATED
____________________

 

Anyone have any good suggestions / thoughts on how to purge these rights?  I know I can add explicit DENY rules, but the idea of cleaning up an environment doesn't really make me want to go in there and just slap some cover-up on this problem.

 

Thanks in advance,

--Micah
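As an added example (not from the post, and not an Enterprise Vault tool), a small Python audit of a PermissionBrowser DACL dump in the layout quoted above: it parses each ACE and flags any allow-ACE for someone other than the mailbox owner that carries an inherit flag or mask bits the owner lacks, which is exactly the PermittedAdmin ACE in the post. The SIDs and the abbreviated rights list in the sample dump are constructed.

```python
SAMPLE_DUMP = """\
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags: CONTAINER_INHERIT_ACE
    Mask: 0x105BF
      DV_DS_DELETE_ARCHIVE
      DV_DS_READ_ITEM
      SID: S-1-5-21-0-0-0-2356
      Name: PermittedAdmin
    Header:
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags:
    Mask: 0x4BF
      DV_DS_READ_ITEM
      SID: S-1-5-21-0-0-0-2634
      Name: MailboxOwner
"""  # constructed sample in the PermissionBrowser layout; rights list abbreviated

def parse_aces(dump):
    # Lines before the first Header (Control/Owner/Group) land in a throwaway dict.
    aces, cur = [], {"flags": [], "rights": []}
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "Header:":                        # every ACE starts with a Header block
            cur = {"flags": [], "rights": []}
            aces.append(cur)
        elif line.startswith("DV_DS_"):              # decoded right names listed under Mask
            cur["rights"].append(line)
        elif ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "AceFlags":
                cur["flags"] = [f.strip() for f in val.split("|") if f.strip()]
            elif key == "Mask":
                cur["mask"] = int(val, 16)
            elif key in ("AceType", "SID", "Name"):
                cur[key.lower()] = val
    return aces

def audit(aces, owner_name):
    # Report allow-ACEs for anyone but the owner that are inheritable or hold bits the owner lacks.
    owner = next(a for a in aces if a["name"] == owner_name)
    findings = []
    for a in aces:
        if a["name"] == owner_name or a["acetype"] != "ACCESS_ALLOWED_ACE_TYPE":
            continue
        extra_bits = a["mask"] & ~owner["mask"]          # 0x105BF & ~0x4BF == 0x10100 for the post's dump
        inheritable = any(f.endswith("INHERIT_ACE") for f in a["flags"])
        if inheritable or extra_bits:
            findings.append({"name": a["name"], "sid": a["sid"], "inheritable": inheritable,
                             "extra_bits": extra_bits, "extra_rights": sorted(set(a["rights"]) - set(owner["rights"]))})
    return findings
```

Run `audit(parse_aces(SAMPLE_DUMP), "MailboxOwner")` to see the one finding: PermittedAdmin, inheritable, with the extra bits 0x10100 decoded as DV_DS_DELETE_ARCHIVE.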

ACCEPTED SOLUTION

Emmett_Brown
Level 3

What did your EVPM script look like?

 

Maybe you were using the ArchivePermissions section instead of VaultPermissions... you must use VaultPermissions.  Check out:

 

http://seer.entsupport.symantec.com/docs/280196.htm

 

 


5 REPLIES

Emmett_Brown
Level 3

After zapping with EVPM, did all the permissions go away temporarily?  Until the next synchronization of course...

Akkim
Level 2

Nothing... they're stuck in there good! =)

 

Like I said, I tried zapping a few times, synchronizing - everything I could think of and found in these forums.  It did clean up a few other vaults that had some issues with them, but this one tends to stick out.

 

--Micah

Emmett_Brown
Level 3
If you check PermissionsBrowser right after you zap (before synch), you should see that all the permissions are gone.

Akkim
Level 2

I was under the impression that ArchivePermissions and ArchiveName replaced VaultName and VaultPermissions - in fact in my previous efforts, they were unsuccessful until I changed them from VaultName to VaultPermissions - at least it said that in the Help File.

 

Interestingly enough, setting it back to VaultName seems to have cleared it.

 

So I'm a bit confused why it wouldn't work yesterday but works today. Either way, thanks =)

 

--Micah