What's the expected/correct behaviour of granting the full access to all mailboxes for VSA?

Sani_B
Level 6
Partner Accredited

Hi!

I have a question about how things should work...

Environment: Exchange 2013 CU8, EV 11.0.1 CHF1, Outlook 2013 SP1 (32-bit).


The VSA’s requirements in Exchange

  • The VSA requires full access to all mailboxes and public folders

This has been done by running the provided script from the installation package.


Now in Exchange it shows that the VSA account has full access rights to my test account.

In EV (yes, the synchronization has been run; this is not a new environment), the Permissions tab of my test account's archive shows no other accounts but the test account, and so does the permission browser. Is this how it should be? Or should the VSA account be shown there as well?


I tried to open an archived message through OWA 2013; it said that the operation failed, and the EV server's event log has event 3424:

The user 'Domain\VSA' attempted to restore an item into mailbox 'Test User'. The request has failed because the user does not have full mailbox access or administrator rights to this mailbox.

I asked the Exchange admin to check that it indeed showed the full access right, that inheritance had not been disabled, etc. Everything looked as it should from the Exchange point of view.

The Exchange admin then, using the Management Shell, removed the VSA's full access permissions and put them back. I synchronized the archive permissions, and now it shows the VSA account both as inherited rights in the Permissions tab of the archive properties and in the permission browser view.

Also, opening an archived item in OWA 2013 now works fine!


So I ask: how should those permissions be? Should the VSA have visible inherited permissions on the EV side as well, and the provided permission script just doesn't do things correctly, or what's the problem? All I know is that now that the VSA has them, the OWA part works too...


Sani B
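The check and the remove/re-add step described in the post above, written out as an added Exchange Management Shell example. This is not the permissions script shipped with Enterprise Vault and not the exact commands the admin ran; it assumes Exchange 2013, that the VSA is DOMAIN\VSA, and that the caller holds rights to change mailbox permissions. The function names are the example's own.

```powershell
# Added example: not the EV-supplied permissions script and not the admin's exact commands.
# Assumptions: Exchange 2013 Management Shell, VSA account DOMAIN\VSA, sufficient admin rights.
$Vsa = 'DOMAIN\VSA'

function Get-VsaMailboxAce {
    # Dump exactly what Exchange holds for the VSA on one mailbox so the state
    # before and after a re-grant can be compared (Deny, IsInherited, InheritanceType
    # are the fields the admin in the thread was asked to verify).
    param([Parameter(Mandatory)][string]$Mailbox)
    Get-MailboxPermission -Identity $Mailbox -User $Vsa -ErrorAction SilentlyContinue |
        Select-Object Identity, User, AccessRights, Deny, IsInherited, InheritanceType
}

function Test-VsaFullAccess {
    # True only if the VSA holds a FullAccess entry that is not a Deny entry.
    param([Parameter(Mandatory)][string]$Mailbox)
    $aces = Get-MailboxPermission -Identity $Mailbox -User $Vsa -ErrorAction SilentlyContinue
    [bool]($aces | Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.Deny) })
}

function Reset-VsaFullAccess {
    # The remove-then-re-add the Exchange admin did by hand in the thread.
    # -InheritanceType All makes the entry apply to the mailbox and every folder in it.
    # -AutoMapping $false stops Outlook from auto-mapping every mailbox into the VSA's profile.
    param([Parameter(Mandatory)][string]$Mailbox)
    Remove-MailboxPermission -Identity $Mailbox -User $Vsa -AccessRights FullAccess `
        -InheritanceType All -Confirm:$false -ErrorAction SilentlyContinue
    Add-MailboxPermission -Identity $Mailbox -User $Vsa -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false
}

# Audit: list every mailbox where the VSA has no effective FullAccess entry.
# Nothing is changed here; run Reset-VsaFullAccess on a mailbox deliberately,
# e.g. Reset-VsaFullAccess -Mailbox 'testuser@example.com', then re-run the
# archive permission synchronization in EV and compare Get-VsaMailboxAce output.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $id = $_.PrimarySmtpAddress.ToString()
    if (-not (Test-VsaFullAccess -Mailbox $id)) {
        Write-Warning "VSA has no effective FullAccess on $id"
    }
}
```

The audit loop only reports; the reset is kept as a separate, explicit call because it briefly removes the VSA's access to the mailbox, which interrupts archiving for that user until the entry is re-added.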


12 REPLIES

AndrewB
Moderator
Partner VIP Accredited

What you saw originally was the expected behavior. The way I would have gone about it for testing would have been to either use the test account by logging in as that account to Outlook or OWA, or grant the VSA access to the test archive from the EV console.

Sani_B
Level 6
Partner Accredited

If the original state, with the permission not showing in the archive properties, is correct, why? I mean, shouldn't EV inherit the full access to the archives as well and show it? I know I've not seen the VSA permissions automatically in the archive properties in any of the earlier EV versions, but isn't it new to OWA 2013 (the mail app) to use the restore function to open the items, and could it be necessary to have the inherited VSA permissions there? Just asking, because those permissions were exactly what the error message was about...


And yes, granting the VSA permissions manually from the archive properties also works for this, but that can't be right, that one should have to do it manually from the EV side??

SebastianM_
Level 3
Partner Accredited

Hi Sani,

This behaviour is right "by design". Full access to the Exchange mailbox is needed for the VSA to successfully archive the mailbox. But full access to the archive is not needed for technical purposes, so it's logical not to inherit this permission. But you will see that other full access permissions do get inherited.

If you want to assign VSA permissions to all archives, you can use EVPM (EV Policy Manager) for this. You can refer to the following technote for this: https://support.symantec.com/en_US/article.TECH69114.html

Just run this as a scheduled task once a day and you will have the access rights on all archives.

I hope I could assist you. :)

Kind regards,

Sebastian

Sani_B
Level 6
Partner Accredited

Okay another direction;

The error message stated clearly that the problem was "The request has failed because the user does not have full mailbox access or administrator rights to this mailbox". Giving the VSA full permission to the archive solves this, BUT since this is not how it should work, what other permissions can it be referring to, if this is not how it should be solved? Any idea?

SebastianM_
Level 3
Partner Accredited

Hi Sani,

If you already have the full access right on Exchange, then there is nothing more you can have. With full access you are perfectly able to "write" to the mailbox, meaning to restore an item. Since giving the permission on the archive solves this issue, it indicates that you have a permission problem on the archive, which is normal because by design the VSA is not assigned any archive permissions. So maybe the event description in the event log is just not very specific to this issue?! Do you need to be able to restore items from OWA using the VSA?

Sani_B
Level 6
Partner Accredited

Hi Sebastian, sorry for the late reply.

I wasn't restoring the item using the VSA account but a regular test user account. The restore would not work if the VSA was not given permissions that showed all the way through in the archive-side permissions too. After the VSA was manually given the full permissions on the Exchange side, those got inherited to the archive as well (this does not happen when running the permission script that's supposed to be used when installing and configuring things), and after that the test user was able to perform the restoration from OWA... So that's confusing/the problem, as it does not say anywhere that the VSA should have permissions to the user's archive as well, but without it the OWA restoration does not work...


Sani B.

AndrewB
Moderator
Partner VIP Accredited

Hey Sani, I still think that what you saw originally was the expected behavior, based on my experience with the product. Was there anything else you needed help with at this point?

Sani_B
Level 6
Partner Accredited

Hey Andrew,

Well, there's still the problem that if the expected behaviour is not to grant the VSA permissions to users' archives, how is the restore from OWA supposed to work without the permission?

Sani B.

AndrewB
Moderator
Partner VIP Accredited

Can you clarify what you mean by "the restore from owa"?

Sani_B
Level 6
Partner Accredited

I mean the very function that restores the item from a shortcut to being the original item again in Outlook/OWA.

Using the Office mail app for EV tools, it can be done from the shortcut (not while the mail is fully opened, as the guide books say).


AndrewB
Moderator
Partner VIP Accredited

The restore is done by whichever EV-enabled user is logged in to OWA / OMA.

Sani_B
Level 6
Partner Accredited

And that's what I'm telling you: it doesn't work if the EV admin account doesn't have permissions to the user's archive. That's the weird thing in this whole problem to begin with! I have no idea why the VSA would need to have access to the user's archive in order for the user to be able to restore from OWA from the user's own account, but that's how it looks to be working. If I take the permission off, it doesn't work; if I add it back, it works again...