
synchronize folder permissions

SutterKane
Level 4

Hello all.

We are using EV.9.0.2 for archiving MS Exchange mailboxes (2203/2007/2010).

 

Some users delegate rights to one or more folders directly from their Outlook client. So as an example, they give rights to folder "\Job" under "\Inbox" but not for "\Private".

\Inbox
  \Job
  \Private

If the folder \Job is being archived now, the user has no access to any of the items in the archive.

While solving this via Active Directory and giving users access to the mailbox, ALL folders of the mailbox can be seen.

So in the example above \Inbox as well as \Private and \Job can be seen by the delegated user.

Checking our MS Exchange archiving policy, I found the point "Inherited permissions" (under "Advanced"). This is currently set to "Off".

Before enabling this, I would like to ask some questions:

 

- Is this point just inheriting access rights to separate folders as described above?

- Does enabling this feature have an impact on the EV server's performance?

- Can we remove the AD permissions for the mailboxes afterwards and are the access rights still there for the delegated folders only?

- Are items in this folder that have already been archived then visible to delegated users, or is this just for newly archived items only?

 

Thanks for your support.

 

SK

1 ACCEPTED SOLUTION

Accepted Solutions

TonySterling
Moderator
Partner    VIP    Accredited Certified

What do you have set for the following?

Synchronize folder permissions (Exchange Archiving General setting)



Description

Controls whether delegate and shared folder permissions within mailboxes are synchronized. If these are not synchronized, only mailbox owners have access to the corresponding archives. For example, this prevents delegates from having access to mailbox archives.


Supported values

  • Off. Folder permissions are not synchronized.

  • On (default). Folder permissions are synchronized.


Legacy name

SynchronizeFolderPermissions

See Exchange mailbox policy advanced settings

Article URL http://www.symantec.com/docs/HOWTO37219


2 REPLIES 2


JesusWept3
Level 6
Partner Accredited Certified

EDIT: Pipped to the post by quite a margin by Tony .... what he said :)

All you need is folder-based permissions, because here's the thing:

If you have something like the following

\Inbox
\Inbox\Subfolder1
\Inbox\Subfolder1\Subfolder2


User A is the owner and grants User B access to \SubFolder2.
When Enterprise Vault synchronizes the permissions, they will be given access to SubFolder2 *only*, just like in Outlook. If the user wants to see the user's folder in Outlook, they can't connect to the mailbox, but instead have to go to Open -> Other users mailbox or folder and then they will see the items.

Once they see the items, and they see the user's shortcuts, they can double-click the shortcuts and they will open. However, if the user goes to Archive Explorer they will not see the user's archive, because they don't have permission at the very root of the archive, and thus cannot see \inbox or any of the subfolders.

This is by design and pretty much the way it's always been.
If the user then delegates access at the top of the information store, maybe giving them reader access and such, then after a permissions sync or archiving run etc. that user will then be seen in Archive Explorer.

Inherited Permissions is off by default and that's a good thing, because typically when you look at a mailbox and who has access to it, you'll see Backup Admins, Domain Admins and all sorts, meaning that if I'm in the Backup Admin group and then I open AE, I suddenly see every single user's archive, because the inherited permissions say I am allowed access, etc.

The real one you want to be concerned with is the Folder Permissions on/off in the advanced section of the policy. If that's off then it doesn't matter who delegates what, it just won't be taken across.

 

https://www.linkedin.com/in/alex-allen-turl-07370146
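
Before changing either policy setting, the two kinds of grant discussed in this thread can be listed from the Exchange Management Shell. This is an added example, not code from any poster or from Symantec; the mailbox name `usera` is a placeholder, the `\Inbox\Job` path is the one from the question, and `Get-MailboxFolderPermission` assumes Exchange 2010.

```powershell
# Added example: run in the Exchange Management Shell.
# Part 1: principals holding INHERITED FullAccess on mailboxes. These are the
# accounts (Backup Admins, Domain Admins, ...) that the reply above warns about
# if "Inherited permissions" were switched On.
# Assumption: FullAccess is the right of interest; which Exchange rights
# Enterprise Vault maps onto archive access is not stated in this thread.
$inherited = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            $_.IsInherited -and -not $_.Deny -and
            ($_.AccessRights -contains 'FullAccess') -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF'
        } |
        Select-Object @{n='Mailbox';   e={ $mbx.PrimarySmtpAddress }},
                      @{n='Principal'; e={ "$($_.User)" }}
}

# One row per principal with the number of mailboxes it reaches by inheritance.
$inherited |
    Group-Object Principal |
    Sort-Object Count -Descending |
    Select-Object @{n='Principal';    e={ $_.Name }},
                  @{n='MailboxCount'; e={ $_.Count }} |
    Format-Table -AutoSize

# Part 2: explicit folder-level delegations on one mailbox, i.e. the grants
# that "Synchronize folder permissions" is described as carrying across.
# 'usera' is a placeholder mailbox; the folder paths follow the question.
$folders = 'usera:\Inbox', 'usera:\Inbox\Job', 'usera:\Inbox\Private'
foreach ($f in $folders) {
    Get-MailboxFolderPermission -Identity $f |
        Where-Object { "$($_.User)" -notin 'Default', 'Anonymous' } |
        Select-Object @{n='Folder';    e={ $f }},
                      @{n='Delegate';  e={ "$($_.User)" }},
                      @{n='Rights';    e={ $_.AccessRights -join ',' }}
}
```

A delegate who appears only against `\Inbox\Job` in Part 2 matches the folder-only case described in the replies; a long Part 1 list is the exposure to weigh before turning inherited permissions on.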