Enterprise Vault: in Archive Explorer some users can see other users' archived items

awb123's picture

Morning all,

When opening Archive Explorer through Microsoft Outlook 2007 you are redirected, and in the top left corner of the window your name is displayed, which is expandable and shows you all your archived email.

Here is the problem: I have a few users that have their own name showing and working with no issues. However, they are also displaying other users' archived items. So another user's name is also present and expandable, and they are able to view another user's archived items.

Please can someone shed some light on why this is happening and how to stop this from happening?

Many thanks for your time and if you require any further information please ask.

Andy

RVD's picture

Hi Andy,

When users can see more archives than their own in Archive Explorer, then this means that they also have access to the Exchange mailboxes of those users.

Security from Exchange mailboxes is synchronized towards the EV archives.

So, the 'issue' you report is in fact standard behaviour. If the specific users may not see the archives of the other users, you have to check the mailbox security on the involved Exchange mailboxes.

greetz,

Rudy

awb123's picture

Hi,

Sorry for the late reply.

I checked a user that has 2 Archive Explorer mailboxes in view and he did have access rights to that particular user's mailbox. I have removed the access rights and have left this for a few days and he is still able to view that user's Archive Explorer?

With the handful of other users, they do not currently have any access rights to the mailboxes of the people they can view within their Archive Explorer. Further investigation has proven that at some point they used to have access rights but do not anymore.

So my question is how can I eliminate the security access rights picked up by Enterprise Vault when they no longer have the access rights on Exchange?

Thanks,

Andy

Janaina's picture

Hi awb123,

Can you check the particular user's archive in Admin console and see if the user (the one who can see two archives in Archive Explorer) is not granted permission on the archive?

You can also use Permission Browser, which is located in the Enterprise Vault install folder on the EV server, to check permissions.

An alternative to this is denying permission on the user's archive, synchronizing the mailbox and trying to open Archive Explorer. If you can still see the archive in Archive Explorer, right click on the right pane in AE and refresh.

JB22's picture

Have you tried to just refresh the view on the left pane where they see the other user's archive?

phenian's picture

I have exactly the same problem. I had to give myself permissions to a number of Exchange mailboxes some time ago and all their vaults popped up within my AE as expected. I then removed all my permissions to their mailboxes but their vaults are still visible within AE. I don't have any permissions to their mailboxes within Exchange, and the admin console and Permissions Explorer within EV don't show my account listed, but their vaults still show up. I have run numerous resyncs but I can't get rid of the vaults.

GertjanA's picture

Hello,

Make sure that when you sync, you select to sync the Folder hierarchy and permissions too! This will reset the permissions on the archive.

Then, when the sync is done, have the user seeing the additional vaults close Outlook, wait a minute, then restart Outlook. Check.

When the user still sees additional archives, close Outlook, run the evresetclient, start Outlook, check again.

Make sure that the sync has run to completion.

GJ

Thank you, Gertjan

MCSE, MCITP, MCTS Exchange 2007 SCS2007, SCS8.0
Company: www.t2.nl
Good site: www.enterprisevaultfaq.com
Good site: www.evdiscuss.net

phenian's picture

I have run the sync with the Folder permissions set but they are still there.  Where do I find the EVResetclient tool?

phenian's picture

Sorry - found the tool.  Closed Outlook, ran the tool successfully, restarted Outlook.  All the vaults are still there.

Any other ideas?

GertjanA's picture

Hi Phenian,

I am pretty sure the syncing should fix the issue. I recall having to wait a while before the actual shared vault 'disappeared', but it does happen. I'll see if I can retrieve my notes for that issue to see what I did.

GJ

Thank you, Gertjan

MCSE, MCITP, MCTS Exchange 2007 SCS2007, SCS8.0
Company: www.t2.nl
Good site: www.enterprisevaultfaq.com
Good site: www.evdiscuss.net

phenian's picture

Any further ideas - I still have about 20 mailboxes which I don't have access to but appear as vaults in my list. I also now have a whole load of garbage when I click on search vaults, starting with "Results Sorting Please wait" and scrolling down to "Find Now". There is over a page of this with loads of buttons which don't do anything, and my actual search button is over a page away - any ideas on that one?

shahss's picture

Hi

Any further ideas anyone - Still having extra mailboxes appearing under Archive Explorer, despite having NO permission. I have synced the permission and waited and made sure there is no permission set in AD and in Exchange etc. I should not be able to see other users' mailboxes in my Archive Explorer.

It seems I am having the same issue as AWB123. Please post if you have any fix/ideas. Thanks.

Shahss

Paul Grimshaw's picture

There has to be permission coming from somewhere, as we do not make up permissions, so if you are confident that there is nothing from an AD perspective then these users could have switched on Outlook delegation by maybe switching on access at that level.

The easiest thing to do to confirm all access on the archive is to use the permissionbrowser.exe tool that you can find in the Enterprise Vault directory.

This is a GUI-based tool and you can select the archive that you can see in your AE list and check out all of the ACLs etc. that are on that archive.

From there you will understand what has happened.

EV Backline Technical Support Engineer
APJ Region

GuruPrasadNS's picture

Great utility

Found it very useful. Have just used it and would see the result once sync runs.

Jason_G's picture

Is it worth 'zapping' permissions on the archive and then can at least determine if the permissions are still being synched from somewhere or if they have just been hard set somewhere.

If after 'zapping', you can no longer see them, then it was something left over from a change in the past, if the vaults re-appear then it has synched it from somewhere.

Looking into the same thing in the past, I think the following places are where the permissions are taken from:

-Outlook Mailbox permissions
-Outlook Delegates
-EV permissions applied directly from the VAC
-Exchange Mailbox Rights (if you look at the properties of the account in ADUC, click on the 'Exchange Advanced' tab, then 'Mailbox Rights')
-Sometimes permissions on the AD account (if you look at the properties of the account, 'Security' tab)

Would be interested in the resolution to this as we have a situation where all members of admin groups (enterprise admins, domain admins etc.) have access to a user's vault visible via AE - the permissions for this user's AD account or Archive do not appear to be any different to other users.

GuruPrasadNS's picture

found permission warnings disappearing

observation is still on - seeing good results.

Jason_G's picture

observation is still on - seeing good results.

what do you mean?

GuruPrasadNS's picture

permissions edited

I removed inherited permissions from AD after going through the utility permissionbrowser and synced the mailboxes, and found permission-related alerts and warnings disappeared and also users who used to see other mailbox archives stopped.

jeffakiti's picture

liveupdate issue

All products installed and activated are getting updated within the Symantec Endpoint Protection, except the Virus Definitions for the Win32.11.
We are running on the Windows 2003 platform.

MichelZ's picture

Hi

Could you post this again in the Endpoint Protection forums?
This is the "Enterprise Vault" forum, and we're not Endpoint Protection experts. The folks over at the Endpoint Protection forums are able to help you for sure.

https://www-secure.symantec.com/connect/security/f...

Cheers

N1500's picture

hey...........

thanks.........................

GPKGuy's picture

Here is a TN that gives a brief overview of Permissions Browser - http://support.veritas.com/docs/295166. The utility is also highlighted in the Admin guides.

Mark

**REMEMBER TO VOTE IF THIS HELPS AND MARK IT AS RESOLVED TOO**

GertjanA's picture

Happened to me and resolution

Hello again,

I recently had this issue happening again. What happens is that if the default permissions set on a mailbox in AD (open the user whose vault you do see), Mailbox Rights and Security, have also been set by hand to the same accounts, you will see the archive.

Removing the hand-set permissions and syncing the mailbox you see in your AE will resolve the issue.

When you get a report from user A that he sees User B's archive:
1 - verify that user A has not been granted permissions by user B (directly in Outlook)
2 - verify that mailbox-rights on the User B account in AD are 'inherited'. If there are any accounts/groups hand-added, verify user A is not one (or in one) of them. If needed, remove all hand-added accounts, sync the mailbox.

This should resolve the issue. Use the permissionbrowser as mentioned above to determine if anything has been missed.

Gertjan.

PS> If this (or one of the above) resolves the issue, could you close it, and choose a solution?

Thank you, Gertjan

MCSE, MCITP, MCTS Exchange 2007 SCS2007, SCS8.0
Company: www.t2.nl
Good site: www.enterprisevaultfaq.com
Good site: www.evdiscuss.net
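
The check in step 2 above, and the Exchange/AD entries in the list of permission sources earlier in the thread, can be scripted. This is an added example, not code from any poster or from Enterprise Vault; it assumes the Exchange Management Shell, and `userA`/`userB` are placeholder names. It does not cover Outlook delegates or permissions set directly in the Vault Admin Console.

```powershell
# Added example: list hand-set (non-inherited) rights on the mailbox and AD
# object of user B (whose archive is visible) and flag entries naming user A.
# Run in the Exchange Management Shell. Both account names are placeholders.
$ArchiveOwner = 'userB'   # mailbox whose archive shows up in Archive Explorer
$Viewer       = 'userA'   # user who can see that archive

function Select-ExplicitAce {
    param($Aces, [string]$Source)
    $Aces |
        # Keep only entries that were added by hand, skipping the owner's own SELF entry
        Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' } |
        Select-Object @{Name = 'Source';      Expression = { $Source }},
                      @{Name = 'Trustee';     Expression = { $_.User.ToString() }},
                      @{Name = 'Rights';      Expression = { $_.AccessRights -join ',' }},
                      @{Name = 'Deny';        Expression = { $_.Deny }},
                      @{Name = 'NamesViewer'; Expression = { $_.User.ToString() -like "*\$Viewer" }}
}

$mailbox = Get-Mailbox -Identity $ArchiveOwner

# 'Mailbox Rights' as shown on the Exchange Advanced tab in ADUC
$mailboxAces = Get-MailboxPermission -Identity $mailbox.Identity

# 'Security' tab of the AD account
$adAces = Get-ADPermission -Identity $mailbox.DistinguishedName

$report = @()
$report += Select-ExplicitAce -Aces $mailboxAces -Source 'MailboxRights'
$report += Select-ExplicitAce -Aces $adAces      -Source 'ADSecurity'

if ($report.Count -eq 0) {
    Write-Host "No hand-set entries on $ArchiveOwner; rights are inherited only."
} else {
    # Trustees that are groups need a membership check for $Viewer by hand
    $report | Sort-Object Source, Trustee |
        Format-Table Source, Trustee, Rights, Deny, NamesViewer -AutoSize
}
```

Any row with a trustee that is a group still has to be checked for user A's membership, and the mailbox must be synchronized in Enterprise Vault after entries are removed.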

kkate's picture

Could be setting related to IIS

Hi AWB123,

Please verify the settings in IIS of your EV server.

In directory services, integrated Windows login should be removed for the EV site.

It will help.

Please reply back if there is any issue.

Regards

KK

John Chisari's picture

Hi, kkate, not sure where you are coming from here, but taking IWA off IIS (I think this is what you are suggesting) - is a bad idea, as security will be changed to basic and will not only pop-up login credentials for the user, but probably won't work.

John