Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

EV10 event 4216 Access denied. User is not in a role that allows 'Can manage Enterprise Vault Exchange Mailbox tasks'

Created: 07 Jan 2014 • Updated: 14 Jan 2014 | 6 comments
GertjanA's picture
This issue has been solved. See solution.

Hello all,

EV10SP4CHF1 - In my testlab, I have configured the SQL roles according to the procedure as described in http://www.symantec.com/docs/HOWTO80670

This seems to work ok.

I have however event 4216 in the eventlog: (every 5 minutes)

Access denied. User is not in a role that allows 'Can manage Enterprise Vault Exchange Mailbox tasks'.
User: 'NT AUTHORITY\SYSTEM'

I've ran a trace on taskcontroller (attached), and noticed:

1704 {CSecurityWrapper::HasServerClientGotPermission:#515} Checking role access for admin operation [4001]...
1705 {CSecurityWrapper::IsServerClientTheVSA:#864} Checking if server client is VSA...
1706 {CSecurityWrapper::IsServerClientTheVSA:#894} Client server is running as VSA: [False] (in a client COM call: [True]).
1707 {CSecurityWrapper::CommonRoleAccessCheck:#920} Checking access for operation [4001]. Impersonating client: [True]...
1708 {CSecurityWrapper::UpdateAzStoreCacheIfNecessary:#1455} Updating if required...
1709 {CSecurityWrapper::CommonRoleAccessCheck:#997} Access [denied]
1710 {CSecurityWrapper::HasServerClientGotPermission:#557} Caller [doesn't have] role [4001]. Permission [denied].
1711 {CSecurityWrapper::GetOperationNameFromID:#656} Getting name of operation [4001]...
1712 {CSecurityWrapper::ServerClientCheckPermissions:#1567} Operation [Can query Enterprise Vault tasks (4001)] has been denied.

This seems to be indicating an issue with the Role, but I am not sure. Can one of the peers check, and comment? As this is a test-lab environment, it is not urgent, but we do want to configure this in the prod environments too. I need to be sure that this is not an issue due to the roles configuration. It does look like EV works fine (archiving, restoring, archive explorer and search work fine).

Thanks in advance,

Gertjan.

Operating Systems:

Comments 6 CommentsJump to latest comment

TonySterling's picture

hey ya,

Did you sort this out?  I was wondering if you EVOM wasn't set up correctly and causing an issue.  Or if you just needed to re-enter the EV VSA password and restart services.

 

Cheers,

 

SOLUTION
GertjanA's picture

Hi Tony,

No time to sort it out unfortunately. I have done the password reset and all. Next step would be to roll-back the role setup in SQL, but I don't have time until a few weeks from now. I'm leaning to 'some' process doing some checking. As this is a lab-envrionment, I am no too worried. The server is a hyper-v server, so it might be that hyper-v does some stuff.

I'll close this, and when I fixed it, I'll report back.

Thank you, Gertjan, MCSE, MCITP,MCTS, SCS, STS
Company: www.t2.nl

www.quadrotech-it.com

www.symantec.com/vision

H.Stjern's picture

Hi, I have the same problem on a customer site.

 

10.0.4 without any CU installed.

I get the message every 5 minutes and have checked so that the VSA account is being used as logon account on both tasks.

 

The tasks it reports in is provisioning and archiving.

This started some time after a fresh installation, so not sure if the customer might have changed something or sent out new GPO's.

Went through the Dcomcfng described in another article and my VSA account is set correctly.

Also checked so that its my VSA account that executes the scheduled tasks.

Archiving is running fine and also the provisioning task, so not really sure what this problem is related to.

Any idea of what this could be?

 

Best Regards

Hans

GertjanA's picture

Hi Hans,

I rebuild EV environment, error gone. I believe you can use dtrace to locate what happens, not sure. Perhaps a support call might help.

Thank you, Gertjan, MCSE, MCITP,MCTS, SCS, STS
Company: www.t2.nl

www.quadrotech-it.com

www.symantec.com/vision

H.Stjern's picture

Hi Gertjan,

Yea, was just curious if there was a simple fix to the problem.

Do you remember if you set up Role Base Admin and added any accounts to different roles in your lab environment?

Since my problem started a few weeks after an install i'm trying to do some checks what could have caused it, and I remember adding users to a few different roles so they can see reports and so the support guys can do PST exports etc.

 

Cheers

Hans

GertjanA's picture

Hello Hans,

No RBA configured in testlab. I'm leaning to some sort of monitoring from hyper-v, or scom I am not aware of. It *might* however interfere, not sure.

As tip:

As this thread was already closed, and you report an issue, it is unlikely for others to reply to this. You are better off creating a new entry on this, and if necessary refer to this entry.

Sorry for not being able to assist. I believe the best option is to open a support call.

 

Thank you, Gertjan, MCSE, MCITP,MCTS, SCS, STS
Company: www.t2.nl

www.quadrotech-it.com

www.symantec.com/vision