
How to remove EV permission

Created: 29 Jul 2013 | 6 comments

Getting the below error while removing a user from another user's EV account

Rob.Wilcox's picture

What version of EV is this?

Is the user you're trying to remove the vault service account?

Typically automatically set permissions come from:

- The Vault Service Account via it being set as the account on the properties of the directory


- Permissions being given in Exchange/Outlook, and the policy setting selected to enable inherited permissions

Advisor's picture

It looks like the Account SID can't be resolved with the user name. It could be due to a DC/GC communication issue, or the user might have been deleted in AD. Auto set permissions cannot be removed from VAC >> Archive properties >> Permissions section. You can only modify or remove manually set permissions. You can try using EVPM here. I hope the account which you are trying to remove is not the VSA or owner user account.

This can be achieved by creating an EVPM script, specifying the particular details and running it against the affected archive(s).





ArchiveName=Mary Jones



   a. Modify the script above to match the particular DirectoryComputerName, SiteName and ArchiveName. 

   b. Edit the file in Notepad and save in UNICODE format, with an .ini extension. 

   c. After zapping the archive, to show the change to the archive in the Vault Admin Console (VAC), you must right-click the container (i.e. Exchange Mailbox) and refresh it.

   d. To bring all Exchange inherited permissions the mailbox must be synchronized

Note: The [ArchivePermissions] section, introduced in Enterprise Vault 4.1, replaces the earlier [VaultPermissions] section. Existing scripts containing a [VaultPermissions] section will still work, but you are recommended to use [ArchivePermissions] in all new scripts.

Note: The "VaultName" or "ArchiveName" must be one of the following:

  • The name of an archive
  • An archive ID
  • ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
  • ALL_JOURNAL (permissions are applied to all journal archives)
  • ALL_SHARED (permissions are applied to all shared archives)
  • ALL_MAILBOX (permissions are applied to all mailbox archives)

Run EVPM from \Program Files\Enterprise Vault as the Enterprise Vault Service Account. The syntax for EVPM follows:

EVPM [-?] [-e Exchange Server computer name] [-m service mailbox] [-f Initialization file location and name]

  • -?  Prints usage to screen
  • -e  The Exchange Server computer name
  • -f  The initialization file location and name
  • -m  The name of the Enterprise Vault service mailbox

Note: If running EVPM without any parameters, it will prompt for each one.

Pradeep_Papnai's picture

Agreed with Advisor, this problem comes when EV is unable to resolve the SID from the GC. Most probably the user a/c is deleted from AD.

You cannot remove automatically assigned permissions from the VAC, and you need to zap the permissions by creating an EVPM script as directed by Advisor.

Below is one more thread which was discussed on automatically assigned permission.

EV_Ajay's picture

Hi,

  • Steps to carry out on the Enterprise Vault Server:
  1. Log on to the Enterprise Vault Server using the EV Service Account.
  2. Apply the TechNote: How to remove all permissions from an archive using Enterprise Vault Policy Manager (EVPM) -
  3. If the steps mentioned in the TechNote didn't help, then try to remove the permission using the following SQL query.
  4. Take a backup of the "EnterpriseVaultdirectory" database from SQL Server, in case anything goes wrong.
  5. Run the following SQL query:

         -- Sets AutoSecurityDesc to NULL for the archive with this name
         USE EnterpriseVaultdirectory

         UPDATE ArchiveView
         SET AutoSecurityDesc = NULL
         WHERE ArchiveName = 'ArchiveName'

  6. In the above example, the SQL query looks like:

         USE EnterpriseVaultdirectory

         UPDATE ArchiveView
         SET AutoSecurityDesc = NULL
         WHERE ArchiveName = 'ArchiveName'

  7. Refresh the Vault Admin Console and check the Permissions tab of the user archive; everything will be blank.
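
A more cautious way to run the update from the post above, as an added example that is not part of the original post or the vendor's TechNote: it previews the matching rows, refuses to continue unless exactly one archive has that name, and wraps the change in a transaction. The database, view and column names are the ones in the post; 'ArchiveName' stays a placeholder, and T-SQL on SQL Server is assumed.

```sql
-- Added example. EnterpriseVaultdirectory, ArchiveView, AutoSecurityDesc and
-- ArchiveName are taken from the post; everything else is illustrative.
USE EnterpriseVaultdirectory;
GO

SET XACT_ABORT ON;   -- any runtime error rolls the transaction back

DECLARE @ArchiveName nvarchar(256);
DECLARE @Matches int;
SET @ArchiveName = N'ArchiveName';   -- placeholder: the affected archive's name

-- 1. Preview what the UPDATE would touch. Archive names are not guaranteed
--    to be unique, so look at the rows before changing anything.
SELECT ArchiveName,
       CASE WHEN AutoSecurityDesc IS NULL
            THEN 'no automatic permissions'
            ELSE 'automatic permissions present'
       END AS AutoPermissionState
FROM ArchiveView
WHERE ArchiveName = @ArchiveName;

SELECT @Matches = COUNT(*)
FROM ArchiveView
WHERE ArchiveName = @ArchiveName;

-- 2. Stop if the name matches no archive or more than one.
IF @Matches <> 1
BEGIN
    RAISERROR('Expected exactly 1 archive named "%s", found %d. Nothing was changed.',
              16, 1, @ArchiveName, @Matches);
    RETURN;
END

-- 3. Apply the change from the post inside a transaction and confirm
--    that exactly one row was affected before committing.
BEGIN TRANSACTION;

UPDATE ArchiveView
SET AutoSecurityDesc = NULL
WHERE ArchiveName = @ArchiveName;

IF @@ROWCOUNT = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Unexpected number of rows affected; update rolled back.', 16, 1);
END
```

Run it only after the database backup in step 4 has completed.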



EV_Ajay's picture


You can also check whether the permissions that are set on the archive are automatically set or not. If they are, and those are the wrong permissions, then do the following:

Check the registry at HKEY_LOCAL_MACHINE\Software\wow6432node\KVS\Enterprise Vault\Agents and see if we have a registry key named 'IncludeInheritedRights' in that location.

The possible values for IncludeInheritedRights are:

  • 0 to exclude inherited permissions
  • 1 to include inherited permissions