
How to remove EV permission

Created: 29 Jul 2013 | 6 comments

Getting the below error while removing a user from another user's EV account

 

 


Rob.Wilcox's picture

What version of EV is this?

Is the user you're trying to remove the vault service account?

 

Typically automatically set permissions come from:

- The Vault Service Account via it being set as the account on the properties of the directory

or

- Permissions being given in Exchange/Outlook, and the policy setting selected to enable inherited permissions

Advisor's picture

It looks like the Account SID can't be resolved with the user name. It could be due to a DC/GC communication issue, or the user might have been deleted in AD. Auto set permissions cannot be removed from VAC >> Archive properties >> Permissions section. You can only modify or remove manually set permissions. You can try using EVPM here. I hope the account which you are trying to remove is not the VSA or owner user account.

This can be achieved by creating an EVPM script, specifying the particular details and running it against the affected archive(s).

 

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName=Mary Jones
Zap=True

 

Notes:

   a. Modify the script above to match the particular DirectoryComputerName, SiteName and ArchiveName. 

   b. Edit the file in Notepad and save in UNICODE format, with an .ini extension. 

   c. After zapping the archive, to show the change to the archive in the Vault Admin Console (VAC), you must right-click the container (i.e. Exchange Mailbox) and refresh it.

   d. To bring all Exchange inherited permissions, the mailbox must be synchronized.

 

Note: The [ArchivePermissions] section, introduced in Enterprise Vault 4.1, replaces the earlier [VaultPermissions] section. Existing scripts containing a [VaultPermissions] section will still work, but you are recommended to use [ArchivePermissions] in all new scripts.

 

Note: The "VaultName" or "ArchiveName" must be one of the following:

 

  • The name of an archive
  • An archive ID
  • ALL (permissions are applied to all journal, shared, and mailbox archives in the specified vault site)
  • ALL_JOURNAL (permissions are applied to all journal archives)
  • ALL_SHARED (permissions are applied to all shared archives)
  • ALL_MAILBOX (permissions are applied to all mailbox archives)

 

Run EVPM from \Program Files\Enterprise Vault as the Enterprise Vault Service Account. The syntax for EVPM follows:

 

EVPM [-?] [-e Exchange Server computer name ] [-m service mailbox] [-f Initialization file location and name]

 

 

| Parameter | Meaning |
|-----------|---------|
| -? | Prints usage to screen |
| -e | The Exchange Server computer name |
| -f | The initialization file location and name |
| -m | The name of the Enterprise Vault service mailbox |

 

 

Note: If running EVPM without any parameters, it will prompt for each one.
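The EVPM steps from the post above, as an added PowerShell example that is not part of the thread or of Symantec's TechNote: it writes the zap script as a Unicode .ini file, checks the encoding, and runs EVPM with the switches the post lists. The Exchange server name, service mailbox name, C: drive and temp file name are assumptions; the other defaults are the sample values from the post.

```powershell
# Added example, not from the thread. Replace the defaults with your own values.
param(
    [string]$DirectoryComputerName = 'kvsvault',      # sample value from the post
    [string]$SiteName              = 'archivesite',   # sample value from the post
    [string]$ArchiveName           = 'Mary Jones',    # sample value from the post
    [string]$ExchangeServer        = 'EXCHANGE01',        # constructed placeholder
    [string]$ServiceMailbox        = 'EVServiceMailbox',  # constructed placeholder
    [string]$EvpmPath = 'C:\Program Files\Enterprise Vault\EVPM.exe',  # assumed drive
    [string]$IniPath  = (Join-Path $env:TEMP 'zap-archive-permissions.ini')
)

# Guard: the wildcard names listed in the post apply to many archives at once,
# so a zap meant for one archive must never be run with them by accident.
$wildcards = 'ALL', 'ALL_JOURNAL', 'ALL_SHARED', 'ALL_MAILBOX'
if ($wildcards -contains $ArchiveName.Trim()) {
    throw "Refusing to zap '$ArchiveName': this name targets multiple archives."
}

# A line break inside a value would add extra keys or sections to the script.
foreach ($v in $DirectoryComputerName, $SiteName, $ArchiveName) {
    if ([string]::IsNullOrWhiteSpace($v) -or $v -match '[\r\n]') {
        throw 'INI values must be non-empty single lines.'
    }
}

$ini = @"
[Directory]
DirectoryComputerName=$DirectoryComputerName
SiteName=$SiteName

[ArchivePermissions]
ArchiveName=$ArchiveName
Zap=True
"@

# Note b in the post: the file must be saved as Unicode. In PowerShell,
# -Encoding Unicode writes UTF-16 LE with a byte order mark.
Set-Content -LiteralPath $IniPath -Value $ini -Encoding Unicode

# Verify the byte order mark (FF FE) before handing the file to EVPM.
$bom = [System.IO.File]::ReadAllBytes($IniPath)[0..1]
if ($bom[0] -ne 0xFF -or $bom[1] -ne 0xFE) { throw 'INI file is not UTF-16 LE.' }

# Run in a session started as the Enterprise Vault Service Account.
& $EvpmPath -e $ExchangeServer -m $ServiceMailbox -f $IniPath
```

Afterwards, refresh the container in the Vault Admin Console and synchronize the mailbox, as notes c and d in the post describe.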

Pradeep_Papnai's picture

Agreed with Advisor, this problem comes when EV is unable to resolve the SID from the GC. Most probably the user a/c is deleted from AD.

You cannot remove automatically assigned permissions from VAC, and you need to zap the permissions by creating an EVPM script as directed by Advisor.

http://www.symantec.com/docs/TECH44818

Below is one more thread which was discussed on automatically assigned permission.

http://www.symantec.com/connect/forums/how-do-i-re...

 

EV_Ajay's picture

Hi ,

  • Steps that need to be carried out on the Enterprise Vault Server:

  1. Log on to the Enterprise Vault Server using the EV Service Account.
  2. Apply the TechNote: How to remove all permissions from an archive using Enterprise Vault Policy Manager (EVPM) - http://www.symantec.com/docs/TECH44818.
  3. If the steps mentioned in the TechNote didn't help, then try to remove the permission using the following SQL query.
  4. Take a backup of the "EnterpriseVaultdirectory" database from SQL Server, in case anything goes wrong.
  5. Run the following SQL query:

         Use EnterpriseVaultdirectory
         Update ArchiveView
         Set AutoSecurityDesc = null where ArchiveName = 'ArchiveName'

  6. In the above example, the SQL query looks like:

         Use EnterpriseVaultdirectory
         Update ArchiveView
         Set AutoSecurityDesc = null where ArchiveName = 'ArchiveName'

  7. Refresh the Vault Admin Console and check the Permissions tab of the user archive; everything will be blank.

 

Thanks,

Ajay

EV_Ajay's picture

Hi,

You can also check whether the archive permissions that are set are automatically set or not. If they are, and those are the wrong permissions, then do the following:

Check the registry at HKEY_LOCAL_MACHINE\Software\wow6432node\KVS\Enterprise Vault\Agents and see if we have a registry key named 'IncludeInheritedRights' in that location.
 

The possible values for IncludeInheritedRights are:

  • 0 to exclude inherited permissions
  • 1 to include inherited permissions

Thanks,

Ajay