
Need some script or way to extract the list of users for each Vault?

Created: 20 Oct 2013 • Updated: 22 Oct 2013 | 11 comments
This issue has been solved. See solution.

Hi People,

Can anyone please assist me with the list of users that have access to each of the Vaults in EV, for both FSA and Email archive components?

Thanks.


Pradeep_Papnai's picture

Hi John,

I hope you are looking for a script which lets us know about the permissions assigned on each EV archive (Exchange or FSA). If yes, then I don't think we have any way to get the assigned permission information via a SQL query/script file other than the permission browser tool (c:\program files \ enterprise vault\permissionbrowser.exe). Basically, permissions are saved in cipher text (encrypted or unreadable format) in the SQL directory database, which is difficult to read via script/query.

There is one script created by Rob which is available at the following link, but I am not sure if that will work.

http://www.symantec.com/connect/downloads/checking-non-standard-folder-permissions

You may wish to contact your partner for a customized script, if they have developed one, and also put an idea in the enhancement portal for this request.

SOLUTION
John Santana's picture

Hi EV-Counselor, what I need is a list of who got access to which mailbox or Vaults?

At the Exchange server level I can do the FullAccess permission dump using PowerShell, but I am not sure how to do it in EV.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

GabeV's picture

Hi John,

As Ev-Counselor mentioned, the archive permissions are encrypted in the SQL server in binary format. When you look at the properties of an archive, the console reads those permissions and accesses AD to get the usernames. Unfortunately, a SQL query won't give you the information you are looking for.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

SOLUTION
John Santana's picture

Ah OK, thanks all for the clarification. I was asked this by the auditor regarding who has access to the Enterprise Vault data. I guess there is no way to do that.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Pradeep_Papnai's picture

We have permissionBrowser.exe, which gives permission information on an archive/archive folder, but nothing like a script.

 

John Santana's picture

Yes please, where can I get that binary?

I will need to dump that onto an Excel spreadsheet.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Pradeep_Papnai's picture

USE EnterpriseVaultDirectory

SELECT AA.ArchiveName, RT.VaultEntryId AS ArchiveID, AC.ACEType AS PermissionType, TT.SID
FROM Archive AA
INNER JOIN ACE AC
    ON AA.RootIdentity = AC.RootIdentity
INNER JOIN Trustee TT
    ON TT.TrusteeIdentity = AC.TrusteeIdentity
INNER JOIN Root RT
    ON RT.RootIdentity = AA.RootIdentity

-- Archives that don't have permissions will not appear in this list. PermissionType '0' means the archive has only automatic permissions, 1 means only manual permissions via VAC (in the case of shared/fileserver/PF), 2 means it has a combination of automatic/manual permissions.

-- It will also not give granular information such as the permission level (read/write/delete) or Deny/Allow.

-- These SIDs can be taken into an Excel sheet, and you may need to run another PowerShell/AD script for the users/groups with the associated SIDs and then compare (you need to do some research on Google to find out any easy way to get SIDs with users/groups).

 

John Santana's picture

Cool, that is what I need.

So in this case I must find another way to translate the SID into the DOMAIN\Username format with some other script in Excel.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.
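
The SID-to-account translation step discussed above, as an added example that is not part of the original thread: it takes the query result exported to CSV, resolves each SID to DOMAIN\Username, and writes a sheet an auditor can read. Assumptions: the SID column holds SID strings (S-1-5-...), the script runs on a domain-joined machine, and the file names and sample rows are constructed for illustration.

```powershell
# Added example: resolve the SID column of the query output to DOMAIN\Username.
# Assumption: the SID column holds SID strings (S-1-5-...); adjust if your export differs.

# Constructed sample rows standing in for the exported query result.
# In practice: $rows = Import-Csv .\ev-archive-permissions.csv   (hypothetical file name)
$rows = @'
ArchiveName,ArchiveID,PermissionType,SID
Sample Mailbox Archive,CONSTRUCTED-ARCHIVE-ID-1,0,S-1-5-18
Sample FSA Archive,CONSTRUCTED-ARCHIVE-ID-2,1,S-1-5-32-544
Sample Shared Archive,CONSTRUCTED-ARCHIVE-ID-3,2,S-1-5-21-1111111111-2222222222-3333333333-1105
'@ | ConvertFrom-Csv

# PermissionType meanings as described in the post above.
$permissionText = @{ '0' = 'Automatic only'; '1' = 'Manual only (VAC)'; '2' = 'Automatic + manual' }

$cache = @{}   # SID -> account name, so each trustee is looked up only once

function Resolve-Sid {
    param([string]$Sid)
    if ($cache.ContainsKey($Sid)) { return $cache[$Sid] }
    try {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Typical for deleted accounts or SIDs from a domain this machine cannot reach.
        $name = '<unresolved: deleted or foreign account>'
    }
    catch {
        # Malformed SID string or a directory lookup error; keep the reason in the report.
        $name = "<lookup failed: $($_.Exception.Message)>"
    }
    $cache[$Sid] = $name
    return $name
}

$report = foreach ($row in $rows) {
    [pscustomobject]@{
        ArchiveName    = $row.ArchiveName
        ArchiveID      = $row.ArchiveID
        PermissionType = $permissionText[$row.PermissionType]
        SID            = $row.SID
        Account        = Resolve-Sid $row.SID
    }
}

# The CSV opens directly in Excel; unresolved rows are kept so the access list stays complete.
$report | Export-Csv -Path .\ev-archive-access.csv -NoTypeInformation
$report | Format-Table -AutoSize
```

Rows that resolve to a group still need the group's membership expanded separately before the list answers "which users" for an audit.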

Pradeep_Papnai's picture

Thanks John, glad to see that our suggestion really helped :) Thanks to Gabe for confirming this behaviour.

 

 

John Santana's picture

Yes, many thanks to all for the quick reply!

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

GabeV's picture

Glad to help!!

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill