Removing Automatically Set Permissions on vaults where owner AD/Mailbox no longer exists
I've read through quite a few of the very helpful posts here, but seem to have reached an impasse.
First off...I've inherited an EV setup that has gone through many upgrades (from version 4, I'm led to believe) to have helped with upgrading to our current version - EV7.5 SP2.
Historically the inherited permissions, I think, were synchronized. This led to many of our vault users having access to other people's vaults, via search or Archive Explorer. Cleared up all the live ones I can by changing the inherited permissions sync and removing unwanted mailbox access etc.
But some of our leaver vaults are going to cause me a lot of work!
There are a hundred or so of these to get through so ideally the simpler the fix the better :)
Historically leaver accounts did not follow the proper procedure for leavers...and the original mailboxes/AD accounts no longer exist.
So I'm left with leaver accounts that have 10 or more SIDs and about the same number of live users with 'automatically set' permissions... so the leaver accounts appear in the live users' Archive Explorer lists etc., and trying to delete the permissions produces the 'cannot remove' message.
So far I have
a) set the billing account on the leaver account to a generic account
b) confirmed I can add/remove accounts manually (works)
c) Confirmed the include inherited permissions registry key is not in place
d) tried to zap the permissions using this evpm script:-
DirectoryComputerName = ourservername
Sitename = thissiterighthere
ArchiveName = theLeaver_archiveID found on the 'advanced' tab of the archive
Zap = true
e) the EVPM script above ran with no errors displayed... refreshed the console and even restarted the services to see if the permissions would show as removed... nothing, all remain.
Now I don't feel I have to worry about the SID references, as even if they have permissions they are not active accounts and really aren't going to cause me any distress, other than I'd just not like them to appear in the permission list :)
But all the other accounts?
As they aren't being zapped, is my only option to use EVPM and identify each account assigned to each vault and to then deny?
That's painful just saying it!
(Tested EVPM to deny one account, same script as above but with denyaccess instead of zap, and that worked... just nothing using zap.)
Any suggestions (slap me if I'm missing something) - would be most appreciated.