
Unable to fetch item, ID 6287 for multiple users

Created: 20 Mar 2013 • Updated: 05 May 2013 | 5 comments
This issue has been solved. See solution.

Environment: EV 10.0.3 on 2 servers, SQL 2008 R2, Exchange 2010 SP2

I'm noticing a large number of errors (~600 across both servers) very similar to this appearing in my event log since upgrading to SP3 (and just 3 entries on one server before that; my logs go back to Christmas 2012).

Unable to fetch item from "EVServer". 
Reason: Access denied      (0xc0041801) 
Saveset Id: 201211072284336~201208070843480000~Z~70084ACABE46918BE3CE9751F9AB4751 
Archive Name: Bloggs, Joe
Archive Folder Path: Rowena emailsVideos & podcasts060812 IEM video & podcast 
Reference: [GOAFS] 

Coupled with my recent post about permissions not being applied at all to imported PSTs for one user, I can't help but wonder if this is an issue introduced in SP3? We upgraded from 10.0.1.

I found the following TN which mirrors exactly the issue:

http://www.symantec.com/business/support/index?pag...

...but as we do not run public folder archiving, there are no tasks to restart.

The latest person to report a problem is saying she cannot access anything in her vault, and if she opens archive explorer in Outlook, her archive does not appear at all. I've not yet been able to get hold of her to verify 100% what I've been told from my support engineer, but I've got no reason to disbelieve him after seeing 10s of entries in the log saying "Access denied". Using PermissionsBrowser.exe, the permissions /look/ ok. Sample:

Header: 
      AceType: ACCESS_ALLOWED_ACE_TYPE
      AceFlags: 
    Mask: 0x7F
      DV_DS_CONTROL_FOLDER
      DV_DS_DELETE_FOLDER
      DV_DS_ADD_FOLDER
      DV_DS_READ_FOLDER
      DV_DS_DELETE_ITEM
      DV_DS_ADD_ITEM
      DV_DS_READ_ITEM
    Sid:
      SID: S-1-5-21-243037206-41955558-561332275-301338
      Name: Username
      DomainName: MyDomain
 

So, is there a general issue with 10.0.3 and permissions? When I do get hold of the customer, I'll manually add the permissions to see if it resolves the problem. But as I stated in my other thread, it's not a great solution!

Cheers for any advice, as always.

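An added example, not part of the original thread and not Symantec tooling: a small Python parser for permissions output in the layout pasted above, which lists trustees that hold a deny-type ACE covering a given right or an allow ACE missing it. The sample input is constructed; the ACCESS_DENIED_ACE_TYPE entry, ExampleGroup and the SIDs are assumptions, and the thread does not establish how Enterprise Vault weighs such entries.

```python
import re

# The seven rights listed under Mask 0x7F in the post's sample ACE.
RIGHTS = ("DV_DS_CONTROL_FOLDER DV_DS_DELETE_FOLDER DV_DS_ADD_FOLDER "
          "DV_DS_READ_FOLDER DV_DS_DELETE_ITEM DV_DS_ADD_ITEM DV_DS_READ_ITEM").split()

def render_ace(ace_type, sid, name, domain="MyDomain"):
    """Build one constructed ACE in the layout shown in the post (sample input only)."""
    rights = "".join(f"      {r}\n" for r in RIGHTS)
    return (f"Header:\n      AceType: {ace_type}\n      AceFlags:\n    Mask: 0x7F\n"
            f"{rights}    Sid:\n      SID: {sid}\n      Name: {name}\n"
            f"      DomainName: {domain}\n")

# Constructed sample: the SIDs and ExampleGroup are placeholders, and the deny-type
# ACE is hypothetical (the thread only shows an ACCESS_ALLOWED_ACE_TYPE entry).
SAMPLE_DUMP = (render_ace("ACCESS_ALLOWED_ACE_TYPE", "S-1-5-21-1-2-3-1001", "Username")
               + render_ace("ACCESS_DENIED_ACE_TYPE", "S-1-5-21-1-2-3-2002", "ExampleGroup"))

FIELD_RE = re.compile(
    r"^[ \t]*(AceType|Mask|SID|Name|DomainName):[ \t]*(\S.*?)[ \t]*$", re.M)
RIGHT_RE = re.compile(r"^[ \t]*(DV_DS_\w+)[ \t]*$", re.M)

def parse_aces(dump):
    """Split a dump on 'Header:' lines and return one dict per ACE."""
    aces = []
    for block in re.split(r"^[ \t]*Header:[ \t]*$", dump, flags=re.M)[1:]:
        fields = dict(FIELD_RE.findall(block))
        fields["rights"] = RIGHT_RE.findall(block)
        aces.append(fields)
    return aces

def flag_trustees(aces, right="DV_DS_READ_ITEM"):
    """Return (denied, lacking): trustees denied `right`, and allow ACEs without it."""
    denied, lacking = [], []
    for ace in aces:
        who = f"{ace.get('DomainName', '?')}\\{ace.get('Name', '?')}"
        if ace.get("AceType") == "ACCESS_DENIED_ACE_TYPE" and right in ace["rights"]:
            denied.append(who)
        elif ace.get("AceType") == "ACCESS_ALLOWED_ACE_TYPE" and right not in ace["rights"]:
            lacking.append(who)
    return denied, lacking

if __name__ == "__main__":
    print(flag_trustees(parse_aces(SAMPLE_DUMP)))
```
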


rasobey's picture

Again, resolved for one user by manually adding permissions in the EV console. I shouldn't be having to do this.

I'd already tried using EVPM to strip out the permissions and re-add them, as per this article:

http://www.symantec.com/business/support/index?pag...

What's the problem?

JesusWept3's picture

You know, I actually had this same issue in my lab environment. I think it was due to inherited permissions being set on the policy (not delegate permissions but inherited permissions).

rasobey's picture

Is there anything I can do except add manual permissions? I mean, if there's a workaround, fantastic, but the root cause needs to be identified I think. Going forward, I need to know my environment is ok.

Thanks btw!

JesusWept3's picture

Well first questions first, do you have inherited permissions enabled?
I think it was something like I was added in the domain as a group that didn't have permissions on the archive and for whatever reason it was overtaking my owner permissions, I think....

Honestly I didn't spend too much time troubleshooting it.

I think you might need to open a support case, get a dtrace of w3wp, agentclientbroker and AuthServer as well as the permissions browser output and see what they say.

SOLUTION
rasobey's picture

I think we have inherited permission. Certainly the mailbox owner is automatically added to the archive permissions and I cannot remove it.

Cheers.