
Unable to remove permission from archive

Created: 18 Oct 2013 • Updated: 29 Dec 2013 | 4 comments
This issue has been solved. See solution.

I have a permission that I can't get rid of.

At one time I granted User B full access to User A mailbox in Exchange 2010. Months later, User B has had all access to User A mailbox removed.

Both mailboxes and user accounts in AD are fully active.

User B permission to User A archive never went away. I have tried zapping and re-syncing the archive with no success. The permission keeps reappearing.

How can I remove this permission?

Any ideas?

Thanks,

Chris

TonySterling

Are you zapping the archive or the mailbox?

If you zap the archive and the permissions come back after the synch then there is still something set for them.

[ArchivePermissions]

If you can't sort it out you could set the manual deny on the archive for them.  That Deny will override the automatically set permissions.

SOLUTION
JesusWept3

Would suggest doing a permissions zap like Tony was suggesting and then DTrace AgentClientBroker and then manually sync the archive with folder hierarchy and permissions checked

Because by the sounds of it, even if you zap the permissions, they will probably come back, which would suggest that they have been given delegate permission from within Outlook OR you could have a non-inherited owner set through Exchange

Pradeep_Papnai

Run the following query in Exchange PowerShell (user B had permission on user A mailbox).

Get-MailboxPermission -Identity mailboxA@domain.local -user "mailboxB" |format-list

If this is returning the permission then you need to remove this permission.

Remove-MailboxPermission -Identity mailboxA@Domain.local -User "MailboxB" -AccessRights fullaccess -InheritanceType All

Then run an EVPM script as mentioned in tech note http://www.symantec.com/docs/TECH44818, like this example.

[Directory]
DirectoryComputerName=kvsvault
SiteName=archivesite

[ArchivePermissions]
ArchiveName=ArchiveName
Zap=True

Once it runs successfully, refresh the VAC and archives. Also check the following EV-Mailbox policy:

Select appropriate mailbox policy \ Advanced \ Archiving General.
Inherited permission = OFF.
Synchronize folder permission = off.

If the permissions are coming back, then zap it again with the above script, start dtrace on the 'agentclientbroker' process, and synch the mailbox from the properties of the archive.

Hope this helps.
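The checks suggested in this thread, combined into one read-only audit (an added example, not code from any poster or from Symantec): it lists User B's mailbox-level entries on User A's mailbox and then walks every folder for Outlook-granted delegate or sharing permissions, the two places a synchronized archive permission can keep coming from. The identities are the thread's placeholders, and the handling of the root folder is an assumption noted in the comments.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
# $Owner / $Grantee are the thread's placeholder identities for User A and User B.
$Owner   = 'mailboxA@domain.local'
$Grantee = 'mailboxB'
$found   = @()

# 1. Mailbox-level entries. IsInherited = False means an explicit grant on the
#    mailbox itself, which has to be removed with Remove-MailboxPermission.
foreach ($ace in @(Get-MailboxPermission -Identity $Owner -User $Grantee)) {
    $found += New-Object PSObject -Property @{
        Scope        = 'Mailbox'
        Folder       = '(mailbox)'
        AccessRights = ($ace.AccessRights -join ',')
        IsInherited  = $ace.IsInherited
    }
}

# 2. Folder-level entries (delegate access or folder sharing set from Outlook).
#    These do not show up in Get-MailboxPermission.
foreach ($f in @(Get-MailboxFolderStatistics -Identity $Owner)) {
    # FolderPath uses '/', folder identities use '\'.
    # Assumption: the root folder is reported with FolderType 'Root' and is
    # addressed as "mailbox:\".
    if ("$($f.FolderType)" -eq 'Root') { $path = '\' }
    else { $path = $f.FolderPath.Replace('/', '\') }

    # The cmdlet raises an error when the user has no entry on a folder;
    # that is the expected case here, so it is suppressed.
    $perms = Get-MailboxFolderPermission -Identity "${Owner}:$path" `
                 -User $Grantee -ErrorAction SilentlyContinue
    foreach ($p in @($perms)) {
        if ($p) {
            $found += New-Object PSObject -Property @{
                Scope        = 'Folder'
                Folder       = $path
                AccessRights = ($p.AccessRights -join ',')
                IsInherited  = 'n/a'
            }
        }
    }
}

# Anything listed here is a candidate source for the archive permission.
$found | Select-Object Scope, Folder, AccessRights, IsInherited |
    Format-Table -AutoSize
```

The script only reads permissions. An empty result means neither the mailbox nor any of its folders still lists User B.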

Chris.Rourk

Thank you all for your input.

I will try the suggestions and post back.

Thanks again,

Chris