HOWTO: Remove inherited permissions from Symantec Enterprise Vault Archive

First let me say that I take back everything nice I ever said about Enterprise Vault.  It’s a Symantec product and that heritage shines through.

I was tasked with removing two permissions from an EV archive for, let’s call him, “A User”.  Simple, right?  Ha!

I connected to our EV Server and opened the Admin Console.  I browsed to Archives, found A User’s account, double clicked on it and went to permissions.  I find a SID along with two additional users that I’d like to remove.  I select each of them and press remove.  It tells me it can’t because “the permissions are automatically set”.

After a bunch of research, it appears that these two people had permissions assigned directly to A User’s Active Directory account that were synchronized with EV at one point.  The official fix appears to be to remove these permissions from the user’s Active Directory account and then re-sync.  Unfortunately, A User’s AD account has already been deleted so this wasn’t possible.  After much more research, I finally figured out how to do this.  I have to zap (yes zap) the mailbox using the following convoluted process:

–    Open Notepad and add several line items
–    Save the file as UNICODE (as nothing else will work) and with an extension of .ini
–    Run the command line tool called EVPM (Enterprise Vault Policy Manager), passing several other pieces of information along with the path to the file you created above
–    This will clear all of the permissions.  You can then go back into the account and add whomever you want to manually

Now to the specifics:

–    My INI file was called username.ini (as all the help files I read suggested you create one for each zap you want to perform)
–    The file looks like this:

[Directory]
DirectoryComputerName=[EV servername]
SiteName=[EV Server Site]
[ArchivePermissions]
ArchiveName=1ECBCB7DA1EE8BC469E9595EA38C2EAB61110000[domain name]
Zap=True

You’ll note the Archive name.  All of the documentation I read said that you can simply provide the friendly archive name (i.e. “A User”) but if you do that, it’ll return an error “Error creating privileged MAPI session” as in:

image

So what you need to do is go into the properties of the archive and, under Advanced, copy the Archive ID listed.

–    Next you need to provide the system mailbox name.  This can be found under Enterprise Vault Servers / Tasks / the task archive sequence properties / Settings

–    You also have to provide the matching system mailbox to the server you specify

With all of this information, do the following:

–    On your EV Server, open an administrator command prompt and browse to E:\Program Files (x86)\Enterprise Vault
–    Run the command evpm.exe -e
–    For the Server name, provide your Exchange mailbox server
–    For the service mailbox alias, provide your Exchange mailbox server
–    For the location of your ini file, provide the full path including quotes.

If all goes well, you should see the results below:

image

–    Now go back into the EV Console and refresh the archives.  (Otherwise the old settings will still display).  View the security tab on your object again and it should be cleared.

–    Add back the users you want to have access

That should be it.  You should end up with something like this:

image

That’s how to delete a user permission from Enterprise Vault.
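
The INI file from the steps above can also be generated and checked from PowerShell instead of Notepad. This is an added example, not part of the original post or any Symantec tooling; the parameter names and the hex-prefix check on the Archive ID are assumptions based on the ID format shown above.

```powershell
# Added example (not from the original post): write the EVPM zap file as
# UTF-16 LE and confirm the encoding on disk. Parameter names are assumptions.
param(
    [Parameter(Mandatory)][string]$EvServer,    # value for DirectoryComputerName
    [Parameter(Mandatory)][string]$SiteName,    # value for SiteName
    [Parameter(Mandatory)][string]$ArchiveId,   # Archive ID from the archive's Advanced tab
    [string]$OutFile = 'username.ini'
)

# Assumption drawn from the ID shown in the post: an Archive ID starts with a
# long hex run, so a friendly name such as "A User" fails this check.
if ($ArchiveId -notmatch '^[0-9A-Fa-f]{32,}') {
    throw "ArchiveName must be the Archive ID, not the friendly archive name."
}

# Resolve against the PowerShell location; .NET file APIs would otherwise use
# the process working directory.
$path = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)

[string[]]$lines = @(
    '[Directory]'
    "DirectoryComputerName=$EvServer"
    "SiteName=$SiteName"
    '[ArchivePermissions]'
    "ArchiveName=$ArchiveId"
    'Zap=True'
)

# [Text.Encoding]::Unicode is UTF-16 LE; WriteAllLines emits its BOM (FF FE),
# which matches Notepad's "Unicode" save option.
[System.IO.File]::WriteAllLines($path, $lines, [System.Text.Encoding]::Unicode)

# Read the bytes back and fail if the BOM is missing.
$bytes = [System.IO.File]::ReadAllBytes($path)
if ($bytes.Length -lt 2 -or $bytes[0] -ne 0xFF -or $bytes[1] -ne 0xFE) {
    throw "$path is not UTF-16 LE with a BOM; EVPM input must be Unicode."
}

# Zap=True clears every permission on the archive, so show what will be submitted.
Write-Host "Wrote $($lines.Count) lines to $path"
$lines | ForEach-Object { Write-Host "  $_" }
Write-Host "Path to give EVPM (quoted): `"$path`""
```

Because the zap clears all permissions on the archive, note the entries you intend to keep from the archive's permissions tab before running EVPM so they can be added back afterwards.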
