kylehancock
10 years ago

Enterprise Vault mailboxes have "Automatically set" permissions

Hi everyone,

Question for the group. This could be something I'm missing easily, but wanted some clear guidance on dealing with the issue.

So I've got users who have access to everyone's vault. When I attempt to remove their access, I am told they cannot be removed as they have "automatically set" permissions associated with it. Now I've read that I can "zap" the permissions. What I want to do is make it so everyone has access to their own vaults and no one else's. I found the EVPM.exe and a folder called EVPMScripts that has a file called GrantVSAAccess.ini in it.

[Directory]

DirectoryComputerName=Server Name
Site Name= Site

[ArchivePermissions]

ArchiveName = ALL
GrantAccess = delete read write,Service Account

I'm assuming this is where I need to go to access the permissions so that not everyone and their mother has access to everyone's vaults. Do I need to make a new ini file and run that? How exactly do I zap these permissions and reset everyone to just have their own?

Thanks everyone!

  • You'll need to use the Exchange Management Console (EMC) and remove the permissions from the associated mailboxes. EV automatically assigns the permissions that are on the mailbox. Inherited permissions being unchecked only prevents container-level permissions from being set on the archive, but any additional permissions set directly on the mailbox will automatically be assigned.

  • If a permission is automatically set, it means that it was inherited from Exchange, so the next time sync runs, it'll be applied again.

  • Tony,

    Microsoft took away the "Mailbox Rights" on Active Directory on Exchange 2010, so I have no way of doing the first set of steps in this article. I did try the second part, and inherited permissions are already set to OFF.

    Any other ideas?

  • What do you have set for Synchronize folder permissions?

    Synchronize folder permissions (Exchange Archiving General setting)

    Description
    Controls whether synchronization of delegate and shared folder permissions within mailboxes are synchronized. If these are not synchronized, only mailbox owners have access to the corresponding archives. For example, this prevents delegates from having access to mailbox archives.

    Supported values
    Off. Folder permissions are not synchronized.
    On (default). Folder permissions are synchronized.

  • The tasks for my mailbox server have the "Mailbox Properties and Permissions" checked. I unchecked the "Mailbox Properties and Permissions" and synced it against my own account. The sync completed, but I am still showing users who have permissions against me and I can't remove them without still getting the same error.
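
Added example, not part of any poster's reply: one way to find the mailbox-level permissions that the reply about removing permissions from the mailboxes in Exchange refers to, using the Exchange Management Shell on Exchange 2010. The function name, the CSV path and the account EXAMPLE\svc-vault are placeholders chosen for this example; it covers mailbox-level entries only, not the folder permissions discussed under "Synchronize folder permissions".

```powershell
# Run in the Exchange Management Shell.
# Lists every explicit (non-inherited) Allow entry on each user mailbox that
# is granted to someone other than the mailbox owner. Per the replies in this
# thread, these are the entries Enterprise Vault copies onto the archive.

function Get-ExplicitMailboxGrant {   # hypothetical helper name
    param(
        # Trustees to ignore: the owner's own entry, plus any service accounts.
        [string[]]$ExcludeUser = @('NT AUTHORITY\SELF')
    )
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                -not $_.IsInherited -and
                -not $_.Deny -and
                $ExcludeUser -notcontains $_.User.ToString()
            } |
            Select-Object @{n='Mailbox';      e={$mbx.PrimarySmtpAddress.ToString()}},
                          @{n='User';         e={$_.User.ToString()}},
                          @{n='AccessRights'; e={$_.AccessRights -join ','}}
    }
}

# EXAMPLE\svc-vault is a placeholder for the Enterprise Vault service account.
$grants = Get-ExplicitMailboxGrant -ExcludeUser 'NT AUTHORITY\SELF', 'EXAMPLE\svc-vault'

# Keep a record of what was found before changing anything.
$grants | Export-Csv -Path .\explicit-mailbox-grants.csv -NoTypeInformation

# Preview the removals. -WhatIf reports what would be removed and changes
# nothing; review the CSV, then drop -WhatIf for the entries to be removed.
foreach ($g in $grants) {
    Remove-MailboxPermission -Identity $g.Mailbox -User $g.User `
        -AccessRights ($g.AccessRights -split ',') -Confirm:$false -WhatIf
}
```

As the replies describe, the archive follows the mailbox, so the change shows up on the archive after the next Enterprise Vault mailbox synchronization.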
