Problem
Consider the following scenario.
User A has permissions to User B archive.
A) User A opens the Enterprise Vault Search (EVS) page (http://evserver/EnterpriseVault/Search/Shell.aspx)
B) Selects User B's archive from the drop down menu and selects a few messages to be restored to User B's Exchange Mailbox.
The restore may show a "failed" state and Event ID 3424 will be logged as seen below.
Error Message
Event ID: 3424
The User 'ABCD\sa-evadmin' attempted to restore an item into mailbox 'TestUserDC1'. The request has failed because the user does not have full mailbox access or administrator rights to this mailbox.
A Dtrace during the restore attempt shows:
3380] (RetrievalTask) <4480> EV:L CBaseDirectoryServiceWrapper::CreateDirectoryService() - Successfully communicated with an EV Directory Service on the local machine
1008 13:45:54.808 [3380] (RetrievalTask) <4480> EV:L CBaseDirectoryServiceWrapper::CreateDirectoryService() - Entry [m_nNumTries = 40]
1009 13:45:54.808 [3380] (RetrievalTask) <4480> EV:L CBaseDirectoryServiceWrapper::CreateDirectoryService() - Successfully communicated with an EV Directory Service on the local machine
1010 13:45:54.839 [3380] (RetrievalTask) <4480> EV~W Event ID: 3424 The User 'ABCD\sa-evadmin' attempted to restore an item into mailbox 'TestUserDC1'. The request has failed because the user does not have full mailbox access or administrator rights to this mailbox. | |Item being restored: |SavesetID: 201205096573616~201205091340220000~Z~90E3BD64B6E99AAFD708BFBD7F1FD941 |Archive Name: EVTESTArchive |Task: Exchange Mailbox Archiving Task for PLLVVSEXCH03(Retrieval) |
1011 13:45:54.839 [3380] (RetrievalTask) <4480> EV:L {CQueue::~CQueue} (Entry)
1012 13:45:54.839 [3380] (RetrievalTask) <4480> EV:L {CQueue::~CQueue} (Exit)
1013 13:45:54.839 [3380] (RetrievalTask) <4480> EV:M {CRestorationAgent::SavesetAvailable:#854} Finished restoring message into an Exchange message store: [0x0]
V-437-3424
Cause
The Vault Service Account is being used.
Or
User A does not have the proper Exchange Mailbox permissions to User B
Or
User A has full mailbox rights to User B via group membership.
Solution
Note : Security was tightened in EV 8.0 SP3, such that the vault service account is no longer able to restore items to anyone's mailbox. This is because the VSA's ability to restore items to other user's mailboxes has been removed within the EV code. This is by design.
User A requires explicit full access mailbox rights to User B in order to run a restore of messages to the mailbox using Enterprise Vault restore methods.
It is recommended that a new user be created for the purpose of performing alternate mailbox restorations. This will allow an organization to use one specific account that can be set up in advance, rather than apply permissions to many user accounts, over time. This user, which will be referred to as the "Restoring User", must have explicit full access permissions to the destination mailbox and permissions to the archive from which the item is being restored.
Applies To
EV 10.x, 11.x, 12.x
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.