Starting the Enterprise Vault Admin Service or the Enterprise Vault Accelerator Manager Service fails with an error indicating that some services stop automatically.
Problem
Attempting to start the Enterprise Vault Admin Service on an Enterprise Vault (EV) server or the Enterprise Vault Accelerator Manager Service on a Compliance Accelerator (CA) or Discovery Accelerator (DA) server displays a pop-up error stating some services stop automatically.
Error Message
On an Enterprise Vault server:
1. Pop-up error (See Figure 1 for a screen shot of the pop-up error) -
The Enterprise Vault Admin Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
Figure 1. Screen shot of EV server pop-up error.
2. Symantec Enterprise Vault Event Log entry (See Figure 2 for a screen shot of the event log entry) -
Source: Enterprise Vault
Event ID: 4283
Task Category: Admin Service
Level: Error
Description:
Enterprise Vault Admin Service will be stopped due to failure of the temporary folder security check: temporary folder E:\VSATemp\ does not satisfy security requirements
V-437-4283
3. Dtrace log entry of the AdminService process with the Vault Service Account's TEMP folder set to 'E:\VSATemp' -
EV:L CPermissionsHelper::IsFolderSecure Entry. Checking folder 'E:\VSATemp\'
EV:L CPermissionsHelper::LoadExceptionssFromRegistry Entry
EV:L CPermissionsHelper::LoadExceptionssFromRegistry Exit
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 4
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid: passed sid is a well known sid, test passed.
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 5
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid: passed sid is a well known sid, test passed.
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 5
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid Exit :passed sid is not a well known admin sid.
EV:L CPermissionsHelper::IsSidAllowed Testing owner sid...
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid: passed sid is a well known sid, test passed.
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 4
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid: passed sid is a well known sid, test passed.
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 5
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid: passed sid is a well known sid, test passed.
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 5
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid Exit :passed sid is not a well known admin sid.
EV:L CPermissionsHelper::IsSidAllowed Testing owner sid...
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid: passed sid is a well known sid, test passed.
EV:L CPermissionsHelper::IsSidAllowed Entry, sid type : 4
EV:L CPermissionsHelper::IsAllowedAdminSid Entry
EV:L CPermissionsHelper::IsAllowedAdminSid Exit :passed sid is not a well known admin sid.
EV:L CPermissionsHelper::IsSidAllowed Exit. Username: Users
EV:L CPermissionsHelper::IsFolderSecure SID is not in the approved list, proceeding to registry lookup..
EV:L CPermissionsHelper::IsSidInRegistryList Entry
EV:L CPermissionsHelper::IsSidInRegistryList Exit - BUILTIN\Users
EV:L CPermissionsHelper::IsFolderSecure SID not found in registry, test has failed.
EV:L CPermissionsHelper::IsFolderSecure Exit
EV~E Event ID: 4283 Enterprise Vault Admin Service will be stopped due to failure of the temporary folder security check: temporary folder E:\VSATemp\ does not satisfy security requirements |
EV:H {CServiceModule::IsTemporaryFolderSecure:#2506} Temporary folder check has failed on folder E:\VSATemp\.
On a Compliance Accelerator (CA) or Discovery Accelerator (DA) server:
1. Pop-up error (See Figure 3 for a screen shot of the pop-up error) -
The Enterprise Vault Accelerator Manager Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
Figure 3. Screen shot of EV server pop-up error.
2. Symantec Enterprise Vault Event Log entry (See Figure 4 for a screen shot of the event log entry) -
Source: Accelerator Manager
Event ID: 585
Task Category: None
Level: Error
Description:
APP ATM - The Accelerator Manager service will be stopped because the temporary folder E:\VSATemp\ does not satisfy security requirements. For guidelines on how to resolve this issue, see the documentation.
3. Dtrace log entry of the AcceleratorManager process -
EV-L {WINDOWSSECURITY.EN_US} {C.EN_US} Starting folder security check for folder E:\VSATemp
EV-L {WINDOWSSECURITY.EN_US} {C.EN_US} SID is amongst the allowed Admin's SID. Passing the test
EV-L {WINDOWSSECURITY.EN_US} {C.EN_US} SID is amongst the allowed Admin's SID. Passing the test
EV-L {WINDOWSSECURITY.EN_US} {C.EN_US} SID is amongst the allowed Admin's SID. Passing the test
EV-L {WINDOWSSECURITY.EN_US} {C.EN_US} Creater Owner SID is amongst the allowed Admin's SID. Passing the test
EV-L {WINDOWSSECURITY.EN_US} {C.EN_US} End folder security check
EV-H {-} {MANAGER.EN_US} {C.EN_US} Temporary storage area security check failed for folder E:\VSATemp. Accelerator Manager Service will be stopped.
EV-H {-} Exception: Error Manager_TempFolder_SecurityCheck_Failed Info:{ACCELERATOREVENT.EN_US} {C.EN_US} The Accelerator Manager service will be stopped because the temporary folder E:\VSATemp does not satisfy security requirements. For guidelines on how to resolve this issue, see the documentation. Diag: Type:System.Exception ST: Inner:None
Note that the Dtrace of the AcceleratorManager process will have one "SID is amongst the allowed Admin's SID. Passing the test" line for each CA or DA customer, including Custodian Manager in DA, for each account that is authorized to access the Vault Service Account's TEMP folder.
Cause
The Vault Service Account's TEMP folder sometimes has to be moved from the operating system drive (i.e., the C:\-Drive) to another drive to allow for more available space when processing export requests through the Vault Admin Console or through CA or DA exports. By default, creating a new TEMP folder for the Vault Service Account (VSA) on a different drive will cause the new folder to inherit the permissions of the parent folder or the root of the drive. The default permissions often include the local Users group and can be configured with other local and / or domain accounts.
Enterprise Vault 11.0 Service Pack 1 (11.0.1) introduces a new check for EV, CA and DA that validates the accounts that have been granted any permissions on the VSA TEMP folder. When any account or group is encountered during this check that does not meet the security requirements, the Enterprise Vault Admin service or the Enterprise Vault Accelerator Manager Service (EVAMS) will start and then stop immediately. When the service stops in this manner, the appropriate pop-up alert is displayed and the appropriate Event Log entry is written to the Symantec Enterprise Vault Event Log.
Only the following entities are expected to be granted permissions to the VSA TEMP folder by default:
- Administrators
- SYSTEM
- the Vault Service Account
Note that the enhanced security checking is also performed on computers where the CA and DA Client is launched, against the TEMP folder used by the logged on user's account. A failed security check results in a pop-up error with the options to exit (which will close the CA or DA Client), retest (which will run the security check in 60 seconds) or help (which will open the online help feature). For more information about how to resolve the security issue on the computer where the CA or DA Client is being run, refer to Article Answer ID # 100014415 in the Related Articles section of this document.
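The check described above can be approximated before a service restart. The following PowerShell script is an added example, not Enterprise Vault's own logic and not part of the original article: it lists every principal holding an Allow entry on the TEMP folder that is neither one of the three default entities nor named in TempFolderExceptions. The parameter names and the use of the primary registry location are assumptions of the example.

```powershell
# Added example: approximates the TEMP folder check; not Enterprise Vault's own logic.
# Save as a script and run while logged on as the Vault Service Account,
# so that $env:TEMP is the VSA TEMP folder.
param(
    [string]$TempFolder     = $env:TEMP,
    [string]$ServiceAccount = "$env:USERDOMAIN\$env:USERNAME",
    [string]$RegistryKey    = 'HKLM:\SOFTWARE\Wow6432Node\KVS'   # primary location from the article
)

# Principals the article lists as expected by default.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $ServiceAccount)

# Append names from TempFolderExceptions, if present (semicolon-separated).
$entry = Get-ItemProperty -Path $RegistryKey -Name TempFolderExceptions -ErrorAction SilentlyContinue
if ($entry) {
    $allowed += @($entry.TempFolderExceptions -split ';' |
                  ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$acl = Get-Acl -LiteralPath $TempFolder

# Any Allow entry for a principal outside the list is a candidate for Event ID 4283 / 585.
$unexpected = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
})

# The EV Dtrace also shows an owner test, so report an unexpected owner too.
$ownerOk = $allowed -contains $acl.Owner

if ($unexpected.Count -eq 0 -and $ownerOk) {
    Write-Output "OK: only expected principals hold permissions on $TempFolder"
} else {
    $unexpected | Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
    if (-not $ownerOk) { Write-Output "Unexpected owner: $($acl.Owner)" }
}
```

Entries reported with IsInherited set to True come from the parent folder or drive root, which is the situation the Cause section describes.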
Solution
There are three possible solutions to this issue. All are performed on the CA or DA server while the Vault Service Account (VSA) is logged on.
- Check and correct the VSA's TEMP folder permissions of any unnecessary accounts.
- Create a registry entry listing all user accounts that are authorized to access the VSA's TEMP folder.
- Create a registry entry forcing the enhanced security check to be skipped for CA or DA servers only.
1. To check and correct the permissions granted on the logged on user's TEMP folder:
- Obtain the location of the VSA TEMP folder.
- Open a Command Prompt.
- Run the following command in the Command Prompt window
- set
- Review the output of the 'set' command to locate the TEMP and TMP information (i.e., E:\VSATemp).
- Close the Command Prompt by running the following command in the Command Prompt window
- exit
- Open Windows Explorer.
- Navigate to the VSA TEMP folder location obtained above.
- Right click on the VSA TEMP folder.
- Select the Properties option.
- Click on the Security tab.
- Review the entities (group and user accounts) that are listed as having any permissions granted. If any entry or entries exist that do not need to have permissions to the VSA TEMP folder -
- Click on the Advanced button in the lower portion of the Security tab.
- Click on the Change Permissions button near the lower left portion of the permissions pane.
- By default, permissions are inherited from the root level of the drive, so the inheritance must be removed
- Uncheck the check box for the Include inheritable permissions from this object's parent option.
- A Windows Security dialog box will be displayed providing a warning stating the inheritable permissions will no longer propagate to the folder object.
- Click on the Add button to add the existing accounts to the new security list that will be created for the VSA TEMP folder and its contents.
- Click on any group or user account entry in the new list that does not need to have access to the VSA TEMP folder.
- Click the Remove button.
- Repeat the steps for each group or user account entry that does not need to access the VSA TEMP folder.
- When all unneeded groups and users have been removed
- Click on the check box for the Replace all child object permissions with inheritable permissions from this object to place a check mark in it.
- Click the Apply button to propagate down the folder's contents the new security permissions.
- Click the Yes button in the Windows Security alert dialog box that will be displayed so the permissions propagation will continue.
- Click the OK button when the permissions propagation has completed.
- Click the OK button again to return to the VSA TEMP folder Properties window.
- Click the OK button once more to close the VSA TEMP folder Properties window.
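The same permission changes can be made from an elevated PowerShell prompt with icacls. This is an added example, not a Veritas-supplied procedure; the folder path is the article's example, the principal to remove is the one the EV Dtrace above reports (BUILTIN\Users), and the backup file name is an assumption.

```powershell
# Added example: command-line equivalent of the GUI steps above; not Veritas-supplied.
$folder = 'E:\VSATemp'            # VSA TEMP folder from the article's example
$remove = @('BUILTIN\Users')      # principal the Dtrace reports as failing; extend as needed
$backup = Join-Path $env:USERPROFILE 'VSATemp-acl-backup.txt'   # assumed file name

# Save the current ACLs first so the change can be undone with icacls /restore.
icacls $folder /save $backup /T /C | Out-Null

# "Uncheck Include inheritable permissions" + "Add":
# stop inheriting and keep the inherited entries as explicit ones.
icacls $folder /inheritance:d
if ($LASTEXITCODE -ne 0) { throw "Could not change inheritance on $folder" }

# "Remove": drop every granted right held by each unneeded principal.
foreach ($principal in $remove) {
    icacls $folder /remove:g $principal
    if ($LASTEXITCODE -ne 0) { throw "Could not remove $principal from $folder" }
}

# "Replace all child object permissions with inheritable permissions from this object":
# reset the folder's contents so they inherit from the corrected folder ACL.
icacls "$folder\*" /reset /T /C /Q

# Show the resulting ACL for review before starting the service.
icacls $folder
```

If the folder is empty, the /reset step reports that no files were found; the folder ACL has still been corrected.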
2. To create a registry entry listing all user accounts that are authorized to access the VSA's TEMP folder:
- Open the registry editor, regedit.
- Navigate to the appropriate registry key.
- The primary location on any EV, CA or DA server is:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS
- The alternate location on the Enterprise Vault server -
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Enterprise Vault\AdminService
- The alternate location on the Compliance Accelerator server -
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Compliance Accelerator
- The alternate location on the Discovery Accelerator server-
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Discovery Accelerator
- Create and set the following registry entry -
- TempFolderExceptions
- Type: REG_SZ (string value)
- Value: The names of one or more users or groups to be exempt from the security check. Each entry must be in the form of domain\user_name or BUILTIN\user_name. Multiple entries must be separated by semicolons (e.g., BUILTIN\Server Operators;EVLab\TestUser1;EVLab\TestUser2).
- For example, using the primary registry path and the example accounts above, the entry would be as follows:
- TempFolderExceptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\TempFolderExceptions
- REG_SZ: BUILTIN\Server Operators;EVLab\TestUser1;EVLab\TestUser2
- Close the registry editor.
- Start the Enterprise Vault Admin Service on the EV server or the Enterprise Vault Accelerator Manager Service (EVAMS) on the CA or DA server.
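The TempFolderExceptions entry can also be written from an elevated PowerShell prompt. This added example (not part of the original article) uses the article's primary registry path and example accounts, and first confirms that each name is in domain\user_name form and resolves to a SID, so a mistyped name is caught before it is written.

```powershell
# Added example: validates names before writing TempFolderExceptions; not Veritas-supplied.
$key   = 'HKLM:\SOFTWARE\Wow6432Node\KVS'     # primary location from the article
$names = @('BUILTIN\Server Operators', 'EVLab\TestUser1', 'EVLab\TestUser2')  # article's example accounts

foreach ($name in $names) {
    # Each entry must be domain\user_name or BUILTIN\user_name, with no semicolon inside it.
    if ($name -notmatch '^[^\\;]+\\[^\\;]+$') {
        throw "Not in domain\user_name form: $name"
    }
    try {
        # Throws if Windows cannot map the name to a SID (typo, deleted account).
        $null = ([System.Security.Principal.NTAccount]$name).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve '$name' to a SID; correct the name before adding it."
    }
}

# Write the semicolon-separated list as a REG_SZ value.
New-ItemProperty -Path $key -Name TempFolderExceptions -PropertyType String `
                 -Value ($names -join ';') -Force | Out-Null

# Read the value back to confirm what was stored.
(Get-ItemProperty -Path $key -Name TempFolderExceptions).TempFolderExceptions
```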
3. To create a registry entry forcing the enhanced security check to be skipped on CA or DA servers only (not recommended by Veritas unless the TempFolderExceptions entry does not work):
- Open the registry editor, regedit.
- Navigate to the appropriate registry key.
- On any CA or DA server, the primary location is:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\
- The alternate location on the Compliance Accelerator server is:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Compliance Accelerator
- The alternate location on the Discovery Accelerator server is:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\Discovery Accelerator
- Create the following registry entry and set it to 1 -
- SkipTempFolderCheck
- Type: REG_DWORD
- Values:
- 0 - Default value that enables the security check to run.
- 1 - Value to turn off the security check.
- For example, using the primary registry path, the entry to turn off the TEMP folder security check would be as follows:
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS
- SkipTempFolderCheck REG_DWORD 1
- Close the registry editor.
- Start the Enterprise Vault Accelerator Manager Service (EVAMS).
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.