Accelerator Client displays an error pop-up every minute stating the temporary folder security requirements are not satisfied.
Problem
When the Compliance Accelerator (CA) or Discovery Accelerator (DA) Client is launched on a workstation, a pop-up box is also displayed with the error text shown in the Error Message section below.
Error Message
On the Compliance Accelerator Client (see Figure 1):
Error
The temporary folder that Compliance Accelerator uses does not satisfy
security requirements. Do you want to exit Compliance Accelerator or
retest the folder security?
Figure 1. Screen shot of the pop-up error on the Compliance Accelerator Client.
On the Discovery Accelerator Client:
Error
The temporary folder that Discovery Accelerator uses does not satisfy
security requirements. Do you want to exit Discovery Accelerator or
retest the folder security?
Cause
This occurs when additional accounts have been granted permissions on the logged on user's TEMP folder, typically through inheritance from a parent folder. By default, a user's TEMP folder inherits the permissions of its parent folder or the root of the drive. The default permissions include the local Administrators group, the SYSTEM account and the logged on user's account; if the parent folder also grants other local and/or domain accounts access, those grants are inherited by the TEMP folder.
Beginning with Enterprise Vault 11.0 Service Pack 1 (11.0.1), EV, CA and DA check which accounts have been granted any permissions on the logged on user's TEMP folder. If any account or group is found that does not meet the security requirements, the check causes the pop-up alert to be displayed.
Only the following entities are expected to be granted permissions to the logged on user's TEMP folder by default:
- Administrators
- SYSTEM
- The logged on user's account
The pop-up offers the option buttons of Exit, Retest and Help.
- The Exit option closes the Client immediately.
- The Retest option retests the folder's security after 60 seconds. If the folder's security is sufficient to pass the check, the pop-up will not appear again. If the folder's security is not sufficient to pass the check, the pop-up will appear again. While the 60 second period is running, the Client will function as allowed by the user's permissions on the CA Departments or DA Cases as assigned through the user's Role assignments.
- The Help option displays the Help dialog stating that the user's TEMP folder permissions need to be checked and corrected, or that a registry entry must be added listing the accounts shown in the user's TEMP folder permissions display.
For optimal security, Veritas recommends removing any other account or group from the user's TEMP folder so that only the actual user, the SYSTEM account and the local Administrators group have any NTFS permissions on the folder and its contents (sub-folders and files).
Note that the enhanced security check is also performed on the CA and DA servers for the TEMP folder used by the account running the Enterprise Vault Accelerator Manager Service. This account should be the Vault Service Account (VSA). A failed security check prevents the Enterprise Vault Accelerator Manager Service (EVAMS) from starting, or stops it if it is already running when the permissions on the VSA's TEMP folder change. For more information about how to resolve the service stoppage on the CA or DA server, refer to Article ID # 100013877 in the Related Articles section of this document.
Solution
There are three possible solutions to this issue; only one of them should be needed. Each solution is performed on the computer where the user is logged on and attempting to use the CA or DA Client. Solution 1 is the recommended one: solutions 2 and 3 leave the additional accounts with access to the TEMP folder and its contents and only exempt them from, or skip, the check, so use them only where the folder permissions cannot be corrected.
- Check and correct the logged on user's TEMP folder permissions of any unnecessary accounts.
- Create a registry entry listing all user accounts that are authorized to access the logged on user's TEMP folder.
- Create a registry entry causing the enhanced security check to be skipped for the logged on user on the computer attempting to run the CA or DA client.
1. To check and correct the permissions granted on the logged on user's TEMP folder:
- Obtain the location of the logged on user's TEMP folder:
  - Open a Command Prompt.
  - Run the following command in the Command Prompt window:
    set
  - Review the output of the set command to locate the TEMP and TMP values (e.g., C:\Users\TestUser1\AppData\Local\Temp).
  - Close the Command Prompt by running the following command:
    exit
- Open Windows Explorer.
- Navigate to the TEMP folder location obtained from the set output above.
- Right click on the logged on user's TEMP folder and select the Properties option.
- Click on the Security tab.
- Review the entities (group and user accounts) listed as having any permissions granted. If any entries exist that do not need permissions to the logged on user's TEMP folder:
  - Click on the Advanced button in the lower portion of the Security tab.
  - Click on the Change Permissions button near the lower left of the permissions pane.
  - By default, permissions are inherited from the root of the drive, so the inheritance must be removed first:
    - Uncheck the Include inheritable permissions from this object's parent check box.
    - A Windows Security dialog box warns that inheritable permissions will no longer propagate to this folder object.
    - Click the Add button to copy the currently inherited entries into the new, explicit permission list for the TEMP folder and its contents.
  - Click on any group or user account entry in the new list that does not need access to the logged on user's TEMP folder.
  - Click the Remove button.
  - Repeat the previous two steps for each group or user account entry that does not need access to the TEMP folder.
  - When all unneeded groups and users have been removed:
    - Check the Replace all child object permissions with inheritable permissions from this object check box.
    - Click the Apply button to propagate the new permissions down through the folder's contents.
    - Click the Yes button in the Windows Security alert dialog box so that the permissions propagation continues.
    - Click the OK button when the permissions propagation has completed.
    - Click the OK button again to return to the TEMP folder Properties window.
    - Click the OK button once more to close the TEMP folder Properties window.
2. To create a registry entry listing all accounts that are authorized to access the logged on user's TEMP folder:
- Open the registry editor, regedit.
- Navigate to the appropriate registry key.
- For running the CA or DA Client on a server for troubleshooting purposes only (not supported for daily operations):
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\
- For running the CA or DA Client on a client computer, use either of the following:
- (Primary) HKEY_CURRENT_USER\Software\KVS\
- (Alternate) HKEY_USERS\user_security_identifier\Software\KVS\
- NOTE: One of the above paths may work where the other will not. Veritas recommends implementing the primary path and testing. If that path does not work, use the alternate path. Both paths may be needed.
- Notes:
- If any of these keys do not exist, they must be created. Some of these keys may not exist if the CA or DA Client was installed per-machine rather than per-user (e.g., installed using the msiexec /i command with the ALLUSERS=1 option).
- The user_security_identifier is typically the Active Directory SID (Security Identifier) assigned to the user's logon account. To locate the user_security_identifier if multiple users access the computer:
- In the registry editor -
- Click on the HKEY_USERS key to select that key as the focus of the next actions.
- Click on the Edit drop-down menu
- Select the Find option.
- Enter the user's logon name into the Find what: field.
- Click the Find Next button.
- Press the F3 key as needed until the user's logon ID is shown in the right panel.
- Note in the path statement under the left pane the user_security_identifier that follows Computer\HKEY_USERS\.
- In the registry editor, under the key chosen above, create and set the following registry entry:
- TempFolderExceptions
- Type: REG_SZ (string)
- Value: The name or names of one or more users or groups to be exempt from the security check. Each entry must be in the form domain\user_name (or BUILTIN\group_name for a built-in group). Multiple entries must be separated by semicolons (e.g., BUILTIN\Server Operators;EVLab\TestUser2;EVLab\TestUser3).
- For example, using the HKEY_LOCAL_MACHINE path on a server and the accounts above, the registry entry would look like the following:
HKEY_LOCAL_MACHINE\
SOFTWARE\
Wow6432Node\
KVS\
TempFolderExceptions REG_SZ BUILTIN\Server Operators;EVLab\TestUser2;EVLab\TestUser3
- For example, using the primary path on a client workstation where the same accounts have permissions on the user's TEMP folder, the registry entry would look like the following:
HKEY_CURRENT_USER\
Software\
KVS\
TempFolderExceptions REG_SZ BUILTIN\Server Operators;EVLab\TestUser2;EVLab\TestUser3
- For example, using the alternate path on a client workstation where the user_security_identifier is S-1-5-21-4147433086-1421622423-4039819891-1110 and the same accounts have permissions on the user's TEMP folder, the registry entry would look like the following:
HKEY_USERS\
S-1-5-21-4147433086-1421622423-4039819891-1110\
Software\
KVS\
TempFolderExceptions REG_SZ BUILTIN\Server Operators;EVLab\TestUser2;EVLab\TestUser3
- Close the registry editor.
- Restart the CA or DA Client.
3. To create a registry entry causing the enhanced security check to be skipped for the logged on user on the computer attempting to run the CA or DA client:
- Open the registry editor, regedit.
- Navigate to the appropriate registry key.
- For running the CA or DA Client on a server for troubleshooting purposes only (not supported for daily operations):
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KVS\
- For running the CA or DA Client on a client computer, use either of the following:
- (Primary) HKEY_CURRENT_USER\Software\KVS\
- (Alternate) HKEY_USERS\user_security_identifier\Software\KVS\
- NOTE: One of the above paths may work where the other will not. Veritas recommends implementing the primary path and testing. If that path does not work, use the alternate path.
- Notes:
- If any of these keys do not exist, they must be created. Some of these keys may not exist if the CA or DA Client was installed per-machine rather than per-user (e.g., installed using the msiexec /i command with the ALLUSERS=1 option).
- The user_security_identifier is typically the Active Directory SID (Security Identifier) assigned to the user's logon account. To locate the user_security_identifier if multiple users access the computer:
- In the registry editor -
- Click on the HKEY_USERS key to select that key as the focus of the next actions.
- Click on the Edit drop-down menu
- Select the Find option.
- Enter the user's logon name into the Find what: field.
- Click the Find Next button.
- Press the F3 key as needed until the user's logon ID is shown in the right panel.
- Note in the path statement under the left pane the user_security_identifier that follows Computer\HKEY_USERS\.
- In the registry editor, under the key chosen above, create and set the following registry entry:
- SkipTempFolderCheck
- Type: REG_DWORD
- Values:
- 0 - Default value; the security check runs.
- 1 - Turns the security check off.
- For example, using the HKEY_LOCAL_MACHINE path on a server, the registry entry to turn off the security check would be the following:
HKEY_LOCAL_MACHINE\
SOFTWARE\
Wow6432Node\
KVS\
SkipTempFolderCheck REG_DWORD 1
- For example, using the primary path on a client workstation, the registry entry to turn off the security check would be the following:
HKEY_CURRENT_USER\
Software\
KVS\
SkipTempFolderCheck REG_DWORD 1
- For example, using the alternate path on a client workstation where the user_security_identifier is S-1-5-21-4147433086-1421622423-4039819891-1110, the registry entry to turn off the security check would be the following:
HKEY_USERS\
S-1-5-21-4147433086-1421622423-4039819891-1110\
Software\
KVS\
SkipTempFolderCheck REG_DWORD 1
- Close the registry editor.
- Restart the CA or DA Client.
Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to the Windows registry. Registry modifications should only be carried out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made before making any registry changes.
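As an added example (not Veritas code and not part of the original article), the following Windows PowerShell script performs the TEMP folder audit and clean-up from Solution 1 from the command line, and builds the TempFolderExceptions value from Solution 2 for accounts that must keep their access. It assumes Windows PowerShell 5.1 or later and the built-in icacls.exe; the function names, the treatment of entries that survive only as raw SIDs, and the HKCU:\Software\KVS default are choices made here, not Veritas identifiers. The trusted set is expressed as well-known SIDs (Administrators S-1-5-32-544, SYSTEM S-1-5-18, plus the current user's SID) so that it does not depend on the display language of the account names.

```powershell
# Added example (not Veritas code): audit the logged on user's TEMP folder ACL
# the way the Accelerator client check does (only Administrators, SYSTEM and the
# user are expected), then either tighten the ACL (Solution 1) or write the
# TempFolderExceptions value for accounts that must keep access (Solution 2).
# Assumes Windows PowerShell 5.1 or later and the built-in icacls.exe.

$ExpectedSids = @(
    'S-1-5-32-544'                                                        # BUILTIN\Administrators
    'S-1-5-18'                                                            # NT AUTHORITY\SYSTEM
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # the logged on user
)

function Get-TempFolderAudit {
    # Returns one object per ACE on the folder. Expected = $false marks an
    # identity the client check would reject.
    param([string]$Path = $env:TEMP)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference
        try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $id.Value }   # orphaned SID that no longer resolves to an account
        [pscustomobject]@{
            Account   = $id.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Expected  = ($ExpectedSids -contains $sid)
        }
    }
}

function Repair-TempFolderAcl {
    # Solution 1 with icacls, mirroring the Explorer steps: disable inheritance
    # while keeping copies of the inherited entries, remove each unexpected
    # identity, then reset the children so they inherit from the TEMP folder
    # alone. Commands are only printed unless -Apply is given.
    param([string]$Path = $env:TEMP, [switch]$Apply)
    $strays = Get-TempFolderAudit -Path $Path |
              Where-Object { -not $_.Expected } |
              Select-Object -ExpandProperty Account -Unique
    if (-not $strays) { Write-Host "No unexpected entries on $Path"; return }

    $steps = @()
    $steps += ,@($Path, '/inheritance:d')                 # uncheck "Include inheritable permissions", click Add
    foreach ($acct in $strays) {
        $name = if ($acct -match '^S-1-') { "*$acct" } else { $acct }   # icacls addresses a raw SID with a * prefix
        $steps += ,@($Path, '/remove', $name)             # select the entry, click Remove
    }
    $steps += ,@("$Path\*", '/reset', '/T', '/C', '/Q')   # "Replace all child object permissions ..."

    foreach ($argv in $steps) {
        Write-Host ('icacls ' + ($argv -join ' '))
        if ($Apply) {
            & icacls.exe @argv | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "icacls failed on: $($argv -join ' ')" }
        }
    }
}

function Set-TempFolderExceptions {
    # Solution 2: write the semicolon-separated domain\name list under the
    # per-user key (the article's primary path). Entries that survive only as
    # raw SIDs cannot be named here; remove them from the ACL instead.
    param([string[]]$Accounts, [string]$KeyPath = 'HKCU:\Software\KVS')
    $named = @($Accounts | Where-Object { $_ -notmatch '^S-1-' })
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'TempFolderExceptions' -PropertyType String `
                     -Value ($named -join ';') -Force | Out-Null
    (Get-ItemProperty -Path $KeyPath).TempFolderExceptions
}

# Usage: show the ACL, then preview the fix. Add -Apply to change the ACL, or
# uncomment the last line to keep the access and exempt those accounts instead.
$audit = Get-TempFolderAudit
$audit | Format-Table Account, Rights, Inherited, Expected -AutoSize
$strays = @($audit | Where-Object { -not $_.Expected } | Select-Object -ExpandProperty Account -Unique)
if ($strays.Count -gt 0) {
    Repair-TempFolderAcl
    # Set-TempFolderExceptions -Accounts $strays
}
```

Run the script as the affected user, since $env:TEMP and the HKCU hive are resolved for whoever is logged on. The audit lists every ACE, including Deny entries and entries whose account can no longer be resolved; the clean-up removes any identity outside the trusted set, which matches the article's recommendation, whereas the exceptions value only silences the check for the named accounts and leaves their access in place. The VSA's TEMP folder on the CA or DA server is not covered by this script.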
Applies To
Enterprise Vault Compliance Accelerator 11.0.1 and greater Client
Enterprise Vault Discovery Accelerator 11.0.1 and greater Client