search cancel

Manual scan stops with 0 messages scanned in Mail Security for Microsoft Exchange (SMSMSE)

book

Article ID: 164027

calendar_today

Updated On:

Products

Mail Security for Microsoft Exchange

Issue/Introduction

When running a manual scan, the scan shows finished immediately with 0 messages scanned. If the scan is editted, the list of mailboxes available is blank.

If a debugview log is generated during service startup per How to Obtain Debug Logs for Symantec Mail Security for Microsoft Exchange (SMSMSE) 

Entries similar to the following are written to the log:
SAVFMSESJM(6020)[6C78] 
 ..\..\..\src\Server\SAVFMSESJM\TExchDataProvider.cpp(1225) :    
Enumerating mailbox store 0: CN=Container name,CN=Exchange Administrative Group,CN=Administrative Groups,CN=Container name,CN=Microsoft Exchange,CN=Container Name,CN=Container Name,DC=Domain controller,DC=Domain Controller,DC=Domain Controller    
    
SAVFMSESJM(6020)[6C78]     
 ..\..\..\src\Server\SAVFMSESJM\TExchDataProvider.cpp(1701) :    
Debug Trace:  HRESULT=0x8007200A - The specified directory service attribute or value does not exist.    

Environment

Exchange 2007, 2010, 2013 or 2016

Cause

The SMSMSE service account does not have read access to the Exchange database object listed in the error above.

Resolution

Assign all permissions required to the SMSMSE service account per Permissions considerations for the Symantec Mail Security for Microsoft Exchange service account.

If all permissions appear correct per the above document, this is an indication that the Exchange-View Only Organization Management group is not granting read access to the database object listed above as expected.

Workaround
Manually assign the permission to read the database object to the SMSMSE service account via the Exchange Management Shell

  1. Open the Exchange Management Shell as administrator
  2. Run the command Get-MailboxDatabase -identity “<mailbox database name>” | Add-ADPermission -user <SMSMSE service account> -AccessRights Reviewer

This should allow the SMSMSE service account to read the contents of the mailbox database and build the list of users. Keep in mind that this is a workaround, ultimately the Exchange View-Only Administrators group should grant access to all Exchange databases. It is recommended to troubleshoot the underlying reason the Exchange View-Only Administrators group does not have read access to this database object.