Accessing A GroupWise Account for Audit Purposes

This question comes up many times for legitimate reasons. Someone is trying to access a GroupWise mailbox for investigative purposes. This article is intended to outline how to meet those legitimate needs, both for the online version of the account (without the user knowing) and for a restored copy of the data.

ONLINE ACCESS

The GroupWise Security Basics:

In most systems, GroupWise client access has been configured (based on Novell recommendations) to Client Server Only. This means that users are not required to map a drive or have rights to the Post Office directory structure. This is key information as you do not want your users trying to modify anything within the message or directory store.

I highly recommend that your Post Office security be set to “high”. Setting security to high means one of two things is required in order to gain access to the GroupWise account: eDirectory authentication or a GroupWise password. Something that’s important to understand here is that GroupWise passwords are stored in a user database (if that fact alone hasn’t already given away where the rest of this article is going, you’ll catch on very soon).

Identifying the User:

Before I get into this portion, I would like to stress that in legal, security and human resource-type issues you should make sure that you are following documented processes and policies in conjunction with directives from some form of executive management - this will keep you and your processes out of the courtroom in the event things go that route. It also keeps you out of trouble in the office, as you’re not just following some manager’s request to know what “Sally has been doing all day in email”. Again, making sure your actions are set in motion by someone who is legally and ethically responsible, is the safest reason to perform these actions.

Based on a request for access being handed to you (the GroupWise administrator) from the appropriate area within your organization, you need to gather some information that will be used later in the process. You should obtain specific user information:

· What is the user’s full name?
· What is the user ID?

You will then use this information to gather data that is useful within the GroupWise system and the remaining process.
· The GroupWise user ID (if different)
· The GroupWise Post Office
· The path to the GroupWise Post Office (i.e. server, volume and directory)
· The GroupWise user’s FID

Accessing the Account:

IMPORTANT NOTE: This process should only be done when the user is not accessing their account. This can be done after hours or on a weekend.

With the information obtained above, the process goes as follows:

1. Map a drive to the Post Office server and volume.
2. Locate the database of the user whose account access has been requested, under the POST\OFUSER directory. It is named USERxxx.db, where xxx is the user’s FID identified in the step above. Copy this user’s database to your local PC or another server directory (only take a copy - make sure you don’t move it).
3. After you have a copy of the user database, reset the user’s GroupWise password via ConsoleOne. Because you now know the user’s password, you can log in to the user’s account through the GroupWise client.

Tread lightly...

Once you’re in the account there is one thing that should be done first, to make sure that your access is not seen by the end user. Go to the Tools menu, select Options and double-click the Send Options icon. Make sure that the user has not configured any email or other notifications for message tracking. This will prevent the rest of the process from being trackable. Once that is done, you’re set to obtain the GroupWise data from this account. The process I have found to be easiest and relatively fast is as follows:

1. Mass-select the items within the mailbox.
2. Forward the selected items in one email to another account (a utility account or your own). I typically fill the subject out on these forwarded emails as the user name - folder name (i.e. SMITH - Mailbox).
3. Continue through this process for each folder within the account (sent items, cabinet, and any personal folders).

Gathering the Trash:

This is the only point in the process where a user can stumble across the fact that the account has been accessed. In order to successfully gather trash, it needs to be moved from the trash to a folder in the cabinet.

1. I suggest you create a folder named something similar to "~err-restore"
2. Once the folder is created move the trash data to the ~err-restore folder.
3. You can then select and forward all items from that folder.
4. After the items have been forwarded, you can delete the folder and its items (so they go back to the trash).

The reason this process is different from the others is that there is the potential for the user to un-delete an item from the trash after you’ve accessed the account. That item may not be returned to its original folder, but rather to the folder it was moved to for forwarding (~err-restore). This is the only "footprint" that you’ll have left behind. The other alternative is to not gather the trash at all... which probably has what someone is looking for anyway.

Cleanup After Yourself:

Before you clean up the account, I recommend that you log in to the account that all of the items were forwarded to (a utility account or your own, as mentioned previously) and verify that you see the new mail items with the forwarded attachments. Once you verify that, you can remove any traces of your presence:

1. Log in to the user’s account again.
2. Go into the Sent Items folder and delete any items that you have created during this process. NOTE: Only delete these items from this account - not all mailboxes.
3. Go to the trash and empty the sent items that you deleted in step 2.
4. Log out of the account.
5. Open the mapped drive to the user’s Post Office server and volume.
6. Take the copy of the user database from your local PC or wherever you chose to place it and copy it back to the server under the POST\OFUSER directory.
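The copy of the user database taken in the "Accessing the Account" step and put back in the cleanup step above is evidence; a practitioner would record its hash when it is copied and verify it before copying it back. The following is an added example, not part of the original article or a Novell tool: it writes a small chain-of-custody manifest (hypothetical JSON format) for a copied USERxxx.db and verifies the copy later; the user ID, FID and requester values are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Stream the file through SHA-256 so a large user database need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_copy(db_copy, manifest, user_id, fid, requester):
    """Write a chain-of-custody record for a copied USERxxx.db (hypothetical manifest format)."""
    entry = {
        "user_id": user_id,
        "fid": fid,
        "file": os.path.basename(db_copy),
        "size": os.path.getsize(db_copy),
        "sha256": sha256_file(db_copy),
        "requested_by": requester,
        "copied_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest, "w", encoding="utf-8") as f:
        json.dump(entry, f, indent=2)
    return entry

def verify_copy(db_path, manifest):
    """True only if the file still has the size and SHA-256 recorded at copy time."""
    with open(manifest, encoding="utf-8") as f:
        entry = json.load(f)
    return (os.path.getsize(db_path) == entry["size"]
            and sha256_file(db_path) == entry["sha256"])

def demo():
    """Constructed sample: a fake user database, recorded, then verified before and after a change."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "USER7K3.db")  # constructed FID, not a real one
        with open(db, "wb") as f:
            f.write(b"constructed sample bytes standing in for a GroupWise user database\n")
        manifest = os.path.join(tmp, "USER7K3.manifest.json")
        record_copy(db, manifest, "SMITH", "7K3", "HR request ticket (placeholder)")
        intact = verify_copy(db, manifest)
        with open(db, "ab") as f:
            f.write(b"X")  # simulate a corrupted or altered copy
        return intact, verify_copy(db, manifest)
```

Run verify_copy against the file you are about to copy back to POST\OFUSER; a False result means the copy is not the one you took and should not be restored.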

Presenting...the Data:

Assuming you’ve already verified the data that was forwarded, you can start to prepare it within the account that now holds it. To keep things nice and clean, create a folder for that user (i.e. SMITH) and move all of the forwarded items into this folder.

I recommend that you then share this folder with the appropriate person (the person who requested the data). That person can then perform any data mining that they wish to via the shared folder. They can also print the data easily: when one email is selected to print and all attachments are selected, the entire forwarded item, all other attached emails and the attachments within those emails will print.

Again, I suggest that GroupWise administrators stay out of the data mining business as that can involve you in the legal aspects of anything that transpires afterwards.

OFFLINE DATA ACCESS

Working With Restored Data

This process takes a little bit of upfront work aside from restoring the data itself. In order to access the data from tape you need to, again, understand GroupWise security. At this point you should already have identified the user’s Post Office as described above in the online access section. You will then need a copy of the Post Office database with modified security settings. This process is best accomplished by using a restored domain database as well, because GroupWise Post Office databases store a copy of the configured GroupWise password if it has ever been set through ConsoleOne.

Using ConsoleOne, connect to the restored WPDOMAIN.DB that owns the Post Office that is also being restored. This must be done manually by navigating to Tools -> GroupWise System Operations -> Select Domain. Once connected, the entire system will appear as it does in the production version. At this point, locate the user object and clear the user's password. This won't actually perform an action, but it will drop the appropriate message into the Domain's file queues for processing. After this, you need to modify the Post Office's security settings. Again using the restored domain and the ConsoleOne connection, open the properties of the Post Office and go to the Security tab. Once at this tab, set the security option to low and apply the change, then close the POA object. Again, this will only place messages into the Domain's file queues for processing; it will not actually perform any action. The final step in configuration is to edit the Post Office Settings tab and change the client access to Client Server and Direct.

After all of the above configuration has been completed, right-click the Post Office object and select System Maintenance ->Rebuild Database and click Run. At the new window that appears change the path listed to an alternate location such as your local PC (i.e. C:\temp). Save this copy as you will need it for each restore instance if you require going back further than just one restored set of data.

Restore process:

The restoration of tape data should be done to a separate volume or directory to avoid annihilating your existing production system. Once the data is restored, you have a few simple steps to do to prepare the Directory Store:

1. Rename the wphost.db that was restored.
2. Copy the wphost.db that was captured in the instructions above into the restored directory structure.

Account modifications and account access:

IMPORTANT NOTE: As mentioned above, you may also need to restore a copy of the domain for the Post Office that was restored. This would only be needed if the user's GW password was ever set from ConsoleOne. If that is the case, you will have to connect to the restored Domain database (after putting the DC files in place) and clear the user's password, as well as set the Post Office's security settings to low and the client access mode to Client Server and Direct. Once you've done that, rebuild the Post Office database again and replace the restored version.

You need to prepare the restored user database before you can access it. It’s always best to assume that the user had a GroupWise password configured; you can then use GWCheck to clear that password. This means that you need to run GWCheck against the user database(s) identified in the "Identifying the User" section and reset the client options (with the clear password option checked). You need the user's FID so you know which user database to clear the password on.
Login as the user using the following command line switch:
C:\NOVELL\GroupWise\GRPWISE.EXE /ph-\\Server_name\volume_name\data\post
NOTE: see Novell TID 10026881 for additional info if needed.

Data extraction:

Here we go... You’re ready to login to the account. At this point the data is going to be extracted to a local PC. That PC can then have the directories copied elsewhere for someone else to peruse and print what’s needed - again try your best to stay out of the data mining aspects of this. Here’s how you get the data out of the restored location so that you can hand it over to someone else.

Configure a directory location on the local PC or external drive specific to each requested user. Perform a "Hit the Road" to the local PC or external drive, selecting all data and specifying the directory for the user account that is currently open. This brings all of the data to the local PC.