How to set up user rights/permissions for Backup Exec Service Account (BESA)

Article: TECH184449  |  Created: 2012-03-21  |  Updated: 2013-06-25
Article Type
Technical Solution



How to set up user rights/permissions for BESA


What permissions are required for the Backup Exec account to perform an Exchange backup?


The BE Support Tool can assist in verifying permissions and the Backup Exec Exchange account.

1. The password stored for the Backup Exec System Logon Account (network > logon accounts) and/or the Backup Exec Service Account (BESA) (Tools > Backup Exec services > Services Credentials) must match the password set in Active Directory.

2. Check all the basic Backup Exec permissions. This can be done with the Group Policy Management Console on a domain controller or with Local Security Policy on the media server. If the local policies are locked out by a Group Policy, the permissions must be added with the Group Policy Management Console on the domain controller.

  • Act as part of the operating system  
  • Backup files and directories
  • Create a token object
  • Log on as a batch job
  • Log on as a service 
  • Manage auditing and security log (BE 2010 R3 and later)
  • Restore files and directories
  • Take ownership of files and other objects
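
One way to check the rights listed in step 2 for a single account, as an added example that is not part of the original article or the BE Support Tool. It parses the [Privilege Rights] section of a secedit user-rights export and reports which required rights the given principals do not hold; the function name Get-MissingBesaRight and the sample SIDs are assumptions made for illustration, and group membership is not expanded.

```powershell
# Added example. Keys are the Windows constant names for the rights in step 2;
# values repeat the labels used in the list above.
$RequiredRights = [ordered]@{
    SeTcbPrivilege           = 'Act as part of the operating system'
    SeBackupPrivilege        = 'Backup files and directories'
    SeCreateTokenPrivilege   = 'Create a token object'
    SeBatchLogonRight        = 'Log on as a batch job'
    SeServiceLogonRight      = 'Log on as a service'
    SeSecurityPrivilege      = 'Manage auditing and security log'
    SeRestorePrivilege       = 'Restore files and directories'
    SeTakeOwnershipPrivilege = 'Take ownership of files and other objects'
}

# Hypothetical helper: returns the required rights that none of $Principals holds.
function Get-MissingBesaRight {
    param(
        [string[]]$InfLines,                          # lines of a secedit export
        [Parameter(Mandatory)][string[]]$Principals   # SIDs or names to accept
    )
    $granted = @{}
    foreach ($line in $InfLines) {
        # Entries look like: SeBackupPrivilege = *S-1-5-32-544,DOMAIN\user
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $granted[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    foreach ($right in $RequiredRights.Keys) {
        $holders = @($granted[$right])
        if (-not ($Principals | Where-Object { $holders -contains $_ })) {
            [pscustomobject]@{ Right = $right; Policy = $RequiredRights[$right] }
        }
    }
}

# Constructed sample export; the SID ending in -1105 stands in for the BESA.
$besa = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sample = @(
    '[Privilege Rights]'
    "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*$besa"
    "SeRestorePrivilege = *S-1-5-32-544,*$besa"
    "SeServiceLogonRight = *$besa"
    "SeBatchLogonRight = *S-1-5-32-544,*$besa"
    'SeSecurityPrivilege = *S-1-5-32-544'
    'SeTakeOwnershipPrivilege = *S-1-5-32-544'
)
Get-MissingBesaRight -InfLines $sample -Principals $besa | Format-Table -AutoSize
```

On a live media server, produce the input from an elevated prompt with `secedit /export /cfg <file> /areas USER_RIGHTS` and pass `Get-Content <file>` as `-InfLines`. Add group SIDs such as `S-1-5-32-544` (Administrators) to `-Principals` if rights granted through group membership should count.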


The Backup Exec account must have the following permissions for backing up Exchange:

1. The account must hold the top-level Exchange administrative role for the Exchange version in use: Exchange Full Administrator (Exchange 2003), Exchange Organization Administrator (Exchange 2007), or Organization Management (Exchange 2010).

2. The account must be a Domain Administrator. (Recommended; ensure that Domain Admins is a member of the local Administrators group on the Exchange server.)

3. The account must have an active mailbox on the Exchange Server.

4. The account must have received an e-mail via the mailbox.

5. The account must have sent an e-mail via the mailbox.

6. The account must be named so that it is unique within 5 characters. (Refer to the TechNote below for steps to test this).

7. The account must be visible to the Global Address List, not hidden.

8. Make sure the default system logon account of Backup Exec and the Backup Exec Service Account are the same.

How to confirm that an Exchange mailbox name is unique within the Exchange organization when configuring Backup Exec to back up Exchange mailboxes

From the Backup Exec console, click Network -> Logon Account and ensure that a System Logon Account is present. If not, create a System Logon Account by clicking the System Account button.

For assistance on this task:


Article URL
