Minimal Permissions Required for Backing Up Microsoft Exchange 2010 and Microsoft Exchange 2013

Article:TECH212113  |  Created: 2013-10-31  |  Updated: 2014-07-17  |  Article URL http://www.symantec.com/docs/TECH212113
Article Type: Technical Solution
Issue



For larger organizations it may not be desirable to give the Exchange Organization Management role to the account used to back up Exchange. Starting with Backup Exec 2012 SP3 and Backup Exec 2010 R3 SP4, we provide a means to assign only the minimal permissions needed to back up the Exchange databases successfully.

 


Environment



Microsoft Exchange 2010 and Microsoft Exchange 2013
Backup Exec 2012 SP3
Backup Exec 2010 R3 SP4

Note: Backup Exec 2010 R3 does not have support for Exchange 2013. Exchange 2013 is supported only with Backup Exec 2012 SP2 and later versions.

 


Solution



A. Granting minimal permissions for a user account to perform non-GRT database backups and restores of Exchange Servers

B. Granting minimal permissions for a user account to perform GRT backups and restores of Exchange Servers

 

 

 

A. For non-GRT database backups and restores of Exchange Server:

Minimal permissions can be granted to a user account (logon account) so that it can perform Exchange database backups.

To grant minimal permissions for a user account to perform database backups and restores of a Microsoft Exchange 2010/2013 Server, do one of the following 2 steps:

1. Make sure that the user account is a member of the local Administrators group on all Exchange servers.

2. Assign the user account the following roles using the Exchange Management Console / Exchange Admin Center:

  • Public Folder Management
  • Recipient Management
  • Server Management
     

3. Assign the user account the following roles using the Exchange Management Shell:

  • Type the following command:
    New-RoleGroup -Name <role group name> -Roles @("Database Copies","Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients", "Recipient Policies", "Mail Enabled Public Folders","Public Folders")
    Note: <role group name> is the name of the new role group (for example, BackupExecRoles).

  • Type the following command:
    Add-RoleGroupMember -Identity <role group name> -Member <name of the user account>
    Note: <role group name> is the same name used in the command above, and <name of the user account> is the name of the logon account used to back up Exchange.

 

B. For GRT backups and restores of Exchange Servers:

Minimal permissions can also be granted to the logon account so that it supports Granular Recovery Technology (GRT) on an Exchange Server.

To grant permissions for a user account to support Granular Recovery Technology on a Microsoft Exchange 2010 Server, do the following in addition to the steps listed above.

  1. Create a mailbox for the user account.
  2. Go to the Exchange Management Shell and follow the steps listed below:
  • Type the following command:
    New-ManagementRole -Name "SymantecEWSImpersonationRole" -Parent ApplicationImpersonation

     
  • Type the following command:
    New-ManagementRoleAssignment -Role "<management role name>" -User <user name> -Name "<assignment name>"
    For example:
    New-ManagementRoleAssignment -Role "SymantecEWSImpersonationRole" -User BackupExecUser -Name "BackupExecUser-EWSImpersonation"
     
  • Type the following command:
    New-ThrottlingPolicy -Name "<throttling policy name>" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSMaxSubscriptions $null
    For example:
    New-ThrottlingPolicy -Name "SymantecEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSPercentTimeInCAS $null -EWSPercentTimeInAD $null -EWSPercentTimeInMailboxRPC $null
     
  • Type the following command:
    Set-Mailbox -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
    For example:
    Set-Mailbox -Identity BackupExecUser -ThrottlingPolicy "SymantecEWSRestoreThrottlingPolicy"
     
  • Type the following command:
    Set-ThrottlingPolicyAssociation -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
    For example:
    Set-ThrottlingPolicyAssociation -Identity BackupExecUser -ThrottlingPolicy "SymantecEWSRestoreThrottlingPolicy" 
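
The following audit script is an added example, not part of the original article or of Backup Exec. It compares the management roles effectively assigned to the backup logon account against the role lists in sections A and B and reports missing or extra roles. The helper name Compare-BackupRoles and the sample input are assumptions; BackupExecUser is the example account name used above.

```powershell
# Added example: baseline role names are the ones listed in sections A and B above.
$NonGrtRoles = @('Database Copies', 'Databases', 'Exchange Servers', 'Monitoring',
                 'Mail Recipient Creation', 'Mail Recipients', 'Recipient Policies',
                 'Mail Enabled Public Folders', 'Public Folders')
$GrtRoles    = @('SymantecEWSImpersonationRole')   # custom role created in section B

function Compare-BackupRoles {
    # Hypothetical helper: diff an account's effective roles against the baseline.
    param(
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][string[]]$AssignedRoles,
        [switch]$Grt
    )
    $expected = $NonGrtRoles
    if ($Grt) { $expected = $expected + $GrtRoles }
    $assigned = @($AssignedRoles | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Missing = @($expected | Where-Object { $assigned -notcontains $_ })
        Extra   = @($assigned | Where-Object { $expected -notcontains $_ })
    }
}

if (Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue) {
    # In the Exchange Management Shell, -RoleAssignee returns direct assignments
    # and those inherited through role groups or assignment policies.
    $account = 'BackupExecUser'   # example account name from the article
    $roles = @(Get-ManagementRoleAssignment -RoleAssignee $account |
               ForEach-Object { [string]$_.Role })   # assumes Role renders as the role name
} else {
    # Constructed sample for running outside Exchange: one baseline role is
    # missing and one unrelated built-in role has been granted.
    $roles = @($NonGrtRoles | Where-Object { $_ -ne 'Monitoring' }) + 'Role Management'
}

$result = Compare-BackupRoles -AssignedRoles $roles -Grt
'Missing: ' + ($result.Missing -join ', ')
'Extra:   ' + ($result.Extra -join ', ')
```

Roles inherited from the mailbox's role assignment policy may appear under Extra for a mailbox-enabled account; review them rather than treating them as errors.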

 
 

Exchange 2013 GRT support has been added in Backup Exec 2014. GRT of Exchange 2013 is not supported by BE 2012. To recover individual mailboxes and messages from a full non-GRT Exchange database backup in Backup Exec 2012, see the following article for details: http://www.symantec.com/docs/TECH77853

 


Supplemental Materials

Source: ETrack
Value: 2704544
Description: What are the least privileges actually needed to do mailbox/mailbox item restore



