Minimal Permissions Required for Backing Up Exchange Server Versions 2010, 2013, 2016 and 2019


Article: 100011017
Last Published: 2019-03-14
Product(s): Backup Exec

Problem

For larger organizations with root and child domains, it may not be desirable to give the Exchange Organization Management role to the account used to back up Exchange. For this purpose, we have provided the means to assign the minimal permissions needed to successfully back up the Exchange databases.

 

Solution

A. Granting minimal permissions for a user account to perform non-GRT database backups and restores of Exchange Servers

B. Granting minimal permissions for a user account to perform GRT backups and restores of Exchange Servers

 

 

 

A. For non-GRT database backups and restores of Exchange Server:

Minimal permissions can be granted for a user account (logon account) that allows a user to perform Exchange database backups.

To grant minimal permissions for a user account to perform database backups and restores of Exchange Server Mailbox Databases:

1. Make sure that the user account is a member of the local Administrators group on all Exchange servers.

2. Do one of the following 2 steps to assign the user account roles:

2-a) Assign the user account the following roles using the Exchange Management Console / Exchange Admin Center:

  • Public Folder Management
  • Recipient Management
  • Server Management
     

2-b) Assign the user account the following roles using the Exchange Management Shell:

  • Type the following command:
    New-RoleGroup -Name <role group name> -Roles @("Database Copies","Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients", "Recipient Policies", "Mail Enabled Public Folders","Public Folders")
    Note: <role group name> is the name of the new role group (for example, BackupExecRoles).
     
  • Type the following command:
    Add-RoleGroupMember -Identity <role group name> -Member <name of the user account>
    Note: <role group name> is the same as in the command above, and <name of the user account> is the name of the account used as the logon account to back up Exchange.

 

B. For GRT backups and restores of Exchange Servers:

Minimal permissions can be granted to the logon account (the same account as above) to ensure Granular Recovery Technology (GRT) support on an Exchange Server.

To grant permissions for a user account to support Granular Recovery Technology on a Microsoft Exchange 2010 Server, do the following in addition to the steps listed above:

  1. Create a mailbox for the user account, if it does not already have one.
  2. Go to the Exchange Management Shell and follow the steps listed below:
  • Type the following command:
    New-ManagementRole -Name "VeritasEWSImpersonationRole" -Parent ApplicationImpersonation
    Note: The command may report that this role already exists. If so, move to the next step.
     
  • Type the following command:
    New-ManagementRoleAssignment -Role "<management role name>" -User <user name> -Name "<assignment name>"
    For example:
    New-ManagementRoleAssignment -Role "VeritasEWSImpersonationRole" -User BackupExecUser -Name "BackupExecUser-EWSImpersonation"
  • Type the following command:
    New-ThrottlingPolicy -Name "<throttling policy name>" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSMaxSubscriptions $null
    For example (Exchange 2010):
    New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSPercentTimeInCAS $null -EWSPercentTimeInAD $null -EWSPercentTimeInMailboxRPC $null

    For example (Exchange 2013,2016,2019):
    New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null

 

  • Type the following command:
    Set-Mailbox -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
    For example:
    Set-Mailbox -Identity BackupExecUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
  • Type the following command:
    Set-ThrottlingPolicyAssociation -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
    For example:
    Set-ThrottlingPolicyAssociation -Identity BackupExecUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
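
To confirm that the logon account ended up with the documented roles and nothing broader (for example, through a leftover Organization Management membership), the following check can be run in the Exchange Management Shell. It is an added example, not part of the original article or of Backup Exec. It assumes the Exchange Management Shell route in step 2-b of section A was used, together with the article's example names (BackupExecUser, VeritasEWSImpersonationRole, VeritasEWSRestoreThrottlingPolicy).

```powershell
# Added example. Run in the Exchange Management Shell after sections A (2-b) and B.
# Names are the article's example values; change them to match your environment.
$User    = 'BackupExecUser'
$Policy  = 'VeritasEWSRestoreThrottlingPolicy'
$ImpRole = 'VeritasEWSImpersonationRole'

# Roles granted by the article's New-RoleGroup command, plus the GRT impersonation role.
$Expected = @('Database Copies','Databases','Exchange Servers','Monitoring',
              'Mail Recipient Creation','Mail Recipients','Recipient Policies',
              'Mail Enabled Public Folders','Public Folders', $ImpRole)

# Every role that reaches the account, directly or through any role group.
# Assumption: EffectiveUserName matches the account's Name attribute.
$effective = Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $User }
$actual = @($effective | ForEach-Object { [string]$_.Role } | Sort-Object -Unique)

$findings = @()

# Missing roles break backups; extra roles defeat the point of minimal permissions.
foreach ($r in $Expected) {
    if ($actual -notcontains $r) { $findings += "MISSING role: $r" }
}
foreach ($r in $actual) {
    if ($Expected -notcontains $r) {
        $via = ($effective | Where-Object { [string]$_.Role -eq $r } |
                ForEach-Object { $_.RoleAssigneeName } | Sort-Object -Unique) -join ', '
        $findings += "EXTRA role: $r (via $via)"
    }
}

# Section B: the account needs a mailbox with the throttling policy attached.
$mbx = Get-Mailbox -Identity $User -ErrorAction SilentlyContinue
if (-not $mbx) {
    $findings += 'MISSING mailbox for the logon account'
} elseif ([string]$mbx.ThrottlingPolicy -ne $Policy) {
    $findings += "Throttling policy is '$($mbx.ThrottlingPolicy)', expected '$Policy'"
}

if ($findings.Count -eq 0) { "OK: $User matches the documented minimal permissions" }
else { $findings }
```

Each EXTRA line names the role group or assignee that grants the role, which shows where to remove the account if the grant is not intended.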


Exchange Server PowerShell reference article

 

 

References

Etrack : 2704544
