How to setup user rights/permissions for BESA
What permissions are required for the Backup Exec account to perform Exchange backup.
Veritas QuickAssist (VQA) can assist in verifying permissions and the Backup Exec Exchange account.
1. The password for the Backup Exec System Logon Account (Configuration and Settings | Logon Accounts | Manage Logon Accounts or, pre-Backup Exec 2012, Network | Logon accounts) and/or the Backup Exec Service Account (BESA) (Configuration and Settings | Backup Exec Services | Edit Credentials or, pre-Backup Exec 2012, Tools | Backup Exec services | Services Credentials) need to match the password set in Active Directory.
2. Check all the basic Backup Exec permissions, this can be done with Group Policy Management Console on a domain controller or Local Security Policy on the Media server. If the Local Policies are locked out by a Group Policy, the permissions will need to be added with the Group Policy Management Console at the domain controller.
- Act as part of the operating system
- Backup files and directories
- Create a token object
- Log on as a batch job
- Log on as a service
- Manage auditing and security log (BE 2010 R3 and later)
- Restore files and directories
- Take ownership of files and other objects
- On the local machine Press the Windows logo key + R to open the RUN dialogue
- Type gpedit.msc in the text box, and then click OK or press ENTER
- Browse to "\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment" and add the user to each policy listed above
- On the Domain controller Press the Windows logo key + R to open the RUN dialogue
- Type gpmc.msc in the text box, and then click OK or press ENTER
- Right click and select Edit... for the group policy the machine is in.
- Browse to \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and add the user to each policy listed above
The Backup Exec account must have following permissions for backing up Exchange:
1. The account must be an Exchange Full Administrator (Exchange 2003), Exchange Organization Administrator (Exchange 2007), and Organization Management (Exchange 2010) at the top level of Exchange.
2. The account must be a Domain Administrator. (Recommended, ensure that Domain Admins is a member of the Local Administrator's group on the Exchange Server)
3. The account must have an active mailbox on the Exchange Server.
4. The account must have received an e-mail via the mailbox.
5. The account must have sent an e-mail via the mailbox.
6. The account must be named so that it is unique within 5 characters. (Refer to the TechNote below for steps to test this).
7. The account must be visible to the Global Address List, not hidden.
8. Make sure the default system logon account of Backup Exec and Backup Exec Service Account are the same.
How to confirm that an Exchange mailbox name is unique within the Exchange organization when configuring Backup Exec to back up Exchange mailboxes
From Backup Exec console Click Network -> Logon Account, ensure that a System Logon Account is present. If not create a System Logon Account by clicking the System Account button.
For assistance on this task: http://www.symantec.com/docs/TECH85944