Problem
For larger organizations with root and child domains it may not be desirable to give Exchange Organization Management role to the account used to backup Exchange. For this purpose we have provided the means to assign the minimal permissions needed to successfully backup the Exchange databases.
Solution
A. For non-GRT database backups and restores of Exchange Server:
Minimal permissions can be granted to a user account (the logon account) that allow it to perform Exchange database backups.
To grant minimal permissions for a user account to perform database backups and restores of Exchange Server mailbox databases, do the following:
1. Make sure that the user account is part of local administrator groups on all Exchange servers.
2. Do one of the following to assign roles to the user account:
2-a) Assign the user account the following roles using the Exchange Management Console / Exchange Admin Center:
- Public Folder Management
- Recipient Management
- Server Management
2-b) Assign the user account the following roles using the Exchange Management Shell:
- Type the following command:
New-RoleGroup -Name <role group name> -Roles @("Database Copies","Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients", "Recipient Policies", "Mail Enabled Public Folders","Public Folders")
Note: Where <role group name> is the name of the new role group (Ex. BackupExecRoles).
- Type the following command:
Add-RoleGroupMember -Identity <role group name> -Member <name of the user account>
Note: Where <role group name> is the same as in the command above and <name of the user account> is the name of the account used as the logon account to back up Exchange.
B. For GRT backups and restores of Exchange Servers:
Minimal permissions can be granted to the logon account (the same account as above) that ensure Granular Recovery Technology (GRT) support on an Exchange Server.
To grant permissions for a user account to support Granular Recovery Technology on a Microsoft Exchange 2010 Server, do the following in addition to the steps listed above:
- Create a mailbox for the user account, if it does not already have one
- Go to the Exchange Management Shell and follow the steps listed below:
- Type the following command:
New-ManagementRole -Name "VeritasEWSImpersonationRole" -Parent ApplicationImpersonation
Note: The command may report that this role already exists; if so, move on to the next step.
- Type the following command:
New-ManagementRoleAssignment -Role "<management role name>" -User <user name> -Name "<assignment name>"
For example:
New-ManagementRoleAssignment -Role "VeritasEWSImpersonationRole" -User BackupExecUser -Name "BackupExecUser-EWSImpersonation"
- Type the following command:
New-ThrottlingPolicy -Name "<throttling policy name>" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSMaxSubscriptions $null
For example (Exchange 2010):
New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSPercentTimeInCAS $null -EWSPercentTimeInAD $null -EWSPercentTimeInMailboxRPC $null
For example (Exchange 2013,2016,2019):
New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null
- Type the following command:
Set-Mailbox -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
For example:
Set-Mailbox -Identity BackupExecUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
- Type the following command:
Set-ThrottlingPolicyAssociation -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
For example:
Set-ThrottlingPolicyAssociation -Identity BackupExecUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
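The following script is an added example, not part of the original article or of Veritas' own tooling: it applies sections A and B from the Exchange Management Shell in an idempotent way (re-runnable without "already exists" errors), picks the throttling parameters by Exchange version, and finishes by checking that the account did not end up in Organization Management. The role group, user and policy names are assumed placeholders taken from the examples above; the version detection reads the first server returned by Get-ExchangeServer and assumes a single-version organization.

```powershell
# Added example (not from the original article). Assumed names, adjust as needed:
$RoleGroup = "BackupExecRoles"                 # role group from the Ex. above
$User      = "BackupExecUser"                  # backup logon account
$ImpRole   = "VeritasEWSImpersonationRole"
$Policy    = "VeritasEWSRestoreThrottlingPolicy"

# --- Section A: scoped role group instead of Organization Management ---------
$Roles = @("Database Copies","Databases","Exchange Servers","Monitoring",
           "Mail Recipient Creation","Mail Recipients","Recipient Policies",
           "Mail Enabled Public Folders","Public Folders")
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $Roles | Out-Null
}
if (-not (Get-RoleGroupMember -Identity $RoleGroup | Where-Object { $_.Name -eq $User })) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $User
}

# --- Section B: GRT prerequisites (mailbox, impersonation, throttling) --------
if (-not (Get-Mailbox -Identity $User -ErrorAction SilentlyContinue)) {
    throw "$User has no mailbox; create one first (first step of section B)."
}
# New-ManagementRole fails when the role already exists, so test for it first
if (-not (Get-ManagementRole -Identity $ImpRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $ImpRole -Parent ApplicationImpersonation | Out-Null
}
if (-not (Get-ManagementRoleAssignment -Role $ImpRole -RoleAssignee $User -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $ImpRole -User $User -Name "${User}-EWSImpersonation" | Out-Null
}
# Throttling parameters differ by version: 14.x = Exchange 2010, 15.x = 2013/2016/2019
# (assumption: all servers run the same version, so the first one is representative)
$major = (Get-ExchangeServer | Select-Object -First 1).AdminDisplayVersion.Major
if (-not (Get-ThrottlingPolicy -Identity $Policy -ErrorAction SilentlyContinue)) {
    $params = @{ Name = $Policy; EWSMaxConcurrency = $null; PowerShellMaxConcurrency = $null }
    if ($major -eq 14) {
        $params += @{ EWSPercentTimeInCAS = $null; EWSPercentTimeInAD = $null; EWSPercentTimeInMailboxRPC = $null }
    }
    New-ThrottlingPolicy @params | Out-Null
}
Set-Mailbox -Identity $User -ThrottlingPolicy $Policy
Set-ThrottlingPolicyAssociation -Identity $User -ThrottlingPolicy $Policy

# --- Verification: the point of the article is to avoid Organization Management
if (Get-RoleGroupMember -Identity "Organization Management" | Where-Object { $_.Name -eq $User }) {
    Write-Warning "$User is still a member of Organization Management; remove it to keep the scope minimal."
}
# List what the account actually holds so the result can be reviewed
Get-ManagementRoleAssignment -RoleAssignee $User | Select-Object Name, Role, RoleAssigneeType
```

Run it from the Exchange Management Shell as an administrator who can create role groups; in a mixed-version organization, set $major by hand for the version the backup server targets.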
Exchange Server PowerShell reference article