This section describes permissions and access rights required for correct operation of Veeam Explorer for Microsoft Exchange used as part of Veeam Backup & Replication. Permissions and access rights required for the Veeam Explorer operation as part of Veeam Backup for Microsoft Office are described here.
- The account under which you run Veeam Explorer for Microsoft Exchange requires Read and Write permissions to all files in a folder with the Exchange mailbox database.
- To restore folders or items to a Microsoft Exchange server, the account used to connect to that server needs sufficient access rights, as described below. These rights can be granted through impersonation or by giving the account Full Access to the mailbox.
Consider the following:
Restore to a Public Folder
- The account that is used for restore to a public folder should own a mailbox on the target Microsoft Exchange server.
- This account should have the Organization Management role on the target Microsoft Exchange server. It can be assigned, for example, by running the following Exchange Management PowerShell cmdlet:
Add-RoleGroupMember "Organization Management" -Member "<user_account>"
To restore the In-Place Hold Items public folder to the original location:
- If the In-Place Hold Items folder already exists, the user account that will be used for restore should have permissions to create, modify and delete items in it. To grant the required permissions, do the following in the Exchange admin center:
  - In the feature pane on the left, select public folders, then select the In-Place Hold Items folder in the list and click Manage on the right.
  - In the dialog displayed, make sure the required account is assigned the Publishing Editor set of permissions for that folder.
- If that folder does not exist, the user account should have permissions to create folders under All Public Folders (the root node). To grant them, do the following:
  - In the Exchange admin center, select public folders, then click the … button to set the root node permissions for the required user account.
  - Make sure that Permission level is set to Custom, and select the Create subfolders and Folder visible permissions.
Restore to a Mailbox
To restore to a mailbox, the account used to connect to the target server should have the corresponding access rights:
- If you plan to use an account that owns a mailbox on the target Microsoft Exchange server, make sure it has Full Access for that mailbox.
Full Access can be granted, for example, through impersonation or through rights assignment with the following cmdlet:
Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All
- If you plan to use an account that does not own a mailbox on the target Microsoft Exchange server (for example, a service account), then access rights for the target mailbox should be granted through Exchange impersonation.
For example, you can run the following cmdlet:
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]
To remove the assignment after the items are restored to the target mailbox, you can run the following cmdlet:
Remove-ManagementRoleAssignment -Name "<role_name>"
The following cmdlet shows how you can narrow the group of users whose mailboxes the role assignment applies to at restore. To do that, it uses the CustomRecipientScope parameter, with a sample Organizational Unit specified as the scope:
New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
For more details on impersonation, please refer to MSDN (http://msdn.microsoft.com/en-us/library/bb204095.aspx).
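
The grants described in this section are broad, so it is worth confirming after a restore which of them the restore account still holds. The following Exchange Management Shell function is an added example, not part of the Veeam documentation; the function name, the output fields and the assumption that the account is passed by its Name are illustrative.

```powershell
# Added example: run in the Exchange Management Shell after a restore.
# Reports impersonation, Full Access and Organization Management grants
# that the restore account still holds. Read-only: nothing is changed.
function Get-RestoreAccessLeftovers {
    param(
        [Parameter(Mandatory)] [string]   $Account,      # assumed to be the account's Name
        [string[]]                        $Mailbox = @() # mailboxes that were restore targets
    )

    # ApplicationImpersonation assignments that apply to the account.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Account |
        ForEach-Object {
            [pscustomobject]@{
                Grant  = 'ApplicationImpersonation'
                Target = $_.Name
                Scope  = if ($_.CustomRecipientWriteScope) { "$($_.CustomRecipientWriteScope)" }
                         else { "$($_.RecipientWriteScope)" }
                # An Organization write scope means no recipient restriction:
                # every mailbox in the organization can be impersonated.
                Broad  = ("$($_.RecipientWriteScope)" -eq 'Organization')
            }
        }

    # Explicit Full Access entries on each mailbox that was a restore target.
    foreach ($m in $Mailbox) {
        Get-MailboxPermission -Identity $m -User $Account |
            Where-Object { "$($_.AccessRights)" -match 'FullAccess' -and -not $_.Deny } |
            ForEach-Object {
                [pscustomobject]@{
                    Grant  = 'FullAccess'
                    Target = $m
                    Scope  = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
                    Broad  = $false
                }
            }
    }

    # Organization Management membership (needed only for public folder restore).
    Get-RoleGroupMember -Identity 'Organization Management' |
        Where-Object { $_.Name -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{ Grant = 'Organization Management'; Target = $_.Name
                               Scope = 'role group'; Broad = $true }
        }
}

# Usage (placeholders as used in this section):
# Get-RestoreAccessLeftovers -Account '<user_account>' -Mailbox '<target_mailbox>' | Format-Table
```

An empty result means none of the three grants remain; any row with Broad set to True is a candidate for removal or for a narrower scope.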