Help Center
Choose product document...
Veeam Backup & Replication 9.5
Veeam Backup Explorers User Guide

Required Permissions

This section describes permissions and access rights required for correct operation of Veeam Explorer for Microsoft Exchange used as part of Veeam Backup & Replication. Permissions and access rights required for the Veeam Explorer operation as part of Veeam Backup for Microsoft Office are described here.

  1. The account under which you run Veeam Explorer for Microsoft Exchange requires Read and Write permissions to all files in a folder with the Exchange mailbox database.
  2. To restore folder(s)/item(s) to Microsoft Exchange server, the account used for connection to that server will need sufficient access rights, as described below. They can be granted using the following methods: through impersonation, or by providing such a user with Full Access to the mailbox.

Required Permissions Important!

Consider the following:

  • If the account you plan to use for the restore owns a mailbox on the target Microsoft Exchange server, then you can use any method (impersonation or mailbox access provisioning).
  • If the account you plan to use for the restore does not own a mailbox on the target Microsoft Exchange server, then access rights must be granted using Exchange impersonation.

Restore to a Public Folder

  1. The account that is used for restore to a public folder should own a mailbox on target Microsoft Exchange server.
  2. This account should have an Organization Management role on target Microsoft Exchange server. It can be assigned, for example, by running the following Exchange Management PowerShell cmdlet:

Add-RoleGroupMember “Organization Management” –Member “<user_account>”

To restore In-Place Hold Items public folder to the original location:

  • If the In-Place Hold Items folder already exists, the user account that will be used for restore should have permissions to create, modify and delete items in it. To grant the required permissions, do the following in the Exchange admin center:
  1. In the feature pane on the left, select public folders, then select the In-Place Hold Items folder in the list and click Manage on the right.
  2. In the dialog displayed, make sure the required account is assigned Publishing Editor set of permissions for that folder.
  • If that folder does not exist, then the user account should have permissions to create folders under the All Public Folders (root node). For that, do the following:
  1. In the Exchange admin center select public folders, then click the button to set the root node permissions for the required user account.
  2. Make sure that Permission level is set to Custom, and select Create subfolders, Folder visible permissions.

Restore to a Mailbox

To restore to a mailbox, account used to connect to target should have corresponding access rights:

  • If you plan to use the account that owns a mailbox on target Microsoft Exchange server, make sure it has Full Access for that mailbox.
    Full Access can be granted, for example, through impersonation or through rights assignment with the following cmdlet:

Add-MailboxPermission –Identity “<target_mailbox>” -User “<user_account>” -AccessRights FullAccess –InheritanceType All

  • If you plan to use the account that does not own a mailbox on target Microsoft Exchange server (for example, a service account), then access rights for target mailbox should be granted through Exchange impersonation.
    For example, you can run the following cmdlet:

New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]

  • After you recover items back to the target mailbox, you may recall the assignment by using either of the following cmdlets:

Remove-ManagementRoleAssignment <role_name>

Remove-ManagementRoleAssignment -Identity <role_name>

Example

The following cmdlet shows how you can narrow the group of users who will be assigned the appropriate role to access the target mailbox at restore. For that, it uses the CustomRecipientScope parameter, with sample Organizational Unit specified as the scope:

New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"

Required Permissions Note:

For more details on impersonation, please refer to MSDN (http://msdn.microsoft.com/en-us/library/bb204095.aspx).

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Agent Management Guide

Veeam Backup Explorers User Guide

PowerShell Reference

RESTful API Reference

Veeam Backup FREE Edition User Guide

Veeam Backup for Microsoft Office 365

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation