This section describes required permissions for user accounts to be used when restoring data.
- A user account which is used to run Veeam Explorer for Microsoft Exchange requires Read and Write permissions for all files in a folder with the Exchange mailbox database.
- To restore folders or items back to the Microsoft Exchange server, the account you are using requires sufficient access privileges.
These privileges can be granted either through impersonation or by giving a user Full Access.
Consider the following:
Restore to Public Folder
- The account must own a mailbox on a target Microsoft Exchange server.
- The account must have the Organization Management role on the target Microsoft Exchange server. This role can be assigned by using the following PowerShell cmdlet:
Add-RoleGroupMember "Organization Management" -Member "<user_account>"
To restore In-Place Hold Items public folder to the original location:
- If the In-Place Hold Items folder already exists, the user account that will be used for restore should have permissions to create, modify and delete items in it. To grant required permissions, do the following in the Exchange admin center:
  - In the feature pane on the left, select public folders, then select the In-Place Hold Items folder in the list and click Manage on the right.
  - In the dialog displayed, make sure the required account is assigned the Publishing Editor set of permissions for that folder.
- If that folder does not exist, the user account must have permissions to create folders under the All Public Folders (root node). For that, do the following:
  - In the Exchange admin center, select public folders, then click the … button to set the root node permissions for the required user account.
  - Make sure that Permission level is set to Custom and select the Create subfolders and Folder visible permissions.
Restore to a Mailbox
- If you plan to use an account that owns a mailbox on the target Microsoft Exchange server, make sure it has Full Access for that mailbox.
Full Access can be granted, for example, through impersonation or through rights assignment with the following cmdlet:
Add-MailboxPermission -Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess -InheritanceType All
- If you plan to use an account that does not own a mailbox on the target Microsoft Exchange server (for example, a service account), then access rights for the target mailbox should be granted through Exchange impersonation.
For example, you can run the following cmdlet:
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>" [-CustomRecipientScope "<scope>"]
- After you recover items back to the target mailbox, you may revoke the assignment by using either of the following cmdlets:
Remove-ManagementRoleAssignment -Identity <role_name>
The following cmdlet shows how to narrow the scope of the role assignment that is used to access the target mailbox at restore. It uses the CustomRecipientScope parameter, with a sample organizational unit specified as the scope:
New-ManagementRoleAssignment -Name "Exchange Test" -Role ApplicationImpersonation -User "Test User" -CustomRecipientScope "spain.local/TargetUsers"
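The grant, restore and revoke steps above can be combined so that impersonation exists only for the duration of one restore and covers only one mailbox. The script below is an added example, not part of the original documentation or of Veeam's tooling. It assumes it is run in the Exchange Management Shell; the parameter names and the `VeeamRestore-` naming prefix are placeholders, and it uses a named management scope created with New-ManagementScope rather than the organizational unit shown above.

```powershell
# Added example: time-boxed impersonation limited to a single target mailbox.
# Assumes the Exchange Management Shell; all names are placeholders.
param(
    [Parameter(Mandatory)] [string] $RestoreAccount,  # account used by the restore tool
    [Parameter(Mandatory)] [string] $TargetMailbox    # mailbox that items are restored to
)
$ErrorActionPreference = 'Stop'

# Resolve the mailbox first so that a typo fails before anything is granted.
$mbx = Get-Mailbox -Identity $TargetMailbox
$tag = 'VeeamRestore-{0}-{1:yyyyMMddHHmmss}' -f $mbx.Alias, (Get-Date)

# Build a filter that matches only this mailbox. Single quotes in the DN are
# doubled so that they cannot terminate the filter string early.
$dn = $mbx.DistinguishedName -replace "'", "''"
$filter = "DistinguishedName -eq '$dn'"

$scopeCreated = $false
$roleCreated  = $false
try {
    New-ManagementScope -Name $tag -RecipientRestrictionFilter $filter | Out-Null
    $scopeCreated = $true

    New-ManagementRoleAssignment -Name $tag -Role ApplicationImpersonation `
        -User $RestoreAccount -CustomRecipientScope $tag | Out-Null
    $roleCreated = $true

    Read-Host "Impersonation granted on $($mbx.PrimarySmtpAddress). Run the restore, then press Enter to revoke"
}
finally {
    # Revoke in reverse order, even if the grant or the restore failed part-way.
    if ($roleCreated)  { Remove-ManagementRoleAssignment -Identity $tag -Confirm:$false }
    if ($scopeCreated) { Remove-ManagementScope -Identity $tag -Confirm:$false }
}

# List any impersonation assignments the account still holds after cleanup.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $RestoreAccount |
    Select-Object Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
```

An empty result from the final query means the restore account no longer holds any ApplicationImpersonation assignment; any row that remains was granted outside this script and should be reviewed separately.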