Truncate Exchange logs, what type of permission?

[jweave]

I am looking to enable Application Aware on our exchange server, so we can truncate the logs. I would like to set up a user account to be able to handle that request. What type of permissions does that account need to have in order to process that?

Thanks

[foggy]

Account with local administrator rights is required.

[jweave]

Thanks for the quick reply. I did create a local account that has local admin rights, as well as verifying it. I am trying to log in as ComputerName\UserName with the password, and I am getting a "Do not have access rights" during the credential test. The user is a part of the local admin group too.

[alanbolte]

If this is your first time using the credentials tester, the output might be a little unclear. Does it show status for the VM in the left-hand column as 'warning' or 'error'? 'Warning' is more or less normal, because if you look closely there are two tests - connecting to guest OS via RPC, and connecting to guest OS via VIX. You only need one connection method for AAIP to work, but you get a warning from the tester if they don't both work.

"Do not have access rights" sounds like VIX isn't working.
RPC requires network connectivity from the backup server to the guest OS, as well as local administrator rights.
VIX does not require network connectivity, but requires either that UAC is completely disabled or that you specifically use the named "Administrator" account with SID ending in -500; in some cases you have to use that account regardless of UAC.

Note that you can use domain accounts, they just have to have appropriate local permissions.

[LMS]

Hi,

Case #0244235

We are trying to provide the lease required permission for Exchange 2016 application aware backup and restore process.

We created a new role group with roles ApplicationImpersonation, View-Only Configuration & View-Only recipients. As of now for testing the backup, we created a dedicated account and added to the newly created Role group as well with Organization management role group. Also added this account to local administrators group on both the Exchange 2016 MB servers.

With security point of view , here do we need to provide all the above mentioned permissions with the account used for application aware backup? Shall we remove the permission Organization management Role group for this account or it’s required? Also what about local admin privilege for this account?

Do we get a KB article / recommendation describing the required permissions for Exchange application aware backup?

Thanks in advance

[PTide]

Hi,

Account with local administrator rights is required for AAIP to succeed.

As for restore:

Full access to Microsoft Exchange database and its log files for item recovery. The account you plan to use for recovery should have both read and write permissions to all files in the folder with the database.

Also, it seems that your support case number is missing one digit, would you double-check that please?

Thanks