Comprehensive data protection for all workloads
Post Reply
d.artzen
Enthusiast
Posts: 96
Liked: 40 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Needed Permissions for restore of a folder in an Exchange Mailbox

Post by d.artzen »

Hello together,

I have a short question about the needed permissions to restore elements of an Exchange 2019 Mailbox. The Exchange is on a VMware VM. One of our users had "misplaced" a folder in a group mailbox, so I was asked to restore it from backup. Not a problem, since in the last backup it was still there. This Mailbox was not created as a shared mailbox, it is a normal one and the users that work with this are given "Full-Access" Rights. So when I selected "restore to" I gave the requested information and was then asked for credentials. But it would not connect with our domain admin account, I had to use the credentials for the mailbox itself (which I fortunately knew). I find this strange, since Veeam was able to do a backup with the domain admin credentials (given in the job for Application Aware Processing and I could open it in Veeam Explorer for Exchange just fine.

So the question is, would the domain admin also need to have "Full-Access" Permissions for all the Mailboxes for this kind of restore or is there any kind of option that I am missing here?

Thanks in Advance for your help.
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Needed Permissions for restore of a folder in an Exchange Mailbox

Post by Mildur »

Hi Daniel

When you do the backup, permissions for the mailboxes are not required, because we just backup blocks from the disk and do not communicate with the exchange server for reading the data. We don't need to access the mailbox content for the backup.
We just use local admin permissions to deploy our little runtime agent for application aware processing and perform the log truncation after the backup was done.

When you do the restore, we must write content into the mailbox. So permission is required todo that.

There are two ways.
Either the provided credentials have full access to the mailbox or the provided credentials has the "application impersonation"-role.

Thanks
Fabian
Product Management Analyst @ Veeam Software
d.artzen
Enthusiast
Posts: 96
Liked: 40 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: Needed Permissions for restore of a folder in an Exchange Mailbox

Post by d.artzen »

Hi Fabian,

thank you for the fast reply and the information. That explains a lot, until now I don't think we ever had to do a restore of Items in a Mailbox, so this is not implemented at the moment.

Best regards
Daniel
d.artzen
Enthusiast
Posts: 96
Liked: 40 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: Needed Permissions for restore of a folder in an Exchange Mailbox

Post by d.artzen »

Hi Fabian,

I have now created a specific account "mailrestore" and configured the application impersonation role as described in the linked article. Works good.
Just one thing I am unsure: In the Veeam Explorer for Exchange there is the option "compare with production". If I chose that it first tries the connection with "domain credentials" (I guess the domain admin but not sure since it does not show any further information) and then I get an "Authentication failed" error. If I confirm that error, I am asked for credentials, where I can then enter the account I gave the role. It then works, but is there an option to save this credentials in Veeam, so it uses these instead of others? Or is this indeed the desired behaviour?

Thanks for your help.

Best regards
Daniel
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Needed Permissions for restore of a folder in an Exchange Mailbox

Post by Mildur »

Hi Daniel

I'm glad you find a way for your environment.
Veeam Explorers uses the currently logged-in user account as the default user to authenticate against the exchange server. You should see the username and domain/hostname in the Wizard.

I checked for any registry value, but the default selection cannot be changed. The credentials must be provided each time you start a comparison.

Thanks
Fabian
Product Management Analyst @ Veeam Software
d.artzen
Enthusiast
Posts: 96
Liked: 40 times
Joined: Jan 14, 2022 9:16 am
Full Name: Daniel Artzen
Location: Germany
Contact:

Re: Needed Permissions for restore of a folder in an Exchange Mailbox

Post by d.artzen »

Hi Fabian,

thanks for checking. Our backup server is not part of the domain and we only use the B&R console on the server itself, so we log in to the console with the local administrator account of the B&R Server, which naturally does not have any rights on any of the servers in the domain.
I don't have a problem with entering the credentials for a compare or a restore. It's just that the first attempt is guaranteed to fail in our case and displaying the error message. I would like to prevent at lease that, but if I understood correctly, this is not possible. That only happens with "compare" by the way, when trying to restore something to the Mailbox I am directly asked for the credentials without that first failed attempt. So maybe this could be changed in the future so the explorer always asks for the relevant credentials.

Best regards
Daniel
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Needed Permissions for restore of a folder in an Exchange Mailbox

Post by Mildur »

I don't have a problem with entering the credentials for a compare or a restore. It's just that the first attempt is guaranteed to fail in our case and displaying the error message.
The first attempt happens after I decided which credentials I want to use.
In my lab, if I click on Compare with production, the connection wizards open. Then I have to choose which user account and which domain I want to connect to.
I never get any error message, only if I choose the wrong user of course.

If you get the error message instantly whiteout choosing any credentials, then it would make sense to check that with our support.
Product Management Analyst @ Veeam Software
Post Reply

Who is online

Users browsing this forum: Amazon [Bot] and 34 guests