How to restore a mailbox without needing the users password

[ShawnKPERS]

I am currently testing using U-Air in V-Power to restore an email from our exchange 2010 backup into the users email mailbox. With a little bit of mucking around I got it to work, but the one part I found that may be a deal breaker is the fact that I need the uses AD login password to access the account from the backup. I would like to have it allow me to use administrator credentials to restore from any mailbox. Is this possible? And if so do I have to do something like give the administrator account full access to all mailboxes?

[Gostev]

Hi Shawn, sure this is possible, but you need to grant administrator account permissions to access user mailboxes (this is disabled in Exchange by default, but can be easily enabled - you can look up how-tos on the internet, they vary depending on the Exchange version). In fact, most tools for granular Exchange recoveries require this change as a part of deployment process, in order to be able to restore data back into the user mailbox. Just remember to take new backup after you make the permission change. Thanks.

[aevenot]

Hi ShawnKPERS,

I'm searching for the same thing. I have add FullAccess for the Administrator to the user mailbox but it's not working.

Do you have find a way to make it work?

[Vitaliy S.]

Basically all you need to do is to grant FullAccess for the admin account as it is described in these articles:
Grant Full Mailbox Rights to an Administrator on Exchange 2000/2003
Exchange 2007 access to all mailboxes for Administrator
Grant Full Access to All Mailboxes in Exchange 2010

If you've done that and still have no luck, don't hesitate to contact our technical team for further troubleshooting steps.

[Gostev]

Be sure to perform and then use the NEW backup of Exchange VM once you have set this up.

[ShawnKPERS]

I already tried the method that Vitaliy was nice enough to post for 2010 with little luck, but in the script I used a group instead of a user to grant full access. I will give it another shot with a single user account and report back my findings.

[aevenot]

I already tried the method also and it doesn't work. I already tried the command bellow with no luck too.

Get-MailboxDatabase -identity "Mailbox Database" | Add-ADPermission -user administrator -ExtendedRights Receive-As, Send-As

[aevenot]

I have opened a case but the functionally is in beta version so I think it will be "best effort".

[tsightler]

Is the account you're using a member of "Domain Admins", "Enterprise Admins", "Exchange Oragnizaion Admins" or "Administrators"? If so, you have to remove the explicit "Deny" permission for these groups as well. The "Deny" permission overrides all other rights so it has to be removed.

The way most brick level Exchange backup software works is to have you to create a relatively unprivileged account (in many cases simply "Domain Guest" or some other very limited account group), but give that account "Full Access" rights to the mailbox. We did this years ago with another backup solution, creating an account called "Postmaster". For the legacy tool this account performed the backup of the mailbox data, as well as restores, however, with Veeam we use this account only for restores and it works fine.

We use a simple web based password manager that supports automatic password changes for this account (changed daily) and we "share" this password out to admins who might need to perform restores. The tool audits any access to this password, emailing the team whenever the password is viewed. This provides us with many advantages, including the fact that admins don't have continuous, unaudited access to user mailboxes just so that they can perform occasional restores.

[aevenot]

I have tried by using a standard account, not an admin account with no luck.

[ShawnKPERS]

Same here, I created a Joe Blow account that is only a member of the Domain Users group with no luck. What permission is Veeam looking for? I know the accounts that I have been testing with have full access to the mailboxes I am trying to recover, so there must be some additional right that is required. The only thing I can think of is the "send as" right since the backup exchange will need some way of sending the email to the production exchange.

[Gostev]

the backup exchange will need some way of sending the email to the production exchange.

This does not actually happen when using Exchange AIR wizard. All restores are done through the public API (specific API depends on Exchange version).

Full Mailbox Access right should really be sufficient, if this does not work I think best would be to let our devs look at this via webex.

[aevenot]

FullAccess on the user mailbox works well with outlook or OWA but it doesn't with Veeam . U-AIR Exchange is still on beta version, so I think this will be fix on the final version.

[Gostev]

Hi, it looks like in case of Exchange 2010, you additionally need to setup impersonation:
http://msdn.microsoft.com/en-us/library ... 40%29.aspx

[ShawnKPERS]

Gostev,

You were right about the "Send As" permission, It was a shot in the dark but after testing I still got the same results. I will look into the site you posted about impersonation. Also I put in a support ticket this morning so if I get a good answer I will post it here.

[aevenot]

My Exchange administrator has done a failback on the exchange server to 2007 for other reason.

So I can confirm that Full Access right on the mailbox is enough to restore Exchange 2007 mailboxes.

[Gostev]

Thanks. That's right. Impersonation requirements is the new thing added into Exchange 2010. But I why would anyone want to failback to Exchange 2007 I wonder? Sorry for slight offtopic.

[aevenot]

I want to let you know that we not failback because of veeam but because of requirements for a product that done migration from lotus domino. We are in a migrating phase so the exchange server is not in production, we can do all we want. Migration to Exhange 2010 will be done next month.

[Gostev]

Ah, that explains. Thanks.

[aevenot]

I've done the following command on my exchange server in my testing lab, thanks to gostev it's working like a charm.

Code: Select all

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:administrator

thanks again, I can my close my case now.

[Gostev]

Great to hear, and thanks for taking time to update this topic with confirmation.

[aevenot]

I have found a way to make it work on my Exchange 2010, I'm looking now for doing the same thing on my Exchange 2007 server.

[ShawnKPERS]

I just got it to work in 2010 as well!!! I used the same command aevenot posted. Thanks Gostev for recommending impersonations.

[findend]

Hello

I'm supposed to create the appropriate Windows account in order to backup and restore Exchange 2010-mailboxes.

Unfortunately, I didn't find a set of appropriate permissions for this account, neither in the 5.02 Users Guide nor in the 5.02 ex-air release notes, nor in the online-FAQ, but I found this thread.

What is the conclusion of those two pages of writing? It's looks confusing enough to me.
Which are the necessary permissions for this account having Exchange 2010 backed up and Mailboxes restored?
Is there any membership to add to this account as well?

Or is it better to have two accounts, one to backup and one to restore? If yes, can Veeam handle that and what permissions are necessary for each account to have them work properly?

I list all the informations I found:

Gostev
http://forums.veeam.com/viewtopic.php?f ... ion#p30653

grant administrator account permissions to access user mailboxes

Vitaly S.
http://forums.veeam.com/viewtopic.php?f ... ion#p30669

Basically all you need to do is to grant FullAccess for the admin account as it is described in these articles:
http://blog.xiquest.com/2010/01/grant-f ... ange-2010/

-> which states the following cmdlets

Code: Select all

Get-MailboxDatabase -identity “[mailbox database name]” | Add-ADPermission -user [username] -AccessRights GenericAll

-> in the comments I find another cmdlet

Code: Select all

Get-MailboxDatabase | Add-ADPermission -user "USER/GROUP" -ExtendedRights Receive-as, ms-Exch-Store-Admin -InheritanceType All

tsightler
http://forums.veeam.com/viewtopic.php?f ... ion#p30687

Is the account you're using a member of "Domain Admins", "Enterprise Admins", "Exchange Oragnizaion Admins" or "Administrators"? If so, you have to remove the explicit "Deny" permission for these groups as well. The "Deny" permission overrides all other rights so it has to be removed.

Gostev
http://forums.veeam.com/viewtopic.php?f ... ion#p30751

Hi, it looks like in case of Exchange 2010, you additionally need to setup impersonation:
http://msdn.microsoft.com/en-us/library ... 40%29.aspx

-> which leads to the next cmdlet

Code: Select all

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount

shawnKPERS
http://forums.veeam.com/viewtopic.php?f ... ion#p30762

Gostev,
You were right about the "Send As" permission, It was a shot in the dark but after testing I still got the same results. I will look into the site you posted about impersonation. Also I put in a support ticket this morning so if I get a good answer I will post it here.

->I don't understand to what shawnKPERS is refering to

aevenot
http://forums.veeam.com/viewtopic.php?f ... =15#p30838

I've done the following command on my exchange server in my testing lab, thanks to gostev it's working like a charm.

Code: Select all

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:administrator

Which of the above cmdlets are really necessary and which can I skip?
What else is necessary to make the Veeam account to backup Exchange 2010 and restore mailboxes?

Thanks for your help!

[findend]

Sorry, there is a mistake in my previous post, I only need the account to restore exchange 2010-mailboxes.
Backup is done some other way.

Thanks

[MikeH]

[merged]

I'm trying to run the Exchange U_AIR wizard for Exchange 2010 SP1. I have been able to make it through to the pop-up screen that asks for "Backup Mailbox Credentials". I've tried all the combinations I can think of, but nothing works. Any suggestions on where I would find the username and password or where it is managed?
Thanks

[Ozge]

[merged]

We are using Veeam Backup and replication 6.1.

While we are performing Exchange Single Item Restore, we are prompted to provide the creditentials. But in no way it accepts our username and password. Virtual Lab and Sure BAck up are all running.

How can we preceed at this point?

Regards.

[Cokovic]

As described you need to allow the administrator account or an dedicated account for this purpose access rights to the users mailbox (or all mailboxes). Instead you could try to authenticate with the user credentials itself.

A sidenote:
Once i had the problem that my Veeam backupserver wasn't located in the same domain as the production exchange server and there was no trust relationship between these two domains. Veeam server was a member of a testdomain. And i was also stuck in the credentials window. Always failed with authentication regardless which credentials were used. Moving the server into the same domain as the backed up Exchange server did the trick.

[jveldhui]

[merged]

We are using Veeam Backup and replication 6.1.

While we are performing Exchange Single Item Restore, we are prompted to provide the creditentials. But in no way it accepts our username and password. Virtual Lab and Sure BAck up are all running.

How can we preceed at this point?

Regards.

I am stuck at the exact same point. What ever credentials I try to use, I won't get through. Not even with the credentials corresponding to the mailbox.
Can anyone please advise?

[Vitaliy S.]

Jaap, have you tried to apply the recommendations discussed in this thread?