ShawnKPERS
Enthusiast
Posts: 54
Liked: 4 times
Joined: Apr 29, 2011 3:55 pm
Full Name: Shawn Nix
Contact:

How to restore a mailbox without needing the users password

Post by ShawnKPERS » May 02, 2011 8:04 pm

I am currently testing using U-AIR in vPower to restore an email from our Exchange 2010 backup into the user's email mailbox. With a little bit of mucking around I got it to work, but the one part I found that may be a deal breaker is the fact that I need the user's AD login password to access the account from the backup. I would like to have it allow me to use administrator credentials to restore from any mailbox. Is this possible? And if so, do I have to do something like give the administrator account full access to all mailboxes?

Gostev
SVP, Product Management
Posts: 24612
Liked: 3463 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 02, 2011 8:45 pm

Hi Shawn, sure this is possible, but you need to grant the administrator account permissions to access user mailboxes (this is disabled in Exchange by default, but can be easily enabled - you can look up how-tos on the internet, they vary depending on the Exchange version). In fact, most tools for granular Exchange recoveries require this change as part of the deployment process, in order to be able to restore data back into the user mailbox. Just remember to take a new backup after you make the permission change. Thanks.

aevenot
Enthusiast
Posts: 31
Liked: 1 time
Joined: Jul 07, 2009 9:14 am
Full Name: aevenot
Contact:

Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 03, 2011 10:18 am

Hi ShawnKPERS,

I'm searching for the same thing. I have added FullAccess for the Administrator to the user mailbox but it's not working.

Have you found a way to make it work?

Vitaliy S.
Product Manager
Posts: 22860
Liked: 1538 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: How to restore a mailbox without needing the users passw

Post by Vitaliy S. » May 03, 2011 10:44 am

Basically all you need to do is to grant FullAccess for the admin account as it is described in these articles:
Grant Full Mailbox Rights to an Administrator on Exchange 2000/2003
Exchange 2007 access to all mailboxes for Administrator
Grant Full Access to All Mailboxes in Exchange 2010

If you've done that and still have no luck, don't hesitate to contact our technical team for further troubleshooting steps.


Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 03, 2011 10:49 am

Be sure to perform and then use the NEW backup of Exchange VM once you have set this up.


Re: How to restore a mailbox without needing the users passw

Post by ShawnKPERS » May 03, 2011 11:48 am

I already tried the method that Vitaliy was nice enough to post for 2010 with little luck, but in the script I used a group instead of a user to grant full access. I will give it another shot with a single user account and report back my findings.


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 03, 2011 12:40 pm

I already tried the method also and it doesn't work. I already tried the command below with no luck too.

Get-MailboxDatabase -identity "Mailbox Database" | Add-ADPermission -user administrator -ExtendedRights Receive-As, Send-As


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 03, 2011 12:43 pm

I have opened a case but the functionality is in beta version so I think it will be "best effort".

tsightler
VP, Product Management
Posts: 5399
Liked: 2229 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: How to restore a mailbox without needing the users passw

Post by tsightler » May 03, 2011 2:22 pm 1 person likes this post

Is the account you're using a member of "Domain Admins", "Enterprise Admins", "Exchange Organization Admins" or "Administrators"? If so, you have to remove the explicit "Deny" permission for these groups as well. The "Deny" permission overrides all other rights so it has to be removed.

The way most brick-level Exchange backup software works is to have you create a relatively unprivileged account (in many cases simply "Domain Guest" or some other very limited account group), but give that account "Full Access" rights to the mailbox. We did this years ago with another backup solution, creating an account called "Postmaster". For the legacy tool this account performed the backup of the mailbox data, as well as restores; however, with Veeam we use this account only for restores and it works fine.

We use a simple web based password manager that supports automatic password changes for this account (changed daily) and we "share" this password out to admins who might need to perform restores. The tool audits any access to this password, emailing the team whenever the password is viewed. This provides us with many advantages, including the fact that admins don't have continuous, unaudited access to user mailboxes just so that they can perform occasional restores.


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 03, 2011 3:09 pm

I have tried by using a standard account, not an admin account with no luck.


Re: How to restore a mailbox without needing the users passw

Post by ShawnKPERS » May 04, 2011 11:36 am

Same here, I created a Joe Blow account that is only a member of the Domain Users group with no luck. What permission is Veeam looking for? I know the accounts that I have been testing with have full access to the mailboxes I am trying to recover, so there must be some additional right that is required. The only thing I can think of is the "send as" right since the backup exchange will need some way of sending the email to the production exchange.


Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 04, 2011 1:03 pm

ShawnKPERS wrote: the backup exchange will need some way of sending the email to the production exchange.
This does not actually happen when using Exchange AIR wizard. All restores are done through the public API (specific API depends on Exchange version).

Full Mailbox Access right should really be sufficient, if this does not work I think best would be to let our devs look at this via webex.


A

Post by aevenot » May 04, 2011 1:16 pm

FullAccess on the user mailbox works well with Outlook or OWA but it doesn't with Veeam. U-AIR Exchange is still in beta version, so I think this will be fixed in the final version.


Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 04, 2011 2:26 pm 1 person likes this post

Hi, it looks like in case of Exchange 2010, you additionally need to setup impersonation:
http://msdn.microsoft.com/en-us/library ... 40%29.aspx


Re: How to restore a mailbox without needing the users passw

Post by ShawnKPERS » May 04, 2011 5:40 pm

Gostev,

You were right about the "Send As" permission; it was a shot in the dark, but after testing I still got the same results. I will look into the site you posted about impersonation. Also, I put in a support ticket this morning, so if I get a good answer I will post it here.


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 05, 2011 3:55 pm

My Exchange administrator has done a failback on the Exchange server to 2007 for another reason.

So I can confirm that Full Access right on the mailbox is enough to restore Exchange 2007 mailboxes.


Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 05, 2011 6:55 pm

Thanks. That's right. The impersonation requirement is the new thing added in Exchange 2010. But why would anyone want to fail back to Exchange 2007, I wonder? Sorry for the slight off-topic.


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 05, 2011 8:02 pm

I want to let you know that we did not fail back because of Veeam, but because of the requirements of a product that does the migration from Lotus Domino. We are in a migration phase, so the Exchange server is not in production and we can do whatever we want. The migration to Exchange 2010 will be done next month.


Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 05, 2011 8:16 pm

Ah, that explains. Thanks.


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 05, 2011 9:23 pm

I've done the following command on my exchange server in my testing lab, thanks to gostev it's working like a charm.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:administrator

Thanks again, I can close my case now.
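
Added example, not part of any post in this thread and not Veeam's or Microsoft's code: a scoped variant of the ApplicationImpersonation assignment above, combined with the dedicated restore account described earlier in the thread, plus audit queries for who can impersonate and for leftover Deny entries. The account, scope and assignment names, the sample mailbox and the CustomAttribute15 marker are assumptions.

```powershell
# Run in the Exchange Management Shell on Exchange 2010.
# Assumed names, not from the thread: svc-restore (dedicated restore account),
# RestoreTargets (scope), RestoreImpersonation (assignment), user@example.com,
# and CustomAttribute15 = 'RestoreAllowed' as the marker for restorable mailboxes.
$account    = 'svc-restore'
$scopeName  = 'RestoreTargets'
$assignName = 'RestoreImpersonation'
$mailbox    = 'user@example.com'

# 1. One-time setup: a scope that matches only mailboxes tagged for restore.
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute15 -eq 'RestoreAllowed'"

# 2. One-time setup: impersonation limited to that scope instead of the whole org.
New-ManagementRoleAssignment -Name $assignName -Role ApplicationImpersonation `
    -User $account -CustomRecipientWriteScope $scopeName

# 3. Before a restore: tag the target mailbox so it falls inside the scope.
Set-Mailbox -Identity $mailbox -CustomAttribute15 'RestoreAllowed'

# 4. Audit: every account that can currently impersonate, and over which scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, Name, CustomRecipientWriteScope -AutoSize

# 5. Audit: regular (non-delegating) assignments with no custom scope reach every
#    mailbox; the -User:administrator assignment from the thread shows up here.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { $_.RoleAssignmentDelegationType -eq 'Regular' -and
                   -not $_.CustomRecipientWriteScope } |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope -AutoSize

# 6. Audit: explicit Deny entries on the mailbox databases, which override any
#    grant for members of the admin groups (the point made earlier in the thread).
Get-MailboxDatabase | Get-ADPermission |
    Where-Object { $_.Deny -and (($_.ExtendedRights -like 'Receive-As') -or
                                 ($_.ExtendedRights -like 'Send-As')) } |
    Format-Table Identity, User, ExtendedRights, Inherited -AutoSize

# 7. After the restore: take the mailbox back out of scope.
Set-Mailbox -Identity $mailbox -CustomAttribute15 $null
```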


Re: How to restore a mailbox without needing the users passw

Post by Gostev » May 05, 2011 10:36 pm

Great to hear, and thanks for taking time to update this topic with confirmation.


Re: How to restore a mailbox without needing the users passw

Post by aevenot » May 09, 2011 8:15 am

I have found a way to make it work on my Exchange 2010; I'm now looking to do the same thing on my Exchange 2007 server.


Re: How to restore a mailbox without needing the users passw

Post by ShawnKPERS » May 09, 2011 1:58 pm

I just got it to work in 2010 as well!!! I used the same command aevenot posted. Thanks Gostev for recommending impersonations.

findend
Lurker
Posts: 2
Liked: never
Joined: Sep 23, 2011 10:40 am

Re: How to restore a mailbox without needing the users passw

Post by findend » Sep 23, 2011 12:57 pm

Hello

I'm supposed to create the appropriate Windows account in order to backup and restore Exchange 2010-mailboxes.

Unfortunately, I didn't find a set of appropriate permissions for this account, neither in the 5.02 Users Guide nor in the 5.02 ex-air release notes, nor in the online-FAQ, but I found this thread.

What is the conclusion of those two pages of writing? It looks confusing enough to me.
Which are the necessary permissions for this account having Exchange 2010 backed up and Mailboxes restored?
Is there any membership to add to this account as well?

Or is it better to have two accounts, one to backup and one to restore? If yes, can Veeam handle that and what permissions are necessary for each account to have them work properly?

I list all the information I found:
Gostev
http://forums.veeam.com/viewtopic.php?f ... ion#p30653

grant administrator account permissions to access user mailboxes
Vitaliy S.
http://forums.veeam.com/viewtopic.php?f ... ion#p30669

Basically all you need to do is to grant FullAccess for the admin account as it is described in these articles:
http://blog.xiquest.com/2010/01/grant-f ... ange-2010/

-> which states the following cmdlets

Get-MailboxDatabase -identity "[mailbox database name]" | Add-ADPermission -user [username] -AccessRights GenericAll

-> in the comments I find another cmdlet

Get-MailboxDatabase | Add-ADPermission -user "USER/GROUP" -ExtendedRights Receive-as, ms-Exch-Store-Admin -InheritanceType All

tsightler
http://forums.veeam.com/viewtopic.php?f ... ion#p30687

Is the account you're using a member of "Domain Admins", "Enterprise Admins", "Exchange Organization Admins" or "Administrators"? If so, you have to remove the explicit "Deny" permission for these groups as well. The "Deny" permission overrides all other rights so it has to be removed.
Gostev
http://forums.veeam.com/viewtopic.php?f ... ion#p30751

Hi, it looks like in case of Exchange 2010, you additionally need to setup impersonation:
http://msdn.microsoft.com/en-us/library ... 40%29.aspx

-> which leads to the next cmdlet

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

shawnKPERS
http://forums.veeam.com/viewtopic.php?f ... ion#p30762

Gostev,
You were right about the "Send As" permission; it was a shot in the dark, but after testing I still got the same results. I will look into the site you posted about impersonation. Also, I put in a support ticket this morning, so if I get a good answer I will post it here.

-> I don't understand what shawnKPERS is referring to
aevenot
http://forums.veeam.com/viewtopic.php?f ... =15#p30838

I've done the following command on my exchange server in my testing lab, thanks to gostev it's working like a charm.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:administrator

Which of the above cmdlets are really necessary and which can I skip?
What else is necessary to make the Veeam account to backup Exchange 2010 and restore mailboxes?

Thanks for your help!


Re: How to restore a mailbox without needing the users passw

Post by findend » Sep 28, 2011 9:00 am

Sorry, there is a mistake in my previous post, I only need the account to restore exchange 2010-mailboxes.
Backup is done some other way.

Thanks

MikeH
Lurker
Posts: 1
Liked: 1 time
Joined: Jul 29, 2011 3:53 pm
Contact:

Exchange U-AIR credentials

Post by MikeH » Oct 04, 2011 7:02 pm 1 person likes this post

[merged]

I'm trying to run the Exchange U_AIR wizard for Exchange 2010 SP1. I have been able to make it through to the pop-up screen that asks for "Backup Mailbox Credentials". I've tried all the combinations I can think of, but nothing works. Any suggestions on where I would find the username and password or where it is managed?
Thanks

Ozge
Lurker
Posts: 1
Liked: never
Joined: Jul 24, 2012 8:56 am
Full Name: Ozge Ozkaya
Contact:

Credentials Error on Exchange Single Item Restore

Post by Ozge » Jul 24, 2012 9:19 am

[merged]

We are using Veeam Backup and Replication 6.1.

While we are performing Exchange Single Item Restore, we are prompted to provide the credentials. But in no way does it accept our username and password. Virtual Lab and SureBackup are all running.

How can we proceed at this point?

Regards.


Cokovic
Expert
Posts: 295
Liked: 59 times
Joined: Sep 06, 2011 8:45 am
Full Name: Haris Cokovic
Contact:

Re: How to restore a mailbox without needing the users passw

Post by Cokovic » Jul 24, 2012 11:18 am 1 person likes this post

As described, you need to give the administrator account, or a dedicated account for this purpose, access rights to the user's mailbox (or all mailboxes). Alternatively, you could try to authenticate with the user's own credentials.

A sidenote:
I once had the problem that my Veeam backup server wasn't located in the same domain as the production Exchange server and there was no trust relationship between these two domains. The Veeam server was a member of a test domain, and I was also stuck in the credentials window. It always failed with authentication regardless of which credentials were used. Moving the server into the same domain as the backed-up Exchange server did the trick.

jveldhui
Lurker
Posts: 2
Liked: never
Joined: Sep 09, 2011 1:08 pm
Full Name: Jaap van Veldhuizen
Contact:

Re: Credentials Error on Exchange Single Item Restore

Post by jveldhui » Aug 17, 2012 1:50 pm

Ozge wrote:[merged]

We are using Veeam Backup and Replication 6.1.

While we are performing Exchange Single Item Restore, we are prompted to provide the credentials. But in no way does it accept our username and password. Virtual Lab and SureBackup are all running.

How can we proceed at this point?

Regards.


I am stuck at the exact same point. Whatever credentials I try to use, I won't get through. Not even with the credentials corresponding to the mailbox.
Can anyone please advise?


Re: How to restore a mailbox without needing the users passw

Post by Vitaliy S. » Aug 18, 2012 9:09 pm

Jaap, have you tried to apply the recommendations discussed in this thread?
