Security requirements for backup and restore operations
For Data Protection for Exchange Server security, users who are logged on to the Exchange Server must have role-based access control (RBAC) permissions to access mailboxes and to complete mailbox restore tasks.
If your user name is authorized by the security policy in your organization, you can add user names to the Exchange Organization Management role group or its subgroups. Users whose name is in the Exchange Organization Management role group or subgroups can complete mailbox restore operations. Users whose name is not in the Exchange Organization Management role group or subgroups might experience slower performance when completing restore operations.
- Set the role and scope:
  - Management roles
    - "Active Directory Permissions", "Databases", "Disaster Recovery", "Mailbox Import Export", "View-Only Configuration", and "View-Only Recipients".
    To restore an Exchange 2013 public folder mailbox, the Exchange user must also have the Public Folders management role. To restore mail to a Unicode PST file, the Exchange user must have the Mailbox Import Export management role.
    The following Exchange PowerShell cmdlet sets RBAC permissions:
        New-RoleGroup -Name "My Admins" -Roles "Active Directory Permissions", "Databases", "Disaster Recovery", "Mailbox Import Export", "Public Folders", "View-Only Configuration", "View-Only Recipients" -Members operator1
    The preceding example creates a new group, My Admins, with the minimum roles needed to run Data Protection for Exchange Server, and assigns the user operator1 to this group. The operator1 user can run Data Protection for Exchange Server but with limited Exchange privileges; for example, the user cannot create or remove a user mailbox.
  - Management role scope
    - Ensure that the following Exchange objects are in the management role scope for the user name who is logged on to the Exchange Server:
      - The Exchange Server that contains the required data
      - The recovery database that Data Protection for Exchange Server creates
      - The database that contains the active mailbox
      - The database that contains the active mailbox of the user who completes the restore operation
- Verify that the Exchange user name is a member of a local Administrators group and has an active Exchange mailbox in the domain.
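The following Exchange Management Shell script is an added example, not part of this documentation or of the Data Protection for Exchange Server product. It carries the role-group step and the management-role-scope step above through together: it creates a database scope covering the mailbox databases and the recovery database, creates the My Admins role group with only the listed roles and write-scopes it to those databases, then verifies the resulting role assignments. The database name prefixes (MBX*, RDB-*), the scope name, and the operator account name are assumptions; replace them with the names used in your organization, and run it as a member of Organization Management.

```powershell
# Added example; not from the Data Protection for Exchange Server documentation.
# Assumptions: Exchange Management Shell loaded; mailbox databases named MBX*;
# the recovery database that Data Protection creates named RDB-*; operator1 exists.

$RoleGroupName = "My Admins"
$ScopeName     = "My Admins DB Scope"
$Operator      = "operator1"

# Minimum roles from the page, plus "Public Folders" for Exchange 2013
# public folder mailbox restores.
$Roles = @(
    "Active Directory Permissions",
    "Databases",
    "Disaster Recovery",
    "Mailbox Import Export",
    "Public Folders",
    "View-Only Configuration",
    "View-Only Recipients"
)

# 1. Database scope. A name filter (rather than a fixed -DatabaseList) keeps the
#    recovery database in scope even if Data Protection recreates it, as long as
#    its name prefix (assumed here) stays the same.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -DatabaseRestrictionFilter "Name -like 'MBX*' -or Name -like 'RDB-*'" | Out-Null
}

# 2. Role group with only the roles above, write-scoped to those databases.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName `
        -Roles $Roles `
        -CustomConfigWriteScope $ScopeName `
        -Members $Operator | Out-Null
}
else {
    # Group already exists: only make sure the operator is a member.
    Add-RoleGroupMember -Identity $RoleGroupName -Member $Operator -ErrorAction SilentlyContinue
}

# 3. Verify that every expected role is assigned and that the assignments carry
#    the database scope instead of the organization-wide default.
$assignments   = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName
$assignedRoles = $assignments | ForEach-Object { $_.Role.ToString() }
$missing       = $Roles | Where-Object { $assignedRoles -notcontains $_ }
if ($missing) {
    Write-Warning ("Roles not assigned to {0}: {1}" -f $RoleGroupName, ($missing -join ", "))
}
$assignments |
    Select-Object Role, CustomConfigWriteScope, RecipientWriteScope |
    Format-Table -AutoSize

# 4. Confirm membership and list the databases the scope filter actually matches,
#    so the recovery database and the active mailbox databases can be checked
#    against the list in the documentation.
Get-RoleGroupMember -Identity $RoleGroupName | Select-Object Name, RecipientType
Get-MailboxDatabase |
    Where-Object { $_.Name -like "MBX*" -or $_.Name -like "RDB-*" } |
    Select-Object Name, Server, Recovery
```

A role group carries one configuration write scope, so if the roles need to act on server objects as well, a server scope (New-ManagementScope -ServerList or -ServerRestrictionFilter) is the alternative to the database scope used here. Either way, run a test restore as the operator account before relying on the scope in production, because a scope that omits the recovery database fails only at restore time.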
By default, Windows adds the Exchange Organization Administrators group to other security groups, including the local Administrators group. For Exchange users who are not members of the Exchange Organization Management group, you must manually add the user account to the local Administrators group. On a domain member computer, use the Local Users and Groups tool: select Administrative Tools > Computer Management > Local Users and Groups. On a domain controller, which has no local Administrators group or Local Users and Groups tool, manually add the user account to the Administrators group in the domain by selecting Administrative Tools > Active Directory Users and Computers.
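As an added example (not part of this documentation), the following Windows PowerShell script performs the same check and correction without the GUI tools. It detects whether the computer is a domain controller, checks the operator account's membership in the appropriate Administrators group, adds it when missing, and then confirms that the account also has an active Exchange mailbox as the requirement above demands. The domain name CONTOSO and the account name operator1 are placeholders; the Exchange Management Shell must be loaded for Get-Mailbox, the LocalAccounts cmdlets need Windows PowerShell 5.1, and the ActiveDirectory module is assumed to be present on a domain controller.

```powershell
# Added example; not from the Data Protection for Exchange Server documentation.
# Assumptions: account CONTOSO\operator1 (placeholder), Exchange Management Shell
# loaded, ActiveDirectory module available on a domain controller.

$Domain  = "CONTOSO"
$Account = "operator1"
$Member  = "$Domain\$Account"

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
# Domain controllers have no local Administrators group, so the domain group is used.
$isDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

function Test-AdminMembership {
    # Returns $true when the account is a member of the Administrators group
    # that applies to this computer (domain group on a DC, local group otherwise).
    if ($isDomainController) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $hit = Get-ADGroupMember -Identity "Administrators" -Recursive |
            Where-Object { $_.SamAccountName -eq $Account }
    }
    else {
        $hit = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $Member }
    }
    return [bool]$hit
}

function Add-AdminMembership {
    if ($isDomainController) {
        Add-ADGroupMember -Identity "Administrators" -Members $Account
    }
    else {
        Add-LocalGroupMember -Group "Administrators" -Member $Member
    }
}

if (Test-AdminMembership) {
    Write-Host "$Member is already a member of Administrators."
}
else {
    Write-Host "$Member is not a member of Administrators; adding."
    Add-AdminMembership
    # Re-read the group so the result reflects the directory, not the intent.
    if (-not (Test-AdminMembership)) {
        Write-Warning "Membership for $Member could not be confirmed after the add."
    }
}

# The second half of the requirement: an active Exchange mailbox in the domain.
$mailbox = Get-Mailbox -Identity $Account -ErrorAction SilentlyContinue
if ($mailbox) {
    $mailbox | Select-Object Name, Database, RecipientTypeDetails
}
else {
    Write-Warning "$Member has no Exchange mailbox; mailbox restore tasks will not run until one exists."
}
```

Members of the Exchange Organization Management group normally pass the first check already, because Windows nests that group into the local Administrators group; the explicit add is only needed for operator accounts that were deliberately left out of Organization Management to keep their Exchange privileges limited.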