For Tivoli® Storage FlashCopy® Manager security, users who are logged on to the Exchange Server must have role-based access control (RBAC) permissions to access mailboxes and to complete mailbox restore tasks.
If you are authorized by the security policy in your organization, add users in the Exchange Organization Management role group or subgroups. Users in the Exchange Organization Management role group or subgroups have sufficient privileges to optimally complete mailbox restore operations. Users who are not in the Exchange Organization Management role group or subgroups might experience slower performance.
To restore an Exchange 2013 public folder mailbox, the Exchange user must also have the Public Folders management role. To restore mail to a Unicode PST file, the Exchange user must have the Mailbox Import Export management role.
    New-RoleGroup -Name "My Admins" -Roles "Active Directory Permissions", "Databases",
        "Disaster Recovery", "Mailbox Import Export", "Public Folders",
        "View-Only Configuration", "View-Only Recipients" -Members operator1
The preceding example creates a new role group, My Admins, with the minimum roles needed to run Tivoli Storage FlashCopy Manager, and assigns user operator1 to this group. The operator1 user can run Tivoli Storage FlashCopy Manager but has limited Exchange privileges; for example, the user cannot create or remove a user mailbox.
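To confirm that an account holds each of the roles named in the preceding example, the following check can be run in the Exchange Management Shell. It is an added example, not part of the product documentation; the function name Test-FcmRoleCoverage is hypothetical, and operator1 is the sample user from above.

```powershell
# Added example: reports, for one account, which of the roles from the
# "My Admins" example are effectively assigned and through which assignee.
# Test-FcmRoleCoverage is a hypothetical helper name.
function Test-FcmRoleCoverage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$User
    )

    # Role names and purposes are taken from this page.
    $required = [ordered]@{
        'Active Directory Permissions' = 'listed in the example role group'
        'Databases'                    = 'listed in the example role group'
        'Disaster Recovery'            = 'listed in the example role group'
        'View-Only Configuration'      = 'listed in the example role group'
        'View-Only Recipients'         = 'listed in the example role group'
        'Public Folders'               = 'restore an Exchange 2013 public folder mailbox'
        'Mailbox Import Export'        = 'restore mail to a Unicode PST file'
    }

    foreach ($role in $required.Keys) {
        # -RoleAssignee returns direct and indirect (group-based) assignments.
        # Delegating-only and disabled assignments do not let the user run
        # the role's cmdlets, so they are excluded.
        $assignments = @(Get-ManagementRoleAssignment -Role $role `
                -RoleAssignee $User -Delegating $false -Enabled $true `
                -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            User      = $User
            Role      = $role
            NeededFor = $required[$role]
            Assigned  = ($assignments.Count -gt 0)
            Via       = ($assignments |
                    ForEach-Object { $_.RoleAssigneeName } |
                    Sort-Object -Unique) -join ', '
        }
    }
}

# Show the result for the page's sample user; rows with Assigned = False
# are roles the account still lacks.
Test-FcmRoleCoverage -User operator1 | Format-Table -AutoSize
```

A Via value of Organization Management means that the account gets the role through the broad group rather than through a scoped role group such as My Admins.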
By default, Windows adds the Exchange Organization Administrators group to other security groups, including the local Administrators group. For Exchange users who are not members of the Exchange Organization Management group, you must manually add the user account to the local Administrators group by using the Local Users and Groups tool on the computer of the domain member (select Administrative tools > Computer Management > Local Users and Groups tool). On a domain controller computer that does not have a local Administrators group or Local Users and Groups tool, manually add the user account to the Administrators group in the domain (select Administrative tools > Active Directory Users and Computers tool).