Privileges

To help ensure that a Microsoft Exchange agent can work in your IBM Spectrum Protect Plus environment, you must set up the appropriate privileges for the Exchange user account.

Role-based access control

You are required to register the Exchange Server with IBM Spectrum Protect Plus with an Exchange user that has local administrator privileges and the correct role-based access control (RBAC) permissions.

Also, for granular restore operations you are required to use an Exchange user that has local administrator privileges and the correct RBAC permissions.

Minimum requirements for the Exchange user:

  1. Verify that the Exchange user is a member of a local Administrator group and has an active Exchange mailbox in the domain.
    By default, Windows adds the Exchange Organization Administrators group to other security groups, including the local Administrators group. For Exchange users who are not members of the Exchange Organization Management group, you must manually add the user account to the local Administrators group:
    • On the computer of the domain member, click Administrative tools > Computer Management > Local Users and Groups tool.
    • On a domain controller computer that does not have a local Administrators group or Local Users and Groups tool, manually add the user account to the Administrators group in the domain: Click Administrative tools > Active Directory Users and Computers tool.
  2. Set the role and scope.
    • Verify that the Exchange user has the correct RBAC permissions.
      You must assign the following management roles to each Exchange user that does mailbox restore operations:
      • Active Directory Permissions
      • ApplicationImpersonation
      • Databases
      • Disaster Recovery
      • Mailbox Import Export
      • Public Folders
      • View-Only Configuration
      • View-Only Recipients

      Place users that you want to do mailbox restore tasks into an Exchange Server role group that contains these roles.

      Exchange Server includes several built-in role groups. The Organization Management role group by default contains most, if not all of the roles that are listed.

      Place the user that you want to do mailbox restore tasks into the Organization Management role group (ensuring it contains all of the listed roles).

      Alternatively, you can place the user into another role group that you created or any other built-in role group that contains the roles that are listed.
      Note: A user whose name is not in the Exchange Organization Management role group or subgroups might experience slower performance when they are completing restore operations.
      Important: You can manage Exchange role groups by using the Exchange Admin Center (EAC) or Exchange Powershell Cmdlets only if your user name is authorized by the security policy in your organization.
    • Management Role Scope
      Ensure that the following Exchange objects are in the management role scope for the Exchange user:
      • The Exchange Server that contains the required data.
      • The recovery database that is created by IBM Spectrum Protect Plus.
      • The database that contains the active mailbox.
      • The database that contains the active mailbox of the user who completes the restore operation.

Encrypting File System

IBM Spectrum Protect Plus for Exchange requires that Encrypting File System (EFS) is enabled in the local or group domain policy, and a valid Domain Data Recovery Agent (DRA) certificate is available. If a custom group policy is defined and linked to the organizational unit, ensure that the Exchange server is part of the organizational unit.

Exchange certificates

Exchange digital certificates must be installed and configured for the mailbox browser to function during a granular restore operation. Ensure that the current Exchange certificates are installed and configured correctly in your environment.
Note: With Exchange 2016 and Exchange 2019, by default the Exchange Server is configured to use Transport Layer Security (TLS). This TLS security encrypts communication between internal Exchange servers, and between Exchange services on the local server.