Privileges

To help ensure that a Microsoft Exchange agent can work in your IBM Spectrum Protect Plus environment, you must set up appropriate privileges.

Role-based access control

For IBM Spectrum Protect Plus security, users who are logged on to the Exchange Server must have role-based access control (RBAC) permissions to access mailboxes and to complete mailbox restore tasks.

If your user name is authorized by the security policy in your organization, you can add user names to the Exchange Organization Management role group or its subgroups. A user whose name is in the Exchange Organization Management role group or its subgroups can complete mailbox restore operations. A user whose name is not in the Exchange Organization Management role group or its subgroups might experience slower performance when completing restore operations.

You must define a minimum set of management roles and role scope for the Exchange user.

You must assign the following management roles to each Exchange user: Active Directory Permissions, Databases, Disaster Recovery, Mailbox Import Export, View-Only Configuration, and View-Only Recipients.

To restore an Exchange public folder mailbox, the Exchange user must also have the Public Folders management role. To restore mail to a Unicode PST file, the Exchange user must have the Mailbox Import Export management role.

To assign management roles to a user, use an Exchange Management Shell (PowerShell) cmdlet as shown in the following example:

New-RoleGroup -Name "My Admins" -Roles "Active Directory Permissions", "Databases", "Disaster Recovery", "Mailbox Import Export", "Public Folders", "View-Only Configuration", "View-Only Recipients" -Members operator1

The preceding example creates a group, My Admins, with minimum roles to run the IBM Spectrum Protect Plus Exchange agent, and assigns user operator1 to this group. The operator1 user can run the IBM Spectrum Protect Plus Exchange agent but with limited Exchange privileges; for example, the user cannot create or remove a user mailbox.

Management role scope:

Ensure that the following Exchange objects are in the management role scope for the Exchange user:
  • The Exchange Server that contains the required data
  • The recovery database that IBM Spectrum Protect Plus creates
  • The database that contains the active mailbox
  • The database that contains the active mailbox of the user who completes the restore operation

Verify that the Exchange user name is a member of the local Administrators group and has an active Exchange mailbox in the domain. By default, Windows adds the Exchange Organization Administrators group to other security groups, including the local Administrators group. For Exchange users who are not members of the Exchange Organization Management group, you must manually add the user account to the local Administrators group by using the Local Users and Groups tool on the domain member computer.

On the computer of the domain member, click Administrative tools > Computer Management > Local Users and Groups tool. On a domain controller computer that does not have a local Administrators group or Local Users and Groups tool, manually add the user account to the Administrators group in the domain by clicking Administrative tools > Active Directory Users and Computers tool.
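The following script is an added verification example; it is not part of the IBM documentation and not code that the IBM Spectrum Protect Plus agent ships. It checks, in the Exchange Management Shell, the five conditions described above: the required management roles are assigned to the role group, the user is a member of that group, the write scopes of the role assignments (so you can confirm that the Exchange server, the recovery database and the mailbox databases fall inside them), local Administrators membership, and the presence of an Exchange mailbox. The names "My Admins", operator1 and EXCH01 are assumed placeholders; replace them with your own values and run the script elevated on the Exchange server.

```powershell
# Added example, not part of the IBM documentation. Verifies the privilege
# setup for the IBM Spectrum Protect Plus Exchange agent user.
# "My Admins", operator1 and EXCH01 are assumed placeholder names.
# Run in the Exchange Management Shell, elevated, on the Exchange server.

$RoleGroup = "My Admins"   # role group created with New-RoleGroup
$User      = "operator1"   # account that runs the Exchange agent
$Server    = "EXCH01"      # Exchange server that holds the data (assumed name)

# Minimum roles from the text; add "Public Folders" for public folder restores
$RequiredRoles = @(
    "Active Directory Permissions", "Databases", "Disaster Recovery",
    "Mailbox Import Export", "View-Only Configuration", "View-Only Recipients"
)

# 1. Every required role must be assigned to the role group
$missing = $RequiredRoles | Where-Object {
    -not (Get-ManagementRoleAssignment -Role $_ -RoleAssignee $RoleGroup `
              -ErrorAction SilentlyContinue)
}
if ($missing) { Write-Warning "Roles missing from ${RoleGroup}: $($missing -join ', ')" }
else          { Write-Output  "All required management roles are assigned to $RoleGroup" }

# 2. The user must be a member of the role group (matched on the Name attribute)
$member = Get-RoleGroupMember -Identity $RoleGroup |
          Where-Object { $_.Name -eq $User }
if (-not $member) { Write-Warning "$User is not a member of $RoleGroup" }

# 3. Write scopes of the assignments: the server, the recovery database that
#    IBM Spectrum Protect Plus creates and the mailbox databases listed below
#    must fall inside these scopes (compare the two tables by hand)
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Select-Object Role, ConfigWriteScope, CustomConfigWriteScope,
                  RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
Get-MailboxDatabase -Server $Server -Status |
    Select-Object Name, Recovery, Mounted | Format-Table -AutoSize

# 4. Local Administrators membership (Get-LocalGroupMember needs Windows
#    PowerShell 5.1 or later; members are listed as DOMAIN\user)
$admin = Get-LocalGroupMember -Group "Administrators" |
         Where-Object { $_.Name -like "*\$User" }
if (-not $admin) { Write-Warning "$User is not in the local Administrators group" }

# 5. The user needs an active mailbox in the domain
if (-not (Get-Mailbox -Identity $User -ErrorAction SilentlyContinue)) {
    Write-Warning "$User has no Exchange mailbox"
}
```

Step 3 only displays the scopes and databases; an empty CustomConfigWriteScope means the default organization-wide write scope applies, otherwise confirm that the recovery database and the databases holding the active mailboxes match the scope's filter or database list. Any warning printed by the other steps points at one of the conditions listed above that is not yet met.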

Encrypting File System

IBM Spectrum Protect Plus for Exchange requires that Encrypting File System (EFS) be enabled in the local or domain group policy and that a valid Domain Data Recovery Agent (DRA) certificate be available. If a custom group policy is defined and linked to an organizational unit, ensure that the Exchange server is part of that organizational unit.
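To confirm the EFS requirement before installing the agent, the following added example (not from the IBM documentation) encrypts a constructed probe file on the Exchange server, checks that the Encrypted attribute was applied, and uses cipher.exe to list the recovery certificates recorded on that file, which is where a Domain DRA certificate shows up. The probe path and the policy registry location used for the preliminary check are assumptions; the script removes the probe when it finishes.

```powershell
# Added example, not part of the IBM documentation. Checks that EFS works on
# this server and that a recovery agent is recorded on an encrypted file.
# The probe path and the policy registry key are assumptions; run elevated
# as the account that will run the Exchange agent.

$probe = Join-Path $env:TEMP "efs-probe.txt"     # constructed test file
Set-Content -Path $probe -Value "efs probe"

# 1. Preliminary policy check: EfsConfiguration = 1 means EFS is disabled
#    by policy (assumed location of the policy value)
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS"
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.EfsConfiguration -eq 1) {
    Write-Warning "EFS is disabled by group policy"
}

# 2. Encrypt the probe with the Windows EFS API; this throws when EFS is
#    disabled or the user has no usable EFS certificate
try {
    [System.IO.File]::Encrypt($probe)
    $attrs = (Get-Item $probe).Attributes
    if (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
        Write-Output "EFS encryption succeeded for $probe"
    } else {
        Write-Warning "File was not encrypted; EFS is not effective here"
    }
} catch {
    Write-Warning "EFS encryption failed: $($_.Exception.Message)"
}

# 3. cipher /c prints the users and recovery certificates that can decrypt
#    the file; the Domain DRA certificate must appear under the recovery
#    certificates section, otherwise the DRA is not in effect on this server
if ((Get-Item $probe).Attributes -band [System.IO.FileAttributes]::Encrypted) {
    & cipher.exe /c $probe
}

Remove-Item -Path $probe -Force
```

If step 2 succeeds but step 3 lists no recovery certificate, the DRA policy is not reaching this computer; check that the Exchange server is in the organizational unit the policy is linked to and refresh group policy before retesting.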