Problem
How to set up user rights/permissions for BESA
and
What permissions are required for the Backup Exec account to perform Exchange backup.
Solution
Veritas QuickAssist (VQA) can assist in verifying permissions and the Backup Exec Exchange account.
1. The password for the Backup Exec System Logon Account (Configuration and Settings | Logon Accounts | Manage Logon Accounts) and/or the Backup Exec Service Account (BESA) (Configuration and Settings | Backup Exec Services | Edit Credentials) must match the password set in Active Directory.
2. Check all the basic Backup Exec permissions. This can be done with the Group Policy Management Console on a domain controller or with Local Security Policy on the media server. If the Local Policies are locked out by a Group Policy, the permissions will need to be added through the Group Policy Management Console on the domain controller.
- Act as part of the operating system
- Backup files and directories
- Create a token object
- Log on as a batch job
- Log on as a service
- Manage auditing and security log (BE 2010 R3 and later)
- Restore files and directories
- Take ownership of files and other objects
Directions:
- On the local machine, press the Windows logo key + R to open the Run dialog
- Type gpedit.msc in the text box, and then click OK or press ENTER
- Browse to \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and add the user to each policy listed above.
- On the domain controller, press the Windows logo key + R to open the Run dialog
- Type gpmc.msc in the text box, and then click OK or press ENTER
- Right-click the group policy the machine is in and select Edit...
- Browse to \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and add the user to each policy listed above.
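To confirm the result of the steps above, the following added example (not part of the original article and not a Veritas tool) exports the user rights assignment with secedit and reports, for each policy in the list, whether the account is assigned directly. The account name EXAMPLE\besa is a placeholder; rights inherited through a group are not resolved and appear only as that group's SID in the Holders column.

```powershell
# Added example: report which of the eight user rights are assigned directly to one account.
# Run from an elevated PowerShell session on the media server.
param([string]$Account = 'EXAMPLE\besa')   # placeholder account name (assumption)

# Policy name from the list above -> constant used in the secedit export
$rights = [ordered]@{
    'Act as part of the operating system'       = 'SeTcbPrivilege'
    'Backup files and directories'              = 'SeBackupPrivilege'
    'Create a token object'                     = 'SeCreateTokenPrivilege'
    'Log on as a batch job'                     = 'SeBatchLogonRight'
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Manage auditing and security log'          = 'SeSecurityPrivilege'
    'Restore files and directories'             = 'SeRestorePrivilege'
    'Take ownership of files and other objects' = 'SeTakeOwnershipPrivilege'
}

# The export lists most principals as *SID, so resolve the account to its SID first
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$shortName = ($Account -split '\\')[-1]    # some entries are exported as plain names instead of SIDs

# Export the user rights assignment currently in effect on this machine
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$export = Get-Content -Path $cfg
Remove-Item -Path $cfg

$report = foreach ($policy in $rights.Keys) {
    $constant = $rights[$policy]
    $line = $export | Where-Object { $_ -match "^$constant\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # Right-hand side is a comma-separated list; strip the leading * from SID entries
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    [pscustomobject]@{
        Policy   = $policy
        Constant = $constant
        Assigned = ($holders -contains $sid) -or ($holders -contains $shortName) -or ($holders -contains $Account)
        Holders  = $holders -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap
```

The Holders column also shows every other principal that holds each right, which is worth reviewing for SeTcbPrivilege and SeCreateTokenPrivilege in particular.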
The Backup Exec account must have the following permissions for backing up Exchange:
1. The account must be an Exchange Full Administrator, Exchange Organization Administrator, and Organization Management (Exchange 2010 and above) at the top level of Exchange.
2. The account must have local administrative rights on the Exchange Server.
3. The account must have an active mailbox on the Exchange Server.
4. The account must have received an e-mail via the mailbox.
5. The account must have sent an e-mail via the mailbox.
6. The account must be named so that it is unique within 5 characters. (Refer to the article below for steps to test this).
7. The account must be visible to the Global Address List, not hidden.
8. Make sure the default system logon account of Backup Exec and Backup Exec Service Account are the same.
Confirm that an Exchange mailbox name is unique within the Exchange organization when configuring Backup Exec to back up Exchange mailboxes
From the Backup Exec console, click Configuration and Settings | Logon Accounts | Manage Logon Accounts and ensure that a System Logon Account is present. If not, create a System Logon Account by clicking the System Account button.
Make sure the Backup Exec remote agent service is running under the Local System account.
For assistance on this task: https://www.veritas.com/docs/000041700