Minimal Permissions Required for Backing Up Exchange Server Versions 2010, 2013, 2016 and 2019


Article ID: 100011017


Resolution

A. Granting minimal permissions for a user account to perform non-GRT database backups and restores of Exchange Servers

B. Granting minimal permissions for a user account to perform GRT backups and restores of Exchange Servers

 

 

 

A. For non-GRT database backups and restores of Exchange Server:

Minimal permissions can be granted to a user account (the logon account) that allow it to perform Exchange database backups.

To grant minimal permissions for a user account to perform database backups and restores of Exchange Server mailbox databases:

1. Make sure that the user account is a member of the local Administrators group on all Exchange servers.

2. Do one of the following two steps to assign roles to the user account:

2-a) Assign the user account the following roles using the Exchange Management Console / Exchange Admin Center:

  • Public Folder Management
  • Recipient Management
  • Server Management
     

2-b) Assign the user account the following roles using the Exchange Management Shell:

  • Type the following command:
    New-RoleGroup -Name <role group name> -Roles @("Database Copies", "Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients", "Recipient Policies", "Mail Enabled Public Folders", "Public Folders")
    Note: <role group name> is the name of the new role group (e.g. BackupExecRoles).
     
  • Type the following command:
    Add-RoleGroupMember -Identity <role group name> -Member <user account>
    Note: <role group name> is the same as in the command above, and <user account> is the name of the account used as the logon account to back up Exchange.

 

B. For GRT backups and restores of Exchange Servers:

Minimal permissions can be granted to the logon account (the same account as above) so that it supports Granular Recovery Technology (GRT) on an Exchange Server.

To grant a user account the permissions needed to support Granular Recovery Technology on a Microsoft Exchange 2010 Server, do the following in addition to the steps listed above.

  1. Create a mailbox for the user account if it does not already have one.
  2. Go to the Exchange Management Shell and follow the steps listed below:
  • Type the following command:
    New-ManagementRole -Name "VeritasEWSImpersonationRole" -Parent ApplicationImpersonation
    Note: It may report that this role already exists; if so, move to the next step.
     
  • Type the following command:
    New-ManagementRoleAssignment -Role "<impersonation role name>" -User <user account> -Name "<role assignment name>"
    For example:
    New-ManagementRoleAssignment -Role "VeritasEWSImpersonationRole" -User BackupExecUser -Name "BackupExecUser-EWSImpersonation"
  • Type the following command:
    New-ThrottlingPolicy -Name "<throttling policy name>" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSMaxSubscriptions $null
    For example (Exchange 2010):
    New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null -EWSPercentTimeInCAS $null -EWSPercentTimeInAD $null -EWSPercentTimeInMailboxRPC $null

    For example (Exchange 2013, 2016, 2019):
    New-ThrottlingPolicy -Name "VeritasEWSRestoreThrottlingPolicy" -EWSMaxConcurrency $null -PowerShellMaxConcurrency $null

 

  • Type the following command:
    Set-Mailbox -Identity <user account> -ThrottlingPolicy "<throttling policy name>"
    For example:
    Set-Mailbox -Identity BackupExecUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
  • Type the following command:
    Set-ThrottlingPolicyAssociation -Identity <user account> -ThrottlingPolicy "<throttling policy name>"
    For example:
    Set-ThrottlingPolicyAssociation -Identity BackupExecUser -ThrottlingPolicy "VeritasEWSRestoreThrottlingPolicy"
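
A check for the result of sections A (step 2-b) and B, added here as an example and not part of the original article or of Veritas's tooling: it lists every management role the logon account effectively holds, flags anything outside the roles named above, and shows the write scope of the impersonation assignment. The variable names and the `Get-ShortName` helper are assumptions; the account, role and policy names are the article's example values.

```powershell
# Added example: run in the Exchange Management Shell after sections A (2-b) and B.
# Names below are the article's example values; adjust them to your environment.
$User              = 'BackupExecUser'
$ImpersonationRole = 'VeritasEWSImpersonationRole'
$ThrottlingPolicy  = 'VeritasEWSRestoreThrottlingPolicy'

# Roles from step 2-b plus the impersonation role from section B.
$expected = @(
    'Database Copies', 'Databases', 'Exchange Servers', 'Monitoring',
    'Mail Recipient Creation', 'Mail Recipients', 'Recipient Policies',
    'Mail Enabled Public Folders', 'Public Folders', $ImpersonationRole
)

# Hypothetical helper: ids are objects in a local shell, strings over remoting.
function Get-ShortName($Id) {
    if ($null -eq $Id) { return $null }
    if ($Id.Name) { return [string]$Id.Name }
    return ([string]$Id -split '[\\/]')[-1]
}

# -RoleAssignee returns direct and indirect (role group) assignments.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $User |
    Select-Object @{ n = 'Role'; e = { Get-ShortName $_.Role } },
        RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope,
        @{ n = 'Expected'; e = { $expected -contains (Get-ShortName $_.Role) } }

$held    = @($assignments | ForEach-Object { $_.Role })
$missing = @($expected | Where-Object { $held -notcontains $_ })
$extra   = @($assignments | Where-Object { -not $_.Expected })
$policy  = Get-ShortName (Get-ThrottlingPolicyAssociation -Identity $User).ThrottlingPolicyId

$assignments | Sort-Object Expected, Role | Format-Table -AutoSize
if ($missing.Count) { Write-Warning ('Missing roles: ' + ($missing -join ', ')) }
if ($extra.Count) {
    Write-Warning 'Roles outside the documented set are assigned; review rows with Expected = False.'
}
if ($policy -ne $ThrottlingPolicy) {
    Write-Warning "Throttling policy is '$policy', expected '$ThrottlingPolicy'."
}
```

An impersonation assignment whose RecipientWriteScope is Organization lets the account act as any mailbox in the organization, so that row deserves the closest review. End-user roles from the mailbox's role assignment policy may also appear with Expected = False.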


Exchange Server PowerShell reference article

 

 

Issue/Introduction

For larger organizations with root and child domains, it may not be desirable to give the Exchange Organization Management role to the account used to back up Exchange. For this purpose, we have provided the means to assign the minimal permissions needed to successfully back up the Exchange databases.

Additional Information

ETrack: 2704544