Granting permissions on the Exchange Server to enable database backups and restores, and Granular Recovery Technology operations

Last published : Apr 02, 2026
A user account must access mailboxes on the Exchange Server to perform Backup Exec operations. To gain access to the Exchange Server, you must have full access permissions on the Exchange Server. If you want to restrict the access on the Exchange Server, you can grant minimal permissions that enable users to perform database backups and restores and Granular Recovery Technology (GRT) operations.
Ensure that the user account has local administrator's rights on the Exchange Server and then use one of the following methods to grant the permissions:
  • Grant full access permissions at the Organization Administrators or Organization Management level. It is recommended that the user account have full Exchange permissions on the Exchange Server to perform Backup Exec operations.
    Permissions are then propagated automatically to any new Exchange Servers that you add under the level at which the permissions are assigned.
    Note: You must have Exchange administrative permissions to grant permissions to other accounts.
  • If the user account cannot have full Exchange permissions for Backup Exec operations, you can grant minimal permissions. Minimal permissions let users perform database backups and restores and Granular Recovery Technology operations explicitly on each Exchange Server.
    If you grant permissions explicitly and then add another Exchange Server, you must grant permissions explicitly on the added server as well.
Granting minimal permissions for a user account to perform database backups and restores of Exchange Servers
You can grant minimal permissions for a user account that let you perform database backups and restores of an Exchange Server.
To grant full permissions for Microsoft Exchange, use an account with the Organization Management role.
To grant minimal permissions for a user account to perform database backups and restores of an Exchange Server
  • Do one of the following:
    To grant permissions for a user account using or the Exchange Admin Center in Microsoft Exchange
    Add the user account to the following roles:
    - Public Folder Management
    - Recipient Management
    - Server Management
    To grant permissions for a user account using the Exchange Management Shell
    Do the following in the order listed:
    - Type the following command:
      New-RoleGroup -Name <role group name> -Roles @("Database Copies", "Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients", "Recipient Policies", "Mail Enabled Public Folders", "Public Folders")
      For example:
      New-RoleGroup -Name BackupExecRoles -Roles @("Database Copies", "Databases", "Exchange Servers", "Monitoring", "Mail Recipient Creation", "Mail Recipients", "Recipient Policies", "Mail Enabled Public Folders", "Public Folders")
    - Type the following command:
      Add-RoleGroupMember -Identity <role group name> -Member <user name>
      For example:
      Add-RoleGroupMember -Identity BackupExecRoles -Member BackupExecUser
Granting minimal permissions for a user account to support Granular Recovery Technology on Exchange Servers
You can grant minimal permissions for a user account that let you support only Granular Recovery Technology (GRT) on an Exchange Server.
For more information about recipient scope, see the Microsoft Exchange documentation.
To grant permissions for a user account to support only Granular Recovery Technology on an Exchange Server using the Exchange Management Shell
  1. Type the following command:
New-ManagementRole -Name "<management role name>" -Parent ApplicationImpersonation
For example:
New-ManagementRole -Name "EWSImpersonationRole" -Parent ApplicationImpersonation
  2. Type the following command:
New-ManagementRoleAssignment -Role "<management role name>" -User <user name> -Name "<assignment name>"
For example:
New-ManagementRoleAssignment -Role "EWSImpersonationRole" -User BackupExecUser -Name "BackupExecUser-EWSImpersonation"
  3. Do the following:
    For Exchange 2013 or later
    Type the following command:
    New-ThrottlingPolicy -Name "<throttling policy name>" -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsMaxConcurrency Unlimited -ExchangeMaxCmdlets Unlimited -MessageRateLimit Unlimited -PowershellCutoffbalance Unlimited -PowershellMaxBurst Unlimited -PowershellMaxCmdlets Unlimited -PowershellMaxConcurrency Unlimited -PowershellMaxOperations Unlimited -RecipientRateLimit Unlimited -ThrottlingPolicyScope Regular
    For example:
    New-ThrottlingPolicy -Name "EWSRestoreThrottlingPolicy" -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsMaxConcurrency Unlimited -ExchangeMaxCmdlets Unlimited -MessageRateLimit Unlimited -PowershellCutoffbalance Unlimited -PowershellMaxBurst Unlimited -PowershellMaxCmdlets Unlimited -PowershellMaxConcurrency Unlimited -PowershellMaxOperations Unlimited -RecipientRateLimit Unlimited -ThrottlingPolicyScope Regular
  4. Type the following command:
Set-Mailbox -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
For example:
Set-Mailbox -Identity BackupExecUser -ThrottlingPolicy "EWSRestoreThrottlingPolicy"
  5. Type the following command:
Set-ThrottlingPolicyAssociation -Identity <user name> -ThrottlingPolicy "<throttling policy name>"
For example:
Set-ThrottlingPolicyAssociation -Identity BackupExecUser -ThrottlingPolicy "EWSRestoreThrottlingPolicy"
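
To confirm that the account ended up with the minimal delegation described above and nothing broader, the following read-only audit can be run in the Exchange Management Shell. It is an added example, not part of the vendor procedure; it assumes the page's example names (BackupExecUser, BackupExecRoles, EWSImpersonationRole, EWSRestoreThrottlingPolicy) and that role identities render as bare role names. The variable names and the output object are illustrative.

```powershell
# Added example, not vendor code: read-only audit of the delegation above.
# Run in the Exchange Management Shell. Names are the page's example values.
$Account   = 'BackupExecUser'
$RoleGroup = 'BackupExecRoles'
$ImpRole   = 'EWSImpersonationRole'
$Policy    = 'EWSRestoreThrottlingPolicy'
$Expected  = @('Database Copies', 'Databases', 'Exchange Servers', 'Monitoring',
               'Mail Recipient Creation', 'Mail Recipients', 'Recipient Policies',
               'Mail Enabled Public Folders', 'Public Folders', $ImpRole)

# Direct and role-group-inherited assignments held by the backup account.
# Assumption: casting Role to a string yields the bare role name.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $Account -Delegating $false)
$held = @($assignments | ForEach-Object { [string]$_.Role } | Sort-Object -Unique)

# Roles beyond the documented minimum, and documented roles that are absent.
$extra   = @($held     | Where-Object { $Expected -notcontains $_ })
$missing = @($Expected | Where-Object { $held -notcontains $_ })

# Every other member of the role group inherits the same roles.
# Assumption: the account's Name attribute equals $Account.
$others = @(Get-RoleGroupMember -Identity $RoleGroup |
    Where-Object { $_.Name -ne $Account } | ForEach-Object { $_.Name })

# Which mailboxes the impersonation assignment reaches (its recipient scope).
$impScope = @($assignments | Where-Object { [string]$_.Role -eq $ImpRole } |
    ForEach-Object { '{0}: {1} {2}' -f $_.Name, $_.RecipientWriteScope, $_.CustomRecipientWriteScope })

# Throttling policy bound to the account in the last step.
$boundPolicy = [string](Get-ThrottlingPolicyAssociation -Identity $Account).ThrottlingPolicyId

# One summary object, suitable for Format-List or Export-Csv.
[pscustomobject]@{
    Account               = $Account
    RolesBeyondMinimum    = $extra -join '; '
    RolesMissing          = $missing -join '; '
    OtherRoleGroupMembers = $others -join '; '
    ImpersonationScope    = $impScope -join '; '
    ThrottlingPolicy      = $boundPolicy
    ThrottlingPolicyMatch = ($boundPolicy -eq $Policy)
}
```

A non-empty RolesBeyondMinimum or OtherRoleGroupMembers value means the account, or someone sharing its role group, holds more than this procedure grants. ImpersonationScope shows the recipient scope that the Microsoft Exchange documentation referenced above describes.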