Granting Mailbox Rights
Overview
Exchange Mailbox Level Backup requires "Full Mailbox Access" permission for the user account under which the service runs on the Exchange Server (2000/2003/2007/2010) machine. If you encounter any error while accessing the "Add Exchange Mailbox Backup" page in the web console, you may need to grant full mailbox access to that specific account.
If your logon account is a member of one or more groups for which access to the mailboxes is denied, you cannot list the mailboxes using that account, even if you have full administrative rights to the Exchange system, because the mailbox rights are explicitly denied.
However, in Exchange Server 2000/2003/2007/2010, mailbox backup and restore can be performed by granting full mailbox rights to a specific user account under which the service runs.
If you encounter any error while accessing the "Add Exchange Mailbox Backup" page in the web console, follow the steps given below to resolve the issue:
1. Create a new user (and a mailbox for this user) with sufficient rights through Active Directory Users and Computers.
2. Assign "Full Mailbox Access" permission to that new user.
3. Use this new account with full mailbox rights as the service's logon account and restart the service. Specify the display name of this account [and the global catalog server name in case of Windows Server 2008 machines] in the page that opens on clicking the link shown at the bottom of the tree view section, and check whether the mailboxes are listed successfully.
4. [This step is not required for just listing the Exchange mailboxes] Add the 'MSPST MS' service by modifying the MAPISVC.INF file.
NOTE: The 3 steps mentioned above should resolve the issue in listing the mailbox users in the "Add Exchange Mailbox Backup" page. However, the 'MSPST MS' service should be added in the MAPISVC.INF file to successfully back up the Exchange users' mailboxes.
NOTE: Usually, for 64-bit machines where the MAPI 32-bit client component is installed manually, you may not need to edit the MAPISVC.INF file to dump the Exchange mailboxes successfully.
For Exchange Server 2000/Exchange Server 2003
Step 1 : Create a new user
Go to START menu, then to Administrative Tools and then to Active Directory Users and Computers.
In Active Directory Users and Computers MMC (Microsoft Management Console) , Go to Users and right click on it. In the menu items displayed, choose New and then User.

In the dialog box opened for a new user, provide the name details. For example, let the first name, full name and the user logon name be <BACKUPUSER>. Click Next to go to the next page.
Provide the password for this user and check the check boxes for User cannot change password and Password never expires. Click Next to go to the next page.
Choose the Alias, Server and the Mailbox Store and click Next to go to the next page. 
Click Finish to complete creating a new user with his details displayed in the current dialog box. 
After creating the new user successfully, the new user <BACKUPUSER> will be displayed in the list of users in the main window for Active Directory Users and Computers. 
Right click on the user <BACKUPUSER> and click Properties. 
In the <BACKUPUSER> Properties dialog box, click the Member Of tab. 
Add Administrators and Domain Admins to the user <BACKUPUSER> by using the Add buttons. 
Make sure the new user is a member of only the following 3 groups: Administrators, Domain Users, Domain Admins. Do not add the user to any other group. Doing so may deny the new user some of the access it needs to the mailboxes, so that the mailboxes still cannot be listed.
Click Apply and then OK.
Restart the Microsoft Exchange Information Store service.
Step 2 : Granting full rights to the new user over the mailboxes located on a specific server
Note: You must have the appropriate Exchange administrative permissions to do the following.
Start Exchange System Manager.
Go to your server object within the appropriate 'Administrative Group'. Right-click on it and choose Properties. 
In the Properties dialog box go to the Security tab. 
Click Add and then choose the new user <BACKUPUSER> that you want to grant access to the mailboxes.
After adding the user <BACKUPUSER>, make sure that the user <BACKUPUSER> is selected in the 'Name' box.
In the 'Permissions' list, check the check box (if not checked) for 'Allow' next to 'Full Control', and then click OK.
Note: Ensure that the 'Deny' check boxes next to the Send As and Receive As permissions are not checked.
Click OK to finish.
NOTE:
- Make sure that the new user account created is not disabled [This can be verified from Active Directory Users and Computers].
- Make sure that the new user account created is not hidden from Exchange address lists [This can be verified from Active Directory Users and Computers, in the Exchange Advanced tab in the Properties dialog box for this user].
Step 3 : Change service's logon account, restart and access "Add Exchange Mailbox Backup" page
Use the new account as the service's logon account.
NOTE: Make sure that the logon account for the service looks like an e-mail ID [backupuser@domain] and not like "domain\backupuser" or ".\backupuser" or any other form. Use the browse button to select the user account under which the service should run.
Restart the service.
Now log in to the web console and access the Backup -> Plugin Backups -> Exchange Mailbox page. If the Exchange mailboxes are not listed, there will be a link at the bottom of the mailbox tree view section with the text "If the Exchange Mailboxes are not listed here, click here to edit/modify the Exchange Mailbox Backup Configuration to list and backup the Exchange Mailboxes."
Clicking the link will take you to a page where you will be asked for the Display Name [Profile Mailbox Name] of the new user.
- The Display Name of the user account can be found by opening the Active Directory Users and Computers interface, going to the user name and selecting Properties.
NOTE: The above page can also be directly accessed by the URL http://MACHINENAME:6060/xchangeoptions.sgp?xopt=18 after logging into web console
If Exchange Mailboxes can be listed with the details provided, you will be redirected automatically to Add Exchange Mailbox Backup page from where you can configure Mailbox backups.
Step 4 : Add the 'MSPST MS' service by modifying the MAPISVC.INF file.
NOTE: This step is not required for listing the Exchange Mailboxes in 'Add Exchange Mailbox Backup' page. Editing MAPISVC.INF file is required only for dumping the Exchange Mailboxes, if appropriate entries are not available.
The MAPISVC.INF file should have the information of the Microsoft Personal Folder store service. If this file does not have this information, then the Exchange Mailbox dump will fail with an error indicating that it was "Unable to create the PST file" [or] "No new/modified files for backup".
The MAPISVC.INF file is usually located in the Windows system directory (e.g. C:\Winnt\System32\ or C:\Windows\System32\).
Verify the file has an entry for the Microsoft Personal Folder store service. You can determine this by looking for the following information. If this information is not in the file then you need to add it in the proper sections:
Note: Please take a copy of your "MAPISVC.INF" file before making any changes.

[Services]
MSPST MS=Personal Folders File (.pst)

[MSPST MS]
Providers=MSPST MSP
PR_SERVICE_DLL_NAME=mspst.dll
PR_SERVICE_INSTALL_ID={6485D262-C2AC-11D1-AD3E-10A0C911C9C0}
PR_SERVICE_SUPPORT_FILES=mspst.dll
PR_SERVICE_ENTRY_NAME=PSTServiceEntry
PR_RESOURCE_FLAGS=SERVICE_NO_PRIMARY_IDENTITY

[MSPST MSP]
34140102=4e495441f9bfb80100aa0037d96e0000
PR_PROVIDER_DLL_NAME=mspst.dll
PR_SERVICE_INSTALL_ID={6485D262-C2AC-11D1-AD3E-10A0C911C9C0}
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_RESOURCE_FLAGS=STATUS_DEFAULT_STORE
PR_DISPLAY_NAME=Personal Folders
PR_PROVIDER_DISPLAY=Personal Folders File (.pst)

Points to remember regarding the above content:
- In your MAPISVC.INF file, search for the text [Services]. If it is found in the file, add the following line under [Services] if it does not already exist there.
MSPST MS=Personal Folders File (.pst)
If the text [Services] is not found in the file, add both the lines given below to your MAPISVC.INF file.
[Services]
MSPST MS=Personal Folders File (.pst)
- In your MAPISVC.INF file, search for the text [MSPST MS]. If it is found in the file, verify whether the content under [MSPST MS] is the same as the content shown above. If the text [MSPST MS] is not found in the file, add the complete entry of [MSPST MS] as given above.
- In your MAPISVC.INF file, search for the text [MSPST MSP]. If it is found in the file, verify whether the content under [MSPST MSP] is the same as the content shown above. If the text [MSPST MSP] is not found in the file, add the complete entry of [MSPST MSP] as given above.
For more information on the format of the MAPISVC.INF file see the following Microsoft article: http://support.microsoft.com/kb/294470
After modifying the MAPISVC.INF file, schedule the Exchange mailbox backup and check if the dump process runs successfully without any issues.
For Exchange Server 2007/2010
uses Microsoft's MAPI client component installed in the Exchange Server to backup the Exchange Mailboxes. For 64-bit environment the MAPI client component is yet to be released by Microsoft. Currently, uses its 32-bit exe to list, backup and restore the Exchange Mailboxes in 64-bit machines. To accomplish this, 32-bit exe requires Microsoft's 32-bit MAPI client component.
To perform Exchange 2007/2010 Mailbox Level Backup, install the standalone version of MAPI from the Microsoft site. You can download the MAPI 32-bit client component from the URL below, Download Standalone version of MAPI
TCP Port 32008 (Windows 64-bit OS)
From 2.4 Exchange Mailbox backup and restore is supported for Exchange Server 2007/2010. 64-bit client exe can send the backup request to the 32-bit client exe on port 32008 running in the same machine. If a Client is behind a NAT/Firewall then this port needs to be opened to enable Exchange 2007/2010 Mailbox backup and restore to be performed. Opening up this port is mandatory for the core Exchange 2007/2010 Mailbox functionality of backup and restore to work in . By default the port used by for Exchange 2007/2010 Mailbox backup is 32008. But it can be modified by changing the 'MAPI32Bit' attribute in the 'Ports' tag in the SGConfiguration.conf file located in <INSTALLATION_HOME>/conf folder.
Step 1 : Create a new user
Go to START menu, then to Administrative Tools and then to Active Directory Users and Computers.
In Active Directory Users and Computers MMC (Microsoft Management Console) , Go to Users and right click on it. In the menu items displayed, choose New and then User.

In the new window opened for a new user, provide the name details. For example, let the first name, full name and the user logon name be <BACKUPUSER>. Click Next.

Provide the password for this user and check the check boxes for User cannot change password and Password never expires. Click Next. 
Click Finish to complete creating a new user with his details displayed in the last window. 
After creating the new user successfully, the new user <BACKUPUSER> will be displayed in the list of users.
Right click on the user <BACKUPUSER> and click Properties. 
In the <BACKUPUSER> Properties window opened, click the Member Of tab. 
Add Administrators and Domain Admins rights to the user <BACKUPUSER>. 
Make sure this user is a member of only the following 3 groups: Administrators, Domain Users, Domain Admins. Do not add the user to any other group. Doing so may deny the new user some of the access it needs to the mailboxes, so that the mailboxes still cannot be listed.
Click Apply and then OK.
Step 1A : Creating a new mailbox for the new user in Exchange Server 2007/2010
Unlike Exchange 2000 and Exchange 2003, we can use "Exchange Management Shell" to create a new mailbox for the newly created user <BACKUPUSER>. Let the full email id of the user <BACKUPUSER> be backupuser@it.domain.com.
After creating new mailbox for the user <BACKUPUSER> restart the Microsoft Exchange Information Store service.
Step 2 : Granting full access to the new account, over all the Exchange 2007/2010 mailboxes present in the server
Open the "Exchange Management Shell" and type the following command to assign full mailbox permissions to the user "<BACKUPUSER>" over all the mailboxes present in the Exchange server.
Get-MailboxDatabase | Add-ADPermission -user <BACKUPUSER> -AccessRights GenericAll
NOTE:
- Make sure that the new user account created is not disabled [This can be verified from Active Directory Users and Computers].
- Make sure that the new user account created is not hidden from Exchange address lists [This can be verified from Exchange Management Console, in the General tab in the Properties dialog box for this user].
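To confirm the grant from Step 2 and to find the explicit Deny entries described in the overview, the following added example (not part of the original documentation) reads the permissions on each mailbox database without changing them. It assumes the Exchange Management Shell on PowerShell 2.0 or later; <BACKUPUSER> is this page's placeholder and the output property names are illustrative.

```powershell
# Added example (not vendor code). Run in the Exchange Management Shell,
# PowerShell 2.0 or later assumed. Read-only: no permission is changed.
$account = '<BACKUPUSER>'   # placeholder used on this page

foreach ($db in Get-MailboxDatabase) {
    $aces = @($db | Get-ADPermission)

    # Allow entries that give the backup account GenericAll on this database.
    $allow = @($aces | Where-Object {
        -not $_.Deny -and "$($_.User)" -like "*\$account" -and
        (($_.AccessRights -join ',') -match 'GenericAll')
    })

    # Deny entries on Receive-As / Send-As for any principal. A Deny on a
    # group the backup account belongs to can block mailbox listing, as the
    # overview of this page describes.
    $deny = @($aces | Where-Object {
        $_.Deny -and
        (($_.ExtendedRights -join ',') -match 'Receive-As|Send-As')
    })

    # One summary row per database (property names are illustrative).
    New-Object PSObject -Property @{
        Database        = $db.Name
        AccountHasAllow = ($allow.Count -gt 0)
        DenyPrincipals  = (@($deny | ForEach-Object { "$($_.User)" } |
                             Select-Object -Unique) -join '; ')
    }
}
```

Compare DenyPrincipals with the groups shown on the account's Member Of tab; a database where AccountHasAllow is False did not receive the grant.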
Step 3 : Change service's logon account, restart and access "Add Exchange Mailbox Backup" page
Use the new account as the service's logon account.
NOTE: Make sure that the logon account for the service looks like an e-mail ID [backupuser@domain] and not like "domain\backupuser" or ".\backupuser" or any other form. Use the browse button to select the user account under which the service should run.
Restart the service.
Now log in to the web console and access the Backup -> Plugin Backups -> Exchange Mailbox page. If the Exchange mailboxes are not listed, there will be a link at the bottom of the mailbox tree view section with the text "If the Exchange Mailboxes are not listed here, click here to edit/modify the Exchange Mailbox Backup Configuration to list and backup the Exchange Mailboxes."
Clicking the link will take you to a page where you will be asked for the Display Name [Profile Mailbox Name] of the new user and the Global Catalog Server Name that your Exchange server uses [only for Windows Server 2008 machines].
- The Display Name of the user account can be found by opening the Active Directory Users and Computers interface, going to the user name and selecting Properties.
- [For Exchange Server 2007/2010 on Windows 2008 machines] You can get the list of Global Catalog Servers that an Exchange Server is using by going to Exchange Management Console -> Server Configuration -> Mailbox -> [Next Column] EXCHANGE_SERVER_NAME -> [Right Click] Properties -> [tab] System Settings -> [title] Global catalog servers being used by Exchange.
NOTE: The above page can also be directly accessed by the URL http://MACHINENAME:6060/xchangeoptions.sgp?xopt=18 after logging into web console
If Exchange Mailboxes can be listed with the details provided, you will be redirected automatically to Add Exchange Mailbox Backup page from where you can configure Mailbox backups.
Step 4 : Add the 'MSPST MS' service by modifying the MAPISVC.INF file.
NOTE: Normally, for 64-bit machines where the MAPI 32-bit client component is installed manually, there is no need to edit the MAPISVC.INF file to dump the Exchange mailboxes successfully. Usually, the mailbox backup will run successfully without editing the MAPISVC.INF file. Schedule the backup once and check whether the mailbox backup runs successfully. Follow the instructions below if the issue still persists in dumping the Exchange mailboxes.
To perform Exchange 2007/2010 Mailbox Level Backup, you need to install the standalone version of MAPI from the Microsoft site. You can download the MAPI 32-bit client component from the URL below, Download Standalone version of MAPI
The MAPISVC.INF file should have the information of the Microsoft Personal Folder store service. If this file does not have this information, then the Exchange Mailbox dump will fail with an error indicating that it was "Unable to create the PST file" [or] "No new/modified files for backup".
The MAPISVC.INF file is usually located in the Windows system directory (e.g. C:\Winnt\System32\ or C:\Windows\System32\).
Verify the file has an entry for the Microsoft Personal Folder store service. You can determine this by looking for the following information. If this information is not in the file then you need to add it in the proper sections:
Note: Please take a copy of your "MAPISVC.INF" file before making any changes.

[Services]
MSPST MS=Personal Folders File (.pst)

[MSPST MS]
Providers=MSPST MSP
PR_SERVICE_DLL_NAME=mspst.dll
PR_SERVICE_INSTALL_ID={6485D262-C2AC-11D1-AD3E-10A0C911C9C0}
PR_SERVICE_SUPPORT_FILES=mspst.dll
PR_SERVICE_ENTRY_NAME=PSTServiceEntry
PR_RESOURCE_FLAGS=SERVICE_NO_PRIMARY_IDENTITY

[MSPST MSP]
34140102=4e495441f9bfb80100aa0037d96e0000
PR_PROVIDER_DLL_NAME=mspst.dll
PR_SERVICE_INSTALL_ID={6485D262-C2AC-11D1-AD3E-10A0C911C9C0}
PR_RESOURCE_TYPE=MAPI_STORE_PROVIDER
PR_RESOURCE_FLAGS=STATUS_DEFAULT_STORE
PR_DISPLAY_NAME=Personal Folders
PR_PROVIDER_DISPLAY=Personal Folders File (.pst)

Points to remember regarding the above content:
- In your MAPISVC.INF file, search for the text [Services]. If it is found in the file, add the following line under [Services] if it does not already exist there.
MSPST MS=Personal Folders File (.pst)
If the text [Services] is not found in the file, add both the lines given below to your MAPISVC.INF file.
[Services]
MSPST MS=Personal Folders File (.pst)
- In your MAPISVC.INF file, search for the text [MSPST MS]. If it is found in the file, verify whether the content under [MSPST MS] is the same as the content shown above. If the text [MSPST MS] is not found in the file, add the complete entry of [MSPST MS] as given above.
- In your MAPISVC.INF file, search for the text [MSPST MSP]. If it is found in the file, verify whether the content under [MSPST MSP] is the same as the content shown above. If the text [MSPST MSP] is not found in the file, add the complete entry of [MSPST MSP] as given above.
For more information on the format of the MAPISVC.INF file see the following Microsoft article: http://support.microsoft.com/kb/294470
After modifying the MAPISVC.INF file, schedule the Exchange mailbox backup and check if the dump process runs successfully without any issues.
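The verification described in Step 4 (in both the Exchange 2000/2003 and the 2007/2010 sections) can be done without opening the file by hand. The following PowerShell script is an added example, not part of the original documentation; the default path and the helper name Read-InfFile are assumptions, and the script only reads the file.

```powershell
# Added example (not vendor code): read-only comparison of MAPISVC.INF with
# the entries listed in Step 4. Nothing is written to the file.
param([string]$Path = "$env:windir\System32\MAPISVC.INF")  # assumed default
# Expected sections and keys, copied from the listing on this page.
$expected = @{
    'Services'  = @{ 'MSPST MS' = 'Personal Folders File (.pst)' }
    'MSPST MS'  = @{
        'Providers'                = 'MSPST MSP'
        'PR_SERVICE_DLL_NAME'      = 'mspst.dll'
        'PR_SERVICE_INSTALL_ID'    = '{6485D262-C2AC-11D1-AD3E-10A0C911C9C0}'
        'PR_SERVICE_SUPPORT_FILES' = 'mspst.dll'
        'PR_SERVICE_ENTRY_NAME'    = 'PSTServiceEntry'
        'PR_RESOURCE_FLAGS'        = 'SERVICE_NO_PRIMARY_IDENTITY'
    }
    'MSPST MSP' = @{
        '34140102'              = '4e495441f9bfb80100aa0037d96e0000'
        'PR_PROVIDER_DLL_NAME'  = 'mspst.dll'
        'PR_SERVICE_INSTALL_ID' = '{6485D262-C2AC-11D1-AD3E-10A0C911C9C0}'
        'PR_RESOURCE_TYPE'      = 'MAPI_STORE_PROVIDER'
        'PR_RESOURCE_FLAGS'     = 'STATUS_DEFAULT_STORE'
        'PR_DISPLAY_NAME'       = 'Personal Folders'
        'PR_PROVIDER_DISPLAY'   = 'Personal Folders File (.pst)'
    }
}

# Hypothetical helper: parse an INF file into section -> (key -> value).
function Read-InfFile([string]$File) {
    $sections = @{}; $current = $null
    foreach ($raw in @(Get-Content -LiteralPath $File)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }  # blank/comment
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1].Trim()
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $sections
}

$found = Read-InfFile $Path
foreach ($section in $expected.Keys) {
    if (-not $found.ContainsKey($section)) { "MISSING section [$section]"; continue }
    foreach ($key in $expected[$section].Keys) {
        $want = $expected[$section][$key]
        if (-not $found[$section].ContainsKey($key)) {
            "MISSING [$section] $key=$want"
        } elseif ($found[$section][$key] -ne $want) {
            "DIFFERS [$section] ${key}: page lists '$want'"
        }
    }
}
```

No output means every entry listed on this page is present with the same value; each MISSING or DIFFERS line names the section and key to review.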