Barracuda MSP Partner Toolkit

Preparing For Mailbox Level Backups

Before you can run a Mailbox Level backup, there are some configuration changes you will need to make to your Exchange server.  The first thing you will need is a service account to run the backups with.  This service account must have the necessary permissions to retrieve mail from each mailbox you intend to back up.  In addition, there are some settings you may need to change on the server to ensure the backups run smoothly.  This article will give you the steps to prepare your system for Mailbox Level backups.


Creating a Service Account

First, create a new user mailbox.  It is important there be both a domain user account and a mailbox belonging to that user. The mailbox should not be hidden from the GAL.

Next, add that user to the appropriate groups or roles.  Depending on which version of Exchange you are backing up, those may be different:

Group(s) / Role(s) by Exchange version:

  Exchange 2007:        Organization Administrator, Application Impersonation
  Exchange 2010:        Organization Management, Application Impersonation
  Exchange 2013 / 2016: Organization Management, Discovery Management, Application Impersonation

Application Impersonation

To grant the service account user Application Impersonation rights, use the following Exchange Management Shell commands:

For Exchange 2007...

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity ServiceAccount | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate}


For Exchange 2010 / 2013 / 2016...

New-ManagementRoleAssignment -Name:ImpersonationAssignmentName -Role:ApplicationImpersonation -User:ServiceAccount

...where ServiceAccount is the name of the service account you will use to perform Mailbox Level backups and ImpersonationAssignmentName is the name you give the assignment (can be anything).


Enabling PowerShell Remoting

  1. The first step is to enable PowerShell remoting if not already enabled.  To check if PowerShell remoting is enabled, run the following command from an elevated PowerShell session:

    Enter-PSSession -ComputerName localhost

    Successfully establishing a PowerShell session will look like this:

    A failed attempt to establish a PowerShell session will look like this:

  2. If you are unable to successfully run the command from step (1), use this command in an elevated PowerShell session to enable PowerShell remoting:

    Enable-PSRemoting -Force

    When done, the computer will be able to receive remote PowerShell commands.  The next step is to allow PowerShell authentication.  (If Exchange is hosted on a Windows Server 2008 (non-R2) server, skip to step 4.)

  3. Open Internet Information Services (IIS) Manager and then drill down to Sites > Default Web Site and click on PowerShell from the list that drops down.  Then, double-click on Authentication in the IIS section.

    Right-click on Basic Authentication and select Enable.

  4. If the Exchange server is on a Windows Server 2008 (non-R2) machine, use the following command to enable Basic Authentication:

    winrm set winrm/config/service/auth '@{Basic="true"}'


Disabling EWS Throttling

This step is optional but is strongly recommended.  It has been shown that EWS throttling may interfere with the Mailbox Level backups and prevent them from completing fully and successfully.  Also, disabling EWS throttling may allow the backups to run more quickly.  More information about client throttling can be found here.  Exchange 2007 does not have configuration options for throttling policies so there is nothing to change if using Exchange 2007.  To disable EWS throttling, use the following Exchange Management Shell commands:

  1. Create a throttling policy...

    New-ThrottlingPolicy <Policy>

    ...where <Policy> is the name you choose for the throttling policy.  This can be anything you choose.

  2. Specify the nature of the throttling policy.  For Exchange 2010 use:

    Set-ThrottlingPolicy <Policy> -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -EWSMaxConcurrency $null -EWSMaxSubscriptions $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null

    For Exchange 2013 and 2016 use:

    Set-ThrottlingPolicy <Policy> -EWSCutoffBalance Unlimited -EWSMaxBurst Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -EWSRechargeRate Unlimited -IsServiceAccount:$true

  3. Apply the throttling rule.

    Get-Mailbox | Set-Mailbox -ThrottlingPolicy <Policy>
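The following read-only script is an added example, not part of the original article or Barracuda's tooling. It checks the three settings configured above from the Exchange Management Shell on Exchange 2010 or later. ServiceAccount and BackupPolicy are placeholder names for your own service account and throttling policy.

```powershell
# Added example: read-only verification of the settings from this article.
# Run in the Exchange Management Shell (Exchange 2010 or later).
# Placeholder names; substitute the ones you used.
$ServiceAccount = 'ServiceAccount'
$PolicyName     = 'BackupPolicy'

# 1. Effective holders of ApplicationImpersonation. The role lets its holder
#    act as any mailbox in scope, so the list should be short and expected.
$user    = Get-User -Identity $ServiceAccount
$names   = @($user.Name, $user.DisplayName)
$holders = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$holders | Format-Table Name, RoleAssigneeName, EffectiveUserName, CustomRecipientWriteScope -AutoSize
if (-not ($holders | Where-Object { $names -contains $_.EffectiveUserName })) {
    Write-Warning "$ServiceAccount has no effective ApplicationImpersonation assignment."
}

# 2. Basic authentication on the PowerShell virtual directory and in WinRM.
#    Basic sends the password base64-encoded, not encrypted; RequireSSL and
#    AllowUnencrypted show whether the transport is protected.
Get-PowerShellVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Name, BasicAuthentication, RequireSSL
"WinRM Basic auth:        " + (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
"WinRM AllowUnencrypted:  " + (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

# 3. Throttling policy contents and its association with the service account.
#    IsServiceAccount exists on Exchange 2013 / 2016 only and is blank on 2010.
Get-ThrottlingPolicy -Identity $PolicyName |
    Format-List Name, EWSMaxConcurrency, EWSMaxSubscriptions, IsServiceAccount
Get-ThrottlingPolicyAssociation -Identity $ServiceAccount |
    Format-List Name, ThrottlingPolicyId

# Get-Mailbox returns at most 1000 mailboxes unless -ResultSize is given,
# so in a larger organization the apply step can skip mailboxes.
# List any mailbox that still has no explicit throttling policy.
$missed = @(Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.ThrottlingPolicy })
if ($missed.Count -gt 0) {
    Write-Warning "$($missed.Count) mailbox(es) have no explicit throttling policy:"
    $missed | Select-Object Name, PrimarySmtpAddress
}
```

The script changes nothing; it only reports, so it can be rerun after each section to confirm the change took effect.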
