Configure Permissions
The user account running ExMerge clearly needs access rights to the processed mailboxes. Getting the necessary permissions to run ExMerge is the trickiest part. If we look at the articles available from Microsoft Support we find a number of these addressing this topic (see references). The procedure I present here is largely based on the merger of these articles. I also include extra details where it matters most.
On the XP/2000 Pro machine the user account only requires to be a Standard User (Power User Group).
-
To set the rights, at the server we first create a security group to hold all user accounts running ExMerge. We will call this group ExMerge to be consistent with the MS support articles. Once created add the user accounts to its membership list.
Note: At this stage it is easier to work with accounts that have no Administrative role in Exchange. This helps us avoid hitting into issues related to permission inheritance that too often cause confusion.
-
At the Exchange Server, delegate 'Exchange View Only Administrator' control to the newly created security group.
Unless we do this, ExMerge would fail on enumerating the private information stores and would return an error saying: "Error getting list of private information store databases on server..."
This delegation of control could be done at the Organization or the Administrative Group level. I will do the former since most Exchange organizations only have one Administrative Group and don't even expose these at the Exchange System Manager.
-
On the Exchange Server open the Exchange System Manager
Right-click the Organization object and select Delegate Control
Move ahead with the wizard and click Add
-
At the Delegate Control dialog, click on Browse and select the ExMerge security group
Set the Role to 'Exchange View Only Administrator'
Click Ok to close the dialog and add ExMerge to the list
Complete the Wizard to save changes
-
Give the ExMerge security group full control permissions on the relevant Mailbox Stores.
At this stage we are still missing the rights over the Exchange mailboxes. Specifically we need the Send As/Receive As permissions over those mailboxes against which ExMerge will run.
-
Open the properties for the Mailbox Store
-
Select the Security property page and locate the ExMerge group entry. This should have been created by the Delegate Control wizard on assigning the 'Exchange View Only Administrator' role.
-
Click on the Full Control Allow check-box to allocate all the permissions not yet inherited. This should include the Send As and Receive As permissions.
Note: If the ExMerge security group was not newly created as specified here make sure that the group is not currently denied the Send As and Receive As permissions. In that case click the Advanced button at the security page and assign Full Access permissions so as to override any denied permissions.
Click OK to save changes.
Final Tips
It was indeed a long journey, but finally everything should now be in place. It is time to fire ExMerge.exe that is waiting under the Exchange bin directory! Try a simple export to confirm everything is in place. If you come across errors, restart the Exchange Information Store service so as to force the new permissions to go live.
You are now set for your brick level backups. ExMerge has many options worth exploring. Take some time to read ExMerge.doc and learn how to best use this tool.
References
Windows Server 2003 Administration Tools Pack AdminPak.msi
ExMerge Download - Tools for Exchange Server 2003
How to configure the administrator account to use ExMerge 2003 in Exchange 2003
How to configure an account to use the ExMerge utility in Exchange 2000 Server and in Exchange Server 2003
When the Mailbox Merge Program Tries to Open the Message Store, the Operation Is Unsuccessful