The reason for specific rights is explained in the
NBU for Echange Admin Guide:
For Exchange 2010, NetBackup uses Microsoft Exchange Web Services (EWS) to support a backup that uses the Granular Recovery Technology (GRT).EWSprovides support for the restore of individual mailboxes, mail messages, and public folders from an Exchange 2010 database backup.
....
NetBackup also creates an impersonation role and a role assignment for Exchange Impersonation. Exchange Impersonation role assignment associates the impersonation role with the NetBackup resource credentials you specify for the restore job.
NetBackup creates and assigns the following roles:
■ SymantecEWSImpersonationRole
■ SymantecEWSImpersonationRoleAssignment
About the NetBackup service account
NetBackup must have administrator access to Exchange mailboxes and public folders so it can do the following:
■ Enumerate mailboxes when defining a policy
■ Perform MAPI mailbox and public folder backups (Exchange 2007 and earlier)
■ Restore mailbox and public folder objects from MAPI backups or backups that use Granular Recovery Technology (GRT).
To provide this access, the NetBackup Client Service must be associated with a valid Exchange mailbox. Symantec recommends that you create a uniquely named mailbox and that the NetBackup Client Service uses the same account that runs Exchange Services.
Review the following prerequisites before you create an account for the NetBackup Client Service:
■ Ensure that the NetBackup service account has domain privileged rights.
■ Verify that the NetBackup service account mailbox is not hidden.
If in a cluster or replicated environment, perform the steps in the following procedures on each Exchange node.