Support
Login
Your Password

Sales
North America
Phone: +1 (905)-655-9262
Fax: +1 (905)-655-9395
Email: info@add-on.com

Europe
Phone: +45 7944 7000
Fax: +45 7944 7001

China
Phone: +86 (21) 2221 8396
Email: info-china@add-on.com
Support
Denmark
+45 7944 7002

Europe
+44 (0) 203 002 3889

North America
+1 (202)-536-4165
Knowledgebase: Resource Central
KB0021 - Steps to configure Application Impersonation rights in Exchange Servers

 

Summary

If RealTime Service wants to run and get proper access to calendar information on the Exchange Server, it has to be run under an account that has rights to impersonate other users.

Configuring Impersonation rights in Exchange Server 2007

a) Configure Exchange Impersonation for a user on a server

Open the Shell (Powershell/Exchange Management Shell). Run Add-ADPermission cmdlet to add the impersonation permissions on the server for the identified user.

For example, to grant User1 permission to impersonate all accounts on an Exchange Server named CAS-01, use the following command:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

b) Configure Exchange Impersonation for a user on a specific user

Open the Shell. Run the Add-ADPermission Windows PowerShell command to add permission to impersonate an identified user.

For example, to grant User1 permission to impersonate User2, use the following command:

Add-ADPermission -Identity "User2" -User User1 -extendedRight ms-Exch-EPI-May-Impersonate

 

Configuring Impersonation rights in Exchange Server 2010

a) Configure Exchange Impersonation for all users in an organization

Open the Shell. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user.

For example, to configure Exchange Impersonation to enable a service account named “Administrator” to impersonate all other users in an organization, use the following command:

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:Administrator

b) Configure Exchange Impersonation for specific users or groups of users

Open the Shell. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned.

For example, to creates the AOC Databases scope and sets a database restriction filter that matches only the databases that begin with the string "SEA", use the following command:

New-ManagementScope -Name "AOC Databases" -DatabaseRestrictionFilter {Name -Like "SEA*" }  

Remark: If an existing scope is available, you can skip this step. More details about management scope can be found here.

After that, run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope.

For example, the following command configures Exchange Impersonation to enable a service account named “Administrator” to impersonate all users in the AOC Databases scope:

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:Administrator –CustomRecipientWriteScope:AOC Databases

 

Configuring Impersonation rights in Exchange Server 2013 and Exchange Online

Open the Shell by selecting: Start ⇒ All Programs ⇒ Microsoft Exchange Server 2013⇒ Exchange Management Shell.

To configure impersonation for all users in an organization

Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment –name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount

To configure impersonation for specific users or groups of users

  1. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.

New-ManagementScope –Name:scopeName –RecipientRestrictionFilter:recipientFilter

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."

Name –eq "john"

  1. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount –CustomRecipientWriteScope:scopeName

 

Properties

Reference: TFS #2262

Knowledge base ID: 0021

Last updated: Feb 23, 2016