Sales
Denmark +45 7944 7000
Europe +45 7944 7000
North America +1 (202)-536-4165
Support
Denmark +45 7944 7002
North America +1 (202)-536-4165

Steps to configure Application Impersonation rights in Exchange Servers

Modified on Thu, 22 Aug at 11:30 PM

 

Summary

If RealTime Service wants to run and get proper access to calendar information on the Exchange Server, it has to be run under an account that has rights to impersonate other users.

Configuring Impersonation rights in Exchange Server 2007

a) Configure Exchange Impersonation for a user on a server

Open the Shell (Powershell/Exchange Management Shell). Run Add-ADPermission cmdlet to add the impersonation permissions on the server for the identified user.

For example, to grant User1 permission to impersonate all accounts on an Exchange Server named CAS-01, use the following command:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

b) Configure Exchange Impersonation for a user on a specific user

Open the Shell. Run the Add-ADPermission Windows PowerShell command to add permission to impersonate an identified user.

For example, to grant User1 permission to impersonate User2, use the following command:

Add-ADPermission -Identity "User2" -User User1 -extendedRight ms-Exch-EPI-May-Impersonate

 

Configuring Impersonation rights in Exchange Server 2010

a) Configure Exchange Impersonation for all users in an organization

Open the Shell. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user.

For example, to configure Exchange Impersonation to enable a service account named “Administrator” to impersonate all other users in an organization, use the following command:

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:Administrator

b) Configure Exchange Impersonation for specific users or groups of users

Open the Shell. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned.

For example, to creates the AOC Databases scope and sets a database restriction filter that matches only the databases that begin with the string "SEA", use the following command:

New-ManagementScope -Name "AOC Databases" -DatabaseRestrictionFilter {Name -Like "SEA*" }  

Remark: If an existing scope is available, you can skip this step. More details about management scope can be found here.

After that, run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope.

For example, the following command configures Exchange Impersonation to enable a service account named “Administrator” to impersonate all users in the AOC Databases scope:

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:Administrator –CustomRecipientWriteScope:AOC Databases

 

Configuring Impersonation rights in Exchange Server 2013 and Exchange Online

Open the Shell by selecting: Start ⇒ All Programs ⇒ Microsoft Exchange Server 2013⇒ Exchange Management Shell.

To configure impersonation for all users in an organization

Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment –name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount

To configure impersonation for specific users or groups of users

  1. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.

New-ManagementScope –Name:scopeName –RecipientRestrictionFilter:recipientFilter

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."

Name –eq "john"

  1. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:serviceAccount –CustomRecipientWriteScope:scopeName

 

Properties

Reference: TFS #2262

Knowledge base ID: 0021

Last updated: Feb 23, 2016

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article